IT_1152

High CPU after automatic update.

Here is the MBAMService.log

Quote

01/02/18    " 13:00:48.792"    1296931484    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate    "UpdateControllerImplHelper.cpp"    507    "DoUpdate - Starting check for updates (automatic)"
01/02/18    " 13:00:48.792"    1296931484    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate    "UpdateControllerImplHelper.cpp"    509    "Checking for: Installer=[Yes], SDK/Ctlr=[Yes], DB/CLS=[Yes]"
01/02/18    " 13:00:48.792"    1296931484    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions    "UpdateControllerImplHelper.cpp"    1035    "Installer package --> [ncep-win.installer.common], current version: [3.1.8]"
01/02/18    " 13:00:48.792"    1296931484    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions    "UpdateControllerImplHelper.cpp"    1055    "SDK/Controller package --> [ncep-win.ctlr.64bit], current version: [1.0.160]"
01/02/18    " 13:00:48.792"    1296931484    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::GetInstalledPkgVersions    "UpdateControllerImplHelper.cpp"    1087    "DB/ClsEng package --> [mbam-c.dbcls.64bit], current version: [1.0.3607]"
01/02/18    " 13:00:49.131"    1296931828    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::ProcessAvailablePackages    "UpdateControllerImplHelper.cpp"    988    "A New version (1.0.3608) of pkg [mbam-c.dbcls.64bit] (FULL) is available"
01/02/18    " 13:00:49.131"    1296931828    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::ProcessAvailablePackages    "UpdateControllerImplHelper.cpp"    988    "A New version (1.0.3608) of pkg [mbam-c.dbcls.64bit] (INCR) is available"
01/02/18    " 13:00:49.131"    1296931828    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate    "UpdateControllerImplHelper.cpp"    518    "Available updates found - beginning download"
01/02/18    " 13:00:49.549"    1296932250    0840    2a80    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DownloadComplete    "UpdateControllerImplHelper.cpp"    2769    "Download Complete (Successful) for: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\delta1\dbcls.64bit.incr.7z"
01/02/18    " 13:00:49.647"    1296932343    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DownloadUpdates    "UpdateControllerImplHelper.cpp"    1327    "Successfully downloaded: mbam-c.dbcls.64bit"
01/02/18    " 13:00:49.757"    1296932453    0840    093c    INFO    MBAMShimImpl    MBAMShimImpl::PrepareUpdate    "MBAMShimImpl.cpp"    95    "MBAMCore preparing update"
01/02/18    " 13:00:49.843"    1296932531    0840    093c    INFO    MBAMCoreImpl    MBAMCoreImpl::Shutdown    "MBAMCoreImpl.cpp"    152    "MBAMCore was successfully shutdown."
01/02/18    " 13:00:49.843"    1296932531    0840    093c    INFO    ActionsShim    ActionsShim::PrepareUpdate    "ActionsShim.cpp"    118    "Starting update of actions"
01/02/18    " 13:01:00.690"    1296943390    0840    093c    INFO    ActionsShim    ActionsShim::FinishUpdate    "ActionsShim.cpp"    129    "Finishing update of actions"
01/02/18    " 13:01:00.788"    1296943484    0840    093c    INFO    MBAMShimImpl    MBAMShimImpl::FinishUpdate    "MBAMShimImpl.cpp"    131    "MBAMCore finishing update"
01/02/18    " 13:01:00.851"    1296943546    0840    093c    INFO    MBAMShimImpl    MBAMShimImpl::InitializeInternal    "MBAMShimImpl.cpp"    62    "MBAMCore was successfully loaded. CoreFilePath=<C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll>."
01/02/18    " 13:01:04.831"    1296947531    0840    093c    INFO    MBAMCoreImpl    MBAMCoreImpl::Initialize    "MBAMCoreImpl.cpp"    123    "MBAMCore was successfully initialized. CoreFolderPath=<C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE>. DefsFolderPath=<C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE>."
01/02/18    " 13:01:04.831"    1296947531    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::UpdateInstalledPkgVersion    "UpdateControllerImplHelper.cpp"    2307    "Successfully updated DB/ClsEng package version to: 1.0.3608"
01/02/18    " 13:01:04.831"    1296947531    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::UpdateInstalledPkgVersion    "UpdateControllerImplHelper.cpp"    2315    "Set DB version to: 2018.01.02.04"
01/02/18    " 13:01:04.835"    1296947531    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest    "UpdateControllerImplHelper.cpp"    3658    "Signature successfully validated"
01/02/18    " 13:01:05.264"    1296947953    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::ValidateDBManifest    "UpdateControllerImplHelper.cpp"    3662    "DB manifest successfully validated"
01/02/18    " 13:01:05.264"    1296947953    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::CheckDbManifest    "UpdateControllerImplHelper.cpp"    3892    "Validated DB manifest - success"
01/02/18    " 13:01:05.303"    1296948000    0840    093c    INFO    UpdateControllerImpl    mb::updatecontrollerimpl::CUpdateControllerImpl::DoUpdate    "UpdateControllerImplHelper.cpp"    550    "Update check is complete."
01/02/18    " 13:01:05.303"    1296948000    0840    09f0    INFO    CleanControllerImpl    CleanDBParser::Parse    "CleanDBParser.cpp"    18    "Parsing C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\clean.mbdb"
01/02/18    " 13:01:05.303"    1296948000    0840    09f0    INFO    GalaxyRuleParser    mb::common::galaxyrules::SimpleRuleFileParserV2::Parse    "GalaxyRuleParser.cpp"    2973    "Successfully parsed 196 records."
01/02/18    " 13:01:05.554"    1296948250    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacShimModuleLoader::UnloadModule    "MwacShimModuleLoader.cpp"    104    "Unloaded the Web Access Control Sdk implementation module."
01/02/18    " 13:01:05.554"    1296948250    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::StopProtection    "MWACControllerImplHelper.cpp"    1531    "Web Access protection has been stopped."
01/02/18    " 13:01:07.550"    1296950250    0840    0bf0    INFO    GalaxyRuleParser    mb::common::galaxyrules::SimpleRuleFileParserV2::Parse    "GalaxyRuleParser.cpp"    2973    "Successfully parsed 846141 records."
01/02/18    " 13:01:14.397"    1296957093    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::InitializeMwacSdk    "MWACControllerImplHelper.cpp"    757    "Initialization succeeded"
01/02/18    " 13:01:14.401"    1296957093    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::StartProtection    "MWACControllerImplHelper.cpp"    1490    "Web Access protection is starting..."

There were no entries after that point and the CPU remained maxed out until MBAMService.exe was manually terminated 30 minutes later.
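
Added example (not part of the original post and not Malwarebytes code): a small Python parser for the log format quoted above that reports the last logged operation and its thread once the log has gone silent, plus the longest pause on any one thread. The field layout, hex PID/TID columns, MM/DD/YY dates and the observation time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the last four entries of the MBAMService.log quoted above.
SAMPLE = '''01/02/18    " 13:01:05.554"    1296948250    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::StopProtection    "MWACControllerImplHelper.cpp"    1531    "Web Access protection has been stopped."
01/02/18    " 13:01:07.550"    1296950250    0840    0bf0    INFO    GalaxyRuleParser    mb::common::galaxyrules::SimpleRuleFileParserV2::Parse    "GalaxyRuleParser.cpp"    2973    "Successfully parsed 846141 records."
01/02/18    " 13:01:14.397"    1296957093    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::InitializeMwacSdk    "MWACControllerImplHelper.cpp"    757    "Initialization succeeded"
01/02/18    " 13:01:14.401"    1296957093    0840    0bf0    INFO    MwacControllerImpl    mb::mwaccontrollerimpl::MwacControllerImpl::StartProtection    "MWACControllerImplHelper.cpp"    1490    "Web Access protection is starting..."
'''

# Assumptions: fields are whitespace-separated, PID/TID columns are hex,
# and dates are MM/DD/YY (the log's own "DB version 2018.01.02.04" suggests so).
LINE = re.compile(
    r'^(?P<date>\d\d/\d\d/\d\d)\s+"\s*(?P<time>[\d:.]+)"\s+\d+\s+(?P<pid>[0-9A-Fa-f]+)\s+'
    r'(?P<tid>[0-9A-Fa-f]+)\s+(?P<level>\w+)\s+(?P<module>\S+)\s+(?P<func>\S+)\s+'
    r'"[^"]*"\s+\d+\s+"(?P<msg>.*)"\s*$')

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if (m := LINE.match(raw.strip())):
            e = m.groupdict()
            e["ts"] = datetime.strptime(f'{e["date"]} {e["time"]}', "%m/%d/%y %H:%M:%S.%f")
            entries.append(e)
    return entries

def find_stall(entries, observed_at, quiet=timedelta(minutes=5)):
    """If the log has been silent for `quiet`, report the last logged operation."""
    if not entries:
        return None
    last = max(entries, key=lambda e: e["ts"])
    silence = observed_at - last["ts"]
    if silence < quiet:
        return None
    return {"silent_for": silence, "tid": int(last["tid"], 16),
            "func": last["func"], "msg": last["msg"]}

def longest_gap(entries):
    """Largest pause between consecutive entries of one thread: (seconds, message before it)."""
    best, last_seen = (0.0, None), {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        prev = last_seen.get(e["tid"])
        if prev and (gap := (e["ts"] - prev["ts"]).total_seconds()) > best[0]:
            best = (gap, prev["msg"])
        last_seen[e["tid"]] = e
    return best

if __name__ == "__main__":
    # Constructed observation time: 30 minutes after the last entry, as the post reports.
    print(find_stall(parse(SAMPLE), datetime(2018, 1, 2, 13, 31, 14)), longest_gap(parse(SAMPLE)))
```

The decimal thread ID it returns can be matched against the thread list of a process dump taken while the service is busy.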


This is still an issue; the platform update pushed recently locked up half of our production workstations. These are quad-core systems with 8 GB of RAM. Please fix whatever is causing CPUs to max out.

I've had to run "taskkill -s \\<hostname> /im:mbamservice.exe /f" about 100 times today because the systems are too slow to even process a reboot command.

Edited by IT_1152


The service needs its properties edited to help with this issue. Use these commands:

sc config MBEndpointAgent start= delayed-auto
sc failure MBEndpointAgent actions= restart/900000 reset= 120


Do we have to do this on ALL of our machines?

Can't you guys test this stuff in some sort of test environment?

Since the start of October, every time there is something wrong on my network, it's that MalwareBytes "accidentally" pushed out an upgrade that took down a large portion of our network, and the "quick" fix is that I have to go to every machine (which now are running slow as molasses) and run a couple of commands?

I am REALLY getting tired of this; managing MalwareBytes on my network is becoming a full-time job.


Sometimes fixing one thing can break another; it is the nature of software and of needing to support fragmented Windows OS ecosystems.

The service failure property edits have since become part of new installs performed from a brand new download of the agent installer as of March 26th.


Months later and this is still an issue. After updates over the weekend I had about 15 workstations lock up today.

Only "taskkill -s \\<hostname> /im:mbamservice.exe /f" helps make the computer responsive again.

Edited by IT_1152


@IT_1152 are these machines still on 3.4.5.2470 or have they moved to 3.5.1.2600? The system can begin to consume resources if it is stuck trying to download the updated build over and over only to not be able to install it. If these are on the newer build, we'll need to know what kind of system and role, and log sets from it.


@IT_1152

We'll need to get a dump of the "Malwarebytes Service" while it's in a high usage state:

  1. When you notice that "Malwarebytes Service" is in a high usage state (30-40% CPU), open Task Manager (as admin, if on a domain user)
  2. Find "Malwarebytes Service" in the list and confirm high usage is happening (if you used another tool to notice the initial usage)
  3. Right-click on "Malwarebytes Service" and select "Create dump file"
    1. Wait a few minutes; it can take up to 10 min to create the dump
  4. When the dump is done creating, it'll give the location where it was stored; please note this location (it will be %temp% most of the time)
  5. Go to the location given, zip the file and send it to us.

Feel free to use your own cloud storage solution to share the dump with me or upload it to wetransfer.com and provide me with the link.

