MBAMSERVICE.LOG file being written to constantly at 10MB/s


IT_Guy

In the C:\ProgramData\Malwarebytes\MBAMService\logs folder there is a file MBAMSERVICE.log, and on some endpoints, MBAMSERVICE.LOG.bk1, bk2, bk3, bk4 etc all the way up to bk10 each of which are 10MB and each of which are being written to at 10MB/s as the original file is filled up and all the subsequent files are renamed and backed up.

This file is filled with log entries like this:

11/14/17    " 12:33:48.298"    468252    0b00    1624    ERROR    CHAMCTRL    CControlWatchdogDriver::DecrementRefCount    "ControlWatchdogDriver.cpp"    272    "Error getting driver RefCount - 2"
11/14/17    " 12:33:48.298"    468252    0b00    1624    ERROR    CHAMCTRL    CControlWatchdogDriver::Remove    "ControlWatchdogDriver.cpp"    370    "Failed to remove reference"
11/14/17    " 12:33:48.298"    468252    0b00    1624    ERROR    SPSDK    Uninstall    "SelfProtectionUser.cpp"    182    "SelfProtection driver failed to uninstall. LE=0."
11/14/17    " 12:33:48.298"    468252    0b00    1624    ERROR    CHAMCTRL    CControlWatchdogDriver::GetRefCount    "ControlWatchdogDriver.cpp"    305    "GetRefCount (err = 2) = 4294967295"

If you notice, the timestamp is identical; I have an additional 24 lines written to the log file in the same millisecond, then another 28 entries 16 milliseconds later. These computers are basically non-functional since the HD is being 100% monopolized by this process.

Uninstalling and reinstalling seems to fix the problem, but this leads me to another feature request. Can we get ALL of the log files from the endpoints available through the cloud? Or at least their file sizes? It would be a lot easier to see that the log is at 10MB through the cloud and then check the endpoint. Alternatively, some way of the cloud notifying the admin that there is a problem with an endpoint would be great; as it is, I have to wait for users to tell me their computer seems slow.

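A small parser for this log layout, added here as an example (not Malwarebytes code), that counts entries per millisecond to flag the kind of flood shown above and reports which functions are looping. The sample is the four lines from the post plus one constructed quiet line; the field order is assumed from the excerpt.

```python
"""Flag log-flood bursts in MBAMSERVICE.log-style lines.

Assumed tab-separated layout (taken from the excerpt above): date, time,
pid, session, thread, level, component, function, source file, line, message.
"""
from collections import Counter

# Constructed sample: the four lines from the post (one millisecond apart
# from nothing) plus one made-up quiet INFO line two seconds later.
SAMPLE_LOG = """\
11/14/17\t" 12:33:48.298"\t468252\t0b00\t1624\tERROR\tCHAMCTRL\tCControlWatchdogDriver::DecrementRefCount\t"ControlWatchdogDriver.cpp"\t272\t"Error getting driver RefCount - 2"
11/14/17\t" 12:33:48.298"\t468252\t0b00\t1624\tERROR\tCHAMCTRL\tCControlWatchdogDriver::Remove\t"ControlWatchdogDriver.cpp"\t370\t"Failed to remove reference"
11/14/17\t" 12:33:48.298"\t468252\t0b00\t1624\tERROR\tSPSDK\tUninstall\t"SelfProtectionUser.cpp"\t182\t"SelfProtection driver failed to uninstall. LE=0."
11/14/17\t" 12:33:48.298"\t468252\t0b00\t1624\tERROR\tCHAMCTRL\tCControlWatchdogDriver::GetRefCount\t"ControlWatchdogDriver.cpp"\t305\t"GetRefCount (err = 2) = 4294967295"
11/14/17\t" 12:33:50.001"\t468252\t0b00\t1624\tINFO\tSPSDK\tStart\t"SelfProtectionUser.cpp"\t40\t"constructed quiet line"
"""


def parse_line(line):
    """Split one log line into the fields we care about; None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 11:
        return None
    return {
        "date": fields[0],
        "time": fields[1].strip('" '),   # stored as '" 12:33:48.298"'
        "level": fields[5],
        "component": fields[6],
        "function": fields[7],
        "message": fields[10].strip('"'),
    }


def find_bursts(text, threshold=4):
    """Return {(date, time): count} for timestamps with >= threshold entries.

    Many entries sharing one millisecond is the signature of a tight retry
    loop rather than normal activity.
    """
    per_ms = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ms[(rec["date"], rec["time"])] += 1
    return {ts: n for ts, n in per_ms.items() if n >= threshold}


def top_errors(text, n=3):
    """Most frequent (component, function) pairs at ERROR level."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR":
            counts[(rec["component"], rec["function"])] += 1
    return counts.most_common(n)
```

Point it at a real MBAMSERVICE.log by reading the file into `text`; a burst dictionary with hundreds of entries per key, all from CHAMCTRL/SPSDK, matches the symptom in this thread.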

I can guarantee it is turned on because I turned on all modules on all endpoints and this is only happening on a few endpoints.

I would rather spend 30 minutes reinstalling it rather than disable the protection. I did not purchase the software to turn it off.

Further, if modules are broken there should be a patch pushed out to disable the module and notify administrators that the module is disabled.


Frankly, telling people to turn off the broken software is a horrible suggestion if you want to keep selling the software.


14 hours ago, djacobson said:

Self-Protect and Self-Protect Early Start are tools only meant to be used if you have an infection that is disabling Anti-Malware's functions. It is known as Chameleon in the consumer space. It is not meant for the every day use.

Kinda makes sense, so these features should be set to off unless you are fighting a persistent infection on an endpoint?


That's correct, specifically infection types that load right away on logon with the purpose of manipulating the files associated with your protection software. We are not the only ones that get targeted like this, though we try to give you as many tools as possible to get around situations like that. These settings are meant to prevent changes to your Malwarebytes files, but understand they can also prevent legitimate changes, like updates. It was a common issue back in the consumer Anti-Malware 2.x days that a user would turn that on, not realizing what it is for, and then sometime in the future their Malwarebytes wouldn't update.

To use these options effectively, I like to set it up as another group/policy, and if you are dealing with a machine exhibiting symptoms like that, plop it into that aggressive Chameleon-enabled group/policy to help add another dimension to your remediation tactics. Note that the machine will need a restart to have it take effect. I typically use the early start option as a step right before resorting to safe-mode removals.


1 hour ago, djacobson said:

That's correct, specifically infection types that load right away on logon with the purpose of manipulating the files associated with your protection software. We are not the only ones that get targeted like this, though we try to give you as many tools as possible to get around situations like that. These settings are meant to prevent changes to your Malwarebytes files, but understand they can also prevent legitimate changes, like updates. It was a common issue back in the consumer Anti-Malware 2.x days that a user would turn that on, not realizing what it is for, and then sometime in the future their Malwarebytes wouldn't update.

To use these options effectively, I like to set it up as another group/policy, and if you are dealing with a machine exhibiting symptoms like that, plop it into that aggressive Chameleon-enabled group/policy to help add another dimension to your remediation tactics. Note that the machine will need a restart to have it take effect. I typically use the early start option as a step right before resorting to safe-mode removals.

Great idea... I'm gonna go make myself a separate policy just as you described. Thanks.


I have also done this: created a separate policy for potentially infected endpoints and disabled the self-protection module on the default policy. People immediately said their computers started working better (after a reboot).


Might I suggest that this feature cannot be enabled in the default policy, and that warnings about the performance impact pop up when enabling it?


Obviously this isn't something that should be running on EVERY endpoint, and as such it should not be available in the default policy. There should be a popup that describes the use of the function and the recommendation to create a standalone policy for that feature. I would not leave it up to the end user to have to crawl through forums to figure it out.


2 hours ago, IT_Guy said:

There should be a popup that describes the use of the function and the recommendation to create a standalone policy for that feature. I would not leave it up to the end user to have to crawl through forums to figure it out.

Agreed, and we are working on content that dives into the settings and recommended approaches.
