Services keep stopping

[fittan]

Hi, I have the latest malwarebytes anti-malware and anti-exploit running on about 40 clients (all windows 10). The problem is that everyday I have 5 to 6 clients and their malwarebytes services stopped for no reason. Sometimes it is the anti-exploit service, sometimes it is the MBAMservice and sometimes it is the MEEClientService. I would then have to manually start up the services or reboot the computer. Is this a common problem?

By the way, I have checked the event logs and there is nothing. Also no other AV running. Only Windows defender and malwarebytes. Thanks.

 

 

 

[StroTech]

We have the same thing happen, just have to restart the service, I have a script that I run through logmein to restart them. It does not happen very often, but it does happen and it is usually on the same computer(s), sometimes the odd other one will do it to.

 

Here is the script

 

echo Timestamp = %date:~10,4%%date:~4,2%%date:~7,2%%time:~0,2%%time:~3,2%%time:~6,2% >> C:\util\checkmblog.txt
for /F "tokens=3 delims=: " %%H in ('sc query "mbaeSvc" ^| findstr "STATE"') do (
if /i "%%H" neq "running" (
net start mbaeSvc
echo Starting mbaeSvc. >> C:\util\checkmblog.txt
goto loop1 
) else (
Echo mbaeSvc Is already Running. >> C:\util\checkmblog.txt
goto loop1
)
)

:loop1
for /F "tokens=3 delims=: " %%H in ('sc query "MBAMScheduler" ^| findstr "STATE"') do (
if /i "%%H" neq "running" (
net start MBAMScheduler
echo Starting MBAMScheduler. >> C:\util\checkmblog.txt
goto loop2
) else (
Echo MBAMScheduler Is already Running. >> C:\util\checkmblog.txt
goto loop2
)
)

:loop2
for /F "tokens=3 delims=: " %%H in ('sc query "MBAMService" ^| findstr "STATE"') do (
if /i "%%H" neq "running" (
net start MBAMService
echo Starting MBAMService. >> C:\util\checkmblog.txt
goto loop3
) else (
Echo MBAMService Is already Running. >> C:\util\checkmblog.txt
goto loop3
)
)

:loop3
for /F "tokens=3 delims=: " %%H in ('sc query "SCCommService" ^| findstr "STATE"') do (
if /i "%%H" neq "running" (
net start SCCommService
echo Starting SCCommService. >> C:\util\checkmblog.txt
) else (
Echo SCCommService Is already Running. >> C:\util\checkmblog.txt
)
)

I actually recently set it up as a scheduled task to get it to run whenever someone logs on or unlocks their computer.

Edited September 29, 2017 by StroTech

[fittan]

Thanks I have a similar script that runs from the server (using the sc command). However it is so annoying as I have to check and sometimes manually start the services. 

[djacobson]

Hi guys, this issue seems to happen most often during and following Windows Updates. If Device Guard is in use, that can contribute as well on Win 10. For the workaround, we are using these commands to edit the failure mode and restart functionality of the service entry:

MEEClientService

sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

Anti-Exploit Service

sc failure "MbaeSvc" actions= restart/6000/restart/6000/""/6000 reset= 120

Anti-Malware Service

sc failure "MBAMService" actions= restart/6000/restart/6000/""/6000 reset= 120

These commands are set to restart the service if it has failed for longer than 6000 ms, which is 6 seconds, it will do that once more on the second failure, the third failure will take no action so that the service doesn't end up in a start / stop loop. If the first and second restarts are successful, and the service remains up for at least 2 minutes, the failure count is reset. Here's an article that explains the sc failure command set in more detail if you want to alter the config - https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx