MB Premium 3, Roboform, & Chrome High CPU Issue

[Digitsoft]

Software (all current as of Jan 13, 2018)
OS: Win 7 x64 SP1
MB: Premium 3.3.1
AV: eSet v11
Roboform: 8.4.6.6
Chrome x64

When I'd run Chrome with Roboform enabled, I'd notice lag and high CPU use (2-5% constant) for the Roboform process (rf-chrome-nm-host.exe) attached to Chrome.
This does not occur when I use Firefox x64 with Roboform enabled - the same executable is used for Firefox and the filename is not specific for Chrome (weird huh?).

I used Procmon (from Sysinternals) to see what the Roboform process was doing only when Chrome was in use.
There's a constant registry lookup cycle along with file lookup.

I had been trying to figure out what the issue was, but finally involved the Roboform support team.
They looked at my Procmon log and ran some internal tests - they said that eSet and/or MB were injecting into those processes.

I tested many scenarios and in the end they were correct - MB was the culprit.
With MB disabled I can run Chrome with Roboform and no spikes in CPU occur.

I then went further to test a brand new Chrome profile with nothing enabled other than Roboform - same issue.

I then added the Roboform executable in question to the MB exclusions list, but the CPU issue still exists only in Chrome.

The CPU issue with this process only happens with MB enabled, so I now have to choose between either MB or using Roboform in Chrome.

Ideas?

[Porthos]

44 minutes ago, Digitsoft said:

Ideas?

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues.... Please use an Administrator account when doing the following,

1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
2. Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
3. NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
4. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
5. Press the "Scan" button
6. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
   NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
7. NEXT: Create and obtain an mb-check log
8. Download MB-Check and save to your desktop
9. Double-click to run MB-Check and within a few second the command window will open, then click "OK"
10. This will produce one log file on your desktop: mb-check-results.zip
11. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

[Digitsoft]

I wanted to test this on a clean install (same software as above) and the issue still exists.

 

Addition.txt

FRST.txt

mb-check-results.zip

[Digitsoft]

Anyone have ideas on this?  It's definitely a MB issue.

[Porthos]

On 1/13/2018 at 1:09 PM, Digitsoft said:

so I now have to choose between either MB or using Roboform in Chrome.

Ideas?

You answered your own question.

On 1/13/2018 at 1:09 PM, Digitsoft said:

This does not occur when I use Firefox x64 with Roboform enabled

I will ask staff to look into this. @dcollins@nikhils@vbarytskyy

 

[Digitsoft]

I just opened a ticket with MB, but feel free to investigate.

[vbarytskyy]

Hello @Digitsoft

I was able to replicate this issue. I was getting about 2-3% constant usage which closely matches what you experienced. This is a very low amount of CPU usage but I was able to find a workaround through exclusions. Adding the entire Roboform Chrome folder dropped usage to 0-1%. See screenshot below and give it a try if you'd like: 

 

[Digitsoft]

Thanks for testing.

I already had the rf process excluded, but tested excluding the entire Siber\AI folder.
It doesn't do anything for me - the registry and file hits are non-stop.

The rf process for Firefox doesn't have the constant activity, so this is Chrome specific.

This is definitely something MB needs to look at.

[vbarytskyy]

@Digitsoft

Could you elaborate more on what kind of spikes you are seeing?

I am doing more testing on this issue and seeing about the same CPU average on a clean machine with RoboForm. This is a test on a clean machine before and after Malwarebytes install. Average CPU usage is 0.25% with and without our software installed. The actual % figure may change based on hardware but should still be in single digits in a modern CPU, which is right about what you were seeing with 2-5% usage you described. 

Edited January 17, 2018 by vbarytskyy

[Porthos]

Additional note. I assume  @vbarytskyy is not testing with Eset installed as well. Could you add the exclusions for MB.

Malwarebytes 3 files to be set as exclusions in other security software.

Edited January 17, 2018 by Porthos

[vbarytskyy]

@Porthos @Digitsoft

I am currently benchmarking with ESET installed as well just to replicate this environment as much as possible, but I would like more explanation on what kind of spike is being seen as well as if anything changes by after adding exclusions like @Porthos suggested above. 

[Digitsoft]

The rf-chrome-nm-host.exe process that is spawned when Roboform is enabled in Chrome instantly spikes the CPU. 
I've seen it hit up to 5% and I can notice it during normal use.

The rf-chrome-nm-host.exe that runs for Firefox has no CPU impact (other than when first run or synching).
If you run both browsers simultaneously with RF enabled, it's only the Chrome instance that has the issue.

It's only the rf-chrome-nm-host.exe process that continually scans the registry and hits files.
You have the procmon file, so you can see everything that it's hitting.

I forgot to mention that I also tried disabling ESET and that makes no difference, which is why I was able to identify MB as the (most likely) cause.

I'm happy to test most anything, so just ask, but I'll keep digging around in my test install.

[vbarytskyy]

@Digitsoft

I am noticing CPU utilization even with no protection of any kind installed. I also looked into ProcMon and I see that registry is constantly being read by this extension even with no Malwarebytes installed. I left ProcMon to gather while Google Chrome just sat open and registry was being accessed the whole time.

Did you have this problem with an older version of RoboForm? 

What did you and their support teams observe with no Malwarebytes installed?

• If no utilization was observed, could you get me a ProcMon log with Malwarebytes running when CPU spikes and without Malwarebytes running so I can compare your results to my test box. 
• Since logs will be large, upload them to www.wetransfer.com 

Thank you

[Digitsoft]

RF support said it was MB injection and everything seemed to point that way.
My first reaction was them pointing fingers, but the CPU usage went to 0% when I disabled MB.

I've been using the same major version of RF for a long time, but this all seemed to converge when I upgraded MB.
I was running v1,x (was never prompted to upgrade) and I found v3.x when on the MB site.

Let me spin up my fresh test machine and give you detailed reports with specific apps enabled and not enabled (alone & in combination).
I'll limit the procmon logs to just the RF process to help minimize them.

 

[Digitsoft]

Sorry for the complete waste of time - I was positive that I had disabled MB and ESET, but I must not have at one point.

It's definitely the RF extension.

If I find anything to contradict this, I'll post it.

[TheSQLGuru]

I too have 2-5% CPU usage (and about 150 page faults per second) on roboform. Please fix this. 

[TheSQLGuru]

BTW, it is specifically this process (in the Chrome subfolder): rf-chrome-nm-host.exe

[Digitsoft]

I don't know your situation directly, but with Roboform and Chrome there's an issue not related to MB.

I tracked this down and worked with Roboform via tickets, but they have no fix - it's due to Windows Accessibility components.

Roboform uses Microsoft Accessibility components to track various items and you can't disable the accessibility in Windows.

I had to disable Roboform in Chrome and use LastPass in Chrome - no choice.

[Digitsoft]

rf-chrome-nm-host.exe is used for all processes and not specific to Chrome - confirmed via Roboform.

If you want to see what this process (and others are up to), download and run procmon from MS.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Add a filter to monitor processes that start with rf, capture for a few seconds, and you'll see the RF process constantly hitting MS Accessibility components.