Initial thoughts on MB 3.3.1

[TempLost]

Just installed MB 3.3.1 over 3.3.0 Beta by clicking on Install Application Updates on the Application Tab. Got the message Unable To Contact Licence Server after installation, but everything seems to have installed correctly. In the first few minutes of playing around with the new release, I could invoke the message again by clicking on the My Account tab but the message seems to have been suppressed now.

Ran a manual Hyper Scan which seemed to finish very quickly - I looked at the report (see attached) and was interested to see that it reported:-

-Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled
PUP: Detect
PUM: Detect

That seems a little odd, as Hyper Scan is supposed to check Memory and Startup Objects.

I have not yet rebooted after the installation - will be shutting down shortly and probably won't have the opportunity to get back on this computer for a couple of days, but will add further details as I can.

I ran FRST64 and MB-Check and attach the results below......

Windows 7 Home Premium SP1 64x
MB Premium 3.3.1
MSE
CryptoPrevent Premium 8.0.4.3

HyperscanLog.txt

mb-check-results.zip

[TempLost]

Just carried out a reboot and the problems persist. Still getting "Unable To Connect To Licence Server" popups and a very truncated Hyper Scan without scan of Startup.

I will run MB Clean when I'm next back on this laptop and see how MB 3.3.1 runs then.

I'm not absolutely certain that my problems are due to the latest release as I had been experiencing one or two anomalies over the last few days when running 3.2.2, which is why I tried 3.3.0 Beta

Windows 7 Home Premium SP1 64x
MB Premium 3.3.1
MSE
CryptoPrevent Premium 8.0.4.3

[exile360]

Thanks for reporting this.  I just tested on my own system and the Hyper scan seems to be skipping things it shouldn't here as well (in my case it skipped the memory portion of the scan according to my log).  I've reported this to the team.  It seems we have a new bug.

[Firefox]

Just to add my 2 cents... I see the same results as both of you...

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/2/17
Scan Time: 4:26 PM
Log File: 7c10919c-c014-11e7-8018-484d7edd8d7e.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3161
License: Premium

-System Information-
OS: Windows 10 (Build 15063.674)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 3760
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Disabled
Rootkits: Disabled
Heuristics: Disabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

[TempLost]

Glad it's not just me! I was planning on an early night (here in France) but just had to do a clean uninstall and reinstall first.  The Licence Server popups issues seem to have disappeared but the Hyper Scan is still skipping stuff.

Windows 7 Home Premium SP1 64x
MB Premium 3.3.1
MSE
CryptoPrevent Premium 8.0.4.3

[BillH99999]

I just installed over 3.2.2 and had no problems with the license server, but did see the same results on the hyperscan:

-Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled
 

The run took  7 seconds.

Bill

[lmacri]

Hi TempLost:

This might be an old bug.  I'm still on MB v3.2.2.2018 and ran a Hyperscan after reading your original post and my scan log (MB v3_2_2 Hyperscan Log 02 Nov 2017.txt) also says:

-Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled
PUP: Warn
PUM: Warn

...even though the interface shows Startup Objects being scanned.

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.4.0 * NS Premium v22.11.0.41 * MB Premium v3.2.2.2018-1.0.212

[throkr]

Just an info : looking in older (scheduled) Hyperscan logs,  I noticed that this bug was already present in the previous official version 3.2.2.

See attached log.

Scan log.txt

[TempLost]

Strange that it's only now surfaced as a bug - perhaps not many users run Hyper Scan, just Threat Scan?

Windows 7 Home Premium SP1 64x
MB Premium 3.3.1
MSE
CryptoPrevent Premium 8.0.4.3

[bdubrow]

Hi all--

There are a couple issues here, both of which have been around since we released the initial Malwarebytes 3.0 back in December of last year.  

First, I want to clarify what Hyper Scan is currently scanning and looking at.  It ONLY scans Memory and Startup.  And it is actually scanning these areas, despite what the logs show.

We've had two items in our queue to fix, that basically fell off our radar due to being lower priority, more cosmetic issues. But this conversation is helping them get some additional attention.  

1) The logging for the Hyper Scan scan options is incorrect.  Startup should show as Enabled.  It’s just the logging that is incorrect as the scanning is taking place. (e.g. if there are malicious startup items, Hyper Scan will detect these).

