
Has anyone else experienced startup issues on endpoints recently? MBAMChameleon.sys and MBAMSwissarmy.sys have caused a few client machines to not boot in the last few days.

[Picture: screenshot of the boot error attached to the original post, not reproduced here]


Yes, and so it seems like this is a real issue. Well done Malwarebytes. AGAIN. I'm really losing confidence. You really have to make up a LOT with the new release...

How have you fixed this?

And is there any way to avoid it? Or can I expect to have this all next week???


I'm checking with the Product team to see what the status of this issue is.  I only learned of it myself yesterday when Computerdienst reported it to me along with a list of other issues he'd experienced.  Hopefully I'll hear back from them soon and they'll have some good news for us.

I'll let you guys know as soon as I hear anything.


They've requested some additional info.  Can either of you guys please run the diagnostics tool posted here on one of the affected endpoints and attach the log it creates on the desktop to a reply to this topic?  They want to have a closer look at what's going on with one of the affected installations.

Thanks

8 hours ago, exile360 said:

They've requested some additional info.  Can either of you guys please run the diagnostics tool posted here on one of the affected endpoints and attach the log it creates on the desktop to a reply to this topic?  They want to have a closer look at what's going on with one of the affected installations.

Thanks

Hi Samuel,

I can't, as I'm an external IT guy and don't have access to this client at the moment. What I can say is that this client has Windows 7, and the real difference from my other customers/clients is that this machine is still running x86 and NOT x64.

Also, the driver that failed was the Chameleon driver, but "encrypted". Something like RANDOMNUMBER.SYS.

For the moment I did what you told me and disabled the self-protect module. I hope this won't happen now.

6 hours ago, Computerdienst said:

Hi Samuel,

I can't, as I'm an external IT guy and don't have access to this client at the moment. What I can say is that this client has Windows 7, and the real difference from my other customers/clients is that this machine is still running x86 and NOT x64.

Also, the driver that failed was the Chameleon driver, but "encrypted". Something like RANDOMNUMBER.SYS.

For the moment I did what you told me and disabled the self-protect module. I hope this won't happen now.

Hi Samuel,

I'm unable to gather any logs either, we've turned the machines back over to the end users and it's very hard to get them to bring machines back to us. :-)

The way we fixed it was to go into safe mode and copy the .sys file giving the error from a known good machine with the same version of Windows.  That resolved it.

When we get another machine I will make sure the help desk gathers the logs.

Thanks,

Dean

2 hours ago, deanb1234 said:

Hi Samuel,

I'm unable to gather any logs either, we've turned the machines back over to the end users and it's very hard to get them to bring machines back to us. :-)

The way we fixed it was to go into safe mode and copy the .sys file giving the error from a known good machine with the same version of Windows.  That resolved it.

When we get another machine I will make sure the help desk gathers the logs.

Thanks,

Dean

Strange. I wasn't even able to boot into safe mode, so I needed to use the Kaspersky Boot CD, and with the integrated registry editor I was able to remove Chameleon from the Services. However, that won't work with my Bootcamp clients in case of emergency.
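The two recoveries described in the posts above (Dean's: boot offline and copy the failing .sys from a known-good machine with the same Windows version; Computerdienst's: boot rescue media and edit the Services key in the offline registry) can be done from one script in WinPE or a recovery console. The following is an added example written for this page, not code from the thread or from Malwarebytes. It assumes the broken Windows install is mounted at D:\Windows, that the driver's service key is named MBAMChameleon, and that a known-good copy of the driver sits at E:\known-good\MBAMChameleon.sys; none of those three details are stated in the thread. It disables the service (Start=4) instead of deleting the key, so the change can be reverted once the product is repaired, and it refuses to copy a replacement driver whose Authenticode signature does not verify.

```powershell
<#
  Added example, not code from this thread or from Malwarebytes.
  Offline recovery for a driver that stops Windows booting. Run from WinPE
  or a recovery console with the broken Windows volume mounted.
  Assumptions (not facts from the thread): offline Windows is D:\Windows,
  the service key is MBAMChameleon, the known-good copy is at
  E:\known-good\MBAMChameleon.sys.
#>
param(
    [string]$OfflineWindows = 'D:\Windows',
    [string]$ServiceName    = 'MBAMChameleon',
    [string]$KnownGoodSys   = 'E:\known-good\MBAMChameleon.sys',
    [ValidateSet('Report', 'Replace', 'Disable')]
    [string]$Action         = 'Report'
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'
$mount    = 'HKLM\OfflineSYSTEM'

# Mount the offline SYSTEM hive; reg.exe is available in WinPE.
reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hiveFile" }

try {
    # The ControlSet the offline OS will boot with is recorded in Select\Current.
    $current = (Get-ItemProperty "Registry::$mount\Select").Current
    $svcKey  = 'Registry::{0}\ControlSet{1:D3}\Services\{2}' -f $mount, $current, $ServiceName
    if (-not (Test-Path $svcKey)) {
        # For a randomly named driver, locate the key by its ImagePath instead, e.g.
        # Get-ChildItem "Registry::$mount\ControlSet001\Services" | Get-ItemProperty |
        #     Where-Object ImagePath -like '*RANDOMNAME.sys'
        throw "No service key $svcKey"
    }
    $svc = Get-ItemProperty $svcKey

    # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled. A boot- or
    # system-start driver that fails to load is what keeps the machine from coming up.
    "Service ${ServiceName}: Start=$($svc.Start) ImagePath=$($svc.ImagePath)"

    # Map ImagePath (\??\C:\Windows\..., \SystemRoot\..., or system32\DRIVERS\...)
    # onto the offline volume.
    $rel       = $svc.ImagePath -replace '^(\\\?\?\\)?([A-Za-z]:\\Windows\\|\\SystemRoot\\)?', ''
    $sysOnDisk = Join-Path $OfflineWindows $rel

    if (Test-Path $sysOnDisk) {
        $sig = Get-AuthenticodeSignature $sysOnDisk
        "On-disk:    $((Get-FileHash $sysOnDisk -Algorithm SHA256).Hash)  signature=$($sig.Status)"
    } else {
        "On-disk:    MISSING ($sysOnDisk)"
    }
    if (Test-Path $KnownGoodSys) {
        $goodSig = Get-AuthenticodeSignature $KnownGoodSys
        "Known-good: $((Get-FileHash $KnownGoodSys -Algorithm SHA256).Hash)  signature=$($goodSig.Status)"
    }

    switch ($Action) {
        'Replace' {
            # Only copy a file whose signature verifies; a corrupt or tampered
            # "known-good" copy would reproduce the same boot failure.
            if (-not (Test-Path $KnownGoodSys) -or
                (Get-AuthenticodeSignature $KnownGoodSys).Status -ne 'Valid') {
                throw "Refusing to copy: $KnownGoodSys is missing or not validly signed"
            }
            if (Test-Path $sysOnDisk) { Copy-Item $sysOnDisk "$sysOnDisk.bak" -Force }
            Copy-Item $KnownGoodSys $sysOnDisk -Force
            "Replaced $sysOnDisk (backup at $sysOnDisk.bak)"
        }
        'Disable' {
            # Reversible alternative to deleting the key in the offline registry.
            Set-ItemProperty $svcKey -Name Start -Value 4 -Type DWord
            "Set Start=4 (disabled) on $svcKey; revert to Start=$($svc.Start) once the product is repaired"
        }
    }
}
finally {
    # Release PowerShell's handles to the hive first, otherwise the unload fails.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    reg.exe unload $mount | Out-Null
}
```

Run it with `-Action Report` first to see the Start type, the on-disk hash and the signature status before changing anything. Get-AuthenticodeSignature needs the PowerShell optional component in WinPE, and it can report a status other than Valid there simply because the signer's root certificate is not in the rescue image's trust store, so a non-Valid result on the on-disk file is a reason to look closer, not proof of corruption. Remember that the offline hive must be unloaded before rebooting; the finally block does that even when an earlier step throws.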


OK, thanks for the additional information guys.  The next time you have access to one of these systems could you please verify the exact build of Malwarebytes?  To find out, open the main Malwarebytes UI and click on Settings>About and make a note of the exact version numbers listed under Version Information:

  • Malwarebytes version: <version number>
  • Component package version: <version number>
  • Update package version: <version number>

This way they at least know which version(s) is/are being impacted by this issue and they can then let us know if the issue has been worked on and/or corrected in a newer release or is planned for an upcoming release.

I'll pass on the info about x86 systems being affected.  That would likely explain why I haven't encountered this issue before personally as most of our customers these days are on x64 operating systems.


Just to clarify it is happening on x64 systems for us.

2 minutes ago, exile360 said:

I'll pass on the info about x86 systems being affected.  That would likely explain why I haven't encountered this issue before personally as most of our customers these days are on x64 operating systems.

12 hours ago, exile360 said:

OK, thanks for the additional information guys.  The next time you have access to one of these systems could you please verify the exact build of Malwarebytes?  To find out, open the main Malwarebytes UI and click on Settings>About and make a note of the exact version numbers listed under Version Information:

  • Malwarebytes version: <version number>
  • Component package version: <version number>
  • Update package version: <version number>

This way they at least know which version(s) is/are being impacted by this issue and they can then let us know if the issue has been worked on and/or corrected in a newer release or is planned for an upcoming release.

I'll pass on the info about x86 systems being affected.  That would likely explain why I haven't encountered this issue before personally as most of our customers these days are on x64 operating systems.

But EP has no User Interface...


Ah, right you are.  Apologies, I'm checking with the Product team and I'll get back to you as soon as I hear from them.

In the meantime, if you have any scan logs handy that were created recently that should contain the info we need.  It would be in the header at the top where it lists our product info/the OS version etc.

11 hours ago, djacobson said:

@deanb1234 @Computerdienst do you guys have the self-protection early start option enabled in your policy?

Hi Dylion,


When the problem was occurring, yes. I've since turned that feature off and have not received any more complaints. We did have one user that was getting the same error, but it turns out the hard drive was bad in that particular machine.

Thanks,

Dean


Thanks @deanb1234, I was hoping that was the case. That setting is ultra sensitive; it is meant to be used when you are dealing with an infection that can kill security program services. You can utilize that setting to load MB drivers early to prevent tampering and killing. Be aware that this setting can prevent normal, safe changes to the files and can leave your product unable to update. Don't use it for every day; it's for emergencies.

On 27.10.2017 at 6:19 PM, djacobson said:

Thanks @deanb1234, I was hoping that was the case. That setting is ultra sensitive; it is meant to be used when you are dealing with an infection that can kill security program services. You can utilize that setting to load MB drivers early to prevent tampering and killing. Be aware that this setting can prevent normal, safe changes to the files and can leave your product unable to update. Don't use it for every day; it's for emergencies.

Hi Dyllon,

Is it only "Enable Self-Protection Module Early Start" that can cause problems, or also "Enable Self-Protection Module"?

At the moment I have disabled the "Enable Self-Protection Module" setting.