2) The progress bar displayed during Hyper Scans should not display Scan File System or Heuristics Analysis phases. Only the following nodes should show:  Check for Updates, Pre-Scan Operations, Scan Memory, Scan Startup Files

We'll get both of these items fixed in a future update.

 

Edited November 3, 2017 by bdubrow
clarified text

[throkr]

Hi bdubrow,

Thank you for this useful explanation.

[TempLost]

Hi bdubrow

Thanks from me as well - glad it's not an actual scan failure.

[BillH99999]

 

@bdubrow

 

4 hours ago, bdubrow said:

First, I want to clarify what Hyper Scan is currently scanning and looking at.  It ONLY scans Memory and Startup.  And it is actually scanning these areas, despite what the logs show.

 

Thanks for the explanation.  Glad to know the scan is working as expected.  Just a couple of clarifications.

1. Is a 7 second elapsed time "normal"?

2. Should Archives: also show as Disabled?

Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled

Thanks,
Bill

[bdubrow]

Hi Bill--

Yes, depending on the system, 7 seconds is absolutely normal.  

And you are correct on Archives...that should also show as disabled for Hyper Scans as it doesn't apply.

[BillH99999]

@bdubrow

Thanks.  Everything else seems to be working fine in 3.3.1.

Bill

[TempLost]

Yes, everything seems fine for me since I ran the MB-clean and it reinstalled MB 3.3.1. Just a question - does running the clean process remove all log files as well as the program files?

Windows 7 Home Premium SP1 64x
MB Premium 3.3.1
MSE
CryptoPrevent Premium 8.0.4.3

[Porthos]

22 minutes ago, TempLost said:

Just a question - does running the clean process remove all log files as well as the program files?

Yes

[TempLost]

Thanks, Porthos 

[throkr]

@bdubrow

@BillH99999

Additional information : this seems to be related to the main setting under "Protection Settings" > Scan Options > Scan within archives; if this setting is activated, the log will show enabled. If this setting is deactivated, the log will show disabled (see attached logs).

But in the case of a Hyper Scan, it should definitely show as disabled in the log as it doesn't apply ...

Main setting scan within archives activated.txt

Main setting scan within archives deactivated.txt

Edited November 3, 2017 by throkr
typo

[bdubrow]

@throkr That's all correct.  We want Archives to always show as Disabled for Hyper Scans since it'll never apply.  But we'll need to fix this first.

Edited November 3, 2017 by bdubrow

[AdvancedSetup]

Looks good on my system scan

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/4/17
Scan Time: 12:46 AM
Log File: 33b2560c-e124-13e7-baea-2c56dc3f1adf.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3171
License: Premium

-System Information-
OS: Windows 10 (Build 16299.19)
CPU: x64
File System: NTFS
User: AS\BuckinghamPalace

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 430124
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 39 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

Edited November 4, 2017 by AdvancedSetup

[throkr]

Hi AdvancedSetup,

Time elapsed showing up in your log is very low.

I had a scheduled Threat scan running in the background (while I was working on the computer) which took 9min, 30sec. As a comparison, I just ran a manual Threat scan (high priority, GUI closed and no other activity on the computer) which took 4min, 9 sec. (see attached logs)

Is such a big time difference between these 2 scans normal ?

Scheduled Threat scan.txt

Manual Threat scan.txt

[AdvancedSetup]

Hello @throkr

I run an M.2 SSD which is much faster than a normal SSD drive and why I'm able to scan pretty fast.

2,500MB/s Seq. Read
1,500MB/s Seq. Write

As for why there is an obvious speed difference between a manual Threat Scan and a Scheduled one I''m not sure. Perhaps @bdubrow or @exile360 can give some feedback on that issue. I'm going to be on vacation so wouldn't have time to follow up with you on the issue right now.

Thank you

Ron

 

 

[throkr]

Hi AdvancedSetup,

As for the speed difference, I'll wait for some feedback; no big deal, it's really just out of curiosity ...

Thank you for answering and have a nice vacation.

[bdubrow]

Hi throkr--

Scheduled scans always run at a lower priority so as to have less impact on performance if you're using the computer for other activity.  So this difference in times is expected and normal.