MEP causing high memory usage on client PCs

[Brandon_Lutz]

Several of our weekend employees have contacted me this morning about MEP eating up the memory on their stations. The errors they are describing match what is happening in this thread on the consumer forum:

I havn't seen it mentioned here yet on the MEP forums so I thought I would start a topic on it. I'm on hold now waiting to get a hold of someone in business support but I've attached the compiled FRST and MB Checks logs below.

 

mb-check-results.zip

Edited January 27, 2018 by Brandon_Lutz

[Brandon_Lutz]

I've moved my clients all over to an incident response policy but that appears to not be helping. So far it has gotten bad enough on some clients I am being forced to remove MEP from them in order to get them back up and going.

[KDawg]

We have updated out definitions with a fix, please select all affected machine from the Endpoints list and Actions > Check for protection Updates

Please let us know if this is able to resolve at this time.

[Brandon_Lutz]

KDawg,

I'm running the updates now and I will let you know the result.

[R2CIT]

KDawg, please confirm which signature update contains the fix?  I'm on v2018.01.27.12 now.

Does the latest signatures just fix the memory exhaustion errors or does it also fix all of the issues with the false positive detections and emails as well?

Please confirm.

[Brandon_Lutz]

I'm getting back several automated messages from MEP after I tried to run the client updates.

I get the error message below. It appears the stations are not taking the update from MEP.

 

Based on your preferences, you are being notified that a new event has occurred on your account:

 

• Endpoint Name: clientname.domain
• Source: managed.machines
• Severity: warning
• Type: machine.command.failed

Details: command.protection.update.now

 

Edited January 27, 2018 by Brandon_Lutz

[Brandon_Lutz]

I'm restarting clients now and trying to reissue the update commands. I'll update and see if that resolves the issue.

[KDawg]

Please reattempt to run that command again, then restart the machine and let us know if it as able to pull

As well is your web protection disabled?

 

[Brandon_Lutz]

Yes web protection is disabled as I have everyone on an IR policy.

[Brandon_Lutz]

Ok this is what I've done:

I've moved everyone back to a our default MEP policy with Web Protection Turned OFF
I've forced a network wide restart
I then forced the update across the board

Stations are still moving slow and it appears nothing is applying like it should. Can I get an official case number so I can call into support again and provide them the number? I called earlier and told I was going to be sent an email with case number but I never got that email which is understandable given the circumstances. However I now have my CFO, CEO, and COO breathing down my departments back about this problem. Can I please get a case number so I can call in and get someone on the phone?

[JDBw57]

I am using MB cloud,i did check for updates, reboot the client, nothing is hppening. The client is not getting updates and PC still hang, i cant stop the service. Any other suggestions?

[Brandon_Lutz]

I think it is starting to finally work on workstations that were not hung up. The workstations that are hung up in my environment, i'm having to touch them manually and run one of the mb clean utilities to remove part of the install so I can remove the rest via the deployment tool. Then I can go in and reinstall after a reboot.

[itmindscape]

This is a disaster...I've rebooted machines 10 times...its random on whether it updates or not...how do I force the update???  I have 200 endpoints - I can't sit and watch each one and pray it works

[lockon]

Lost 40+ PCs this morning and this has ruined my whole day.

MEP is really a half-baked product - even before this I was very frustrated with it - endpoints not checking in, detections on PCs but unable to quarantine, no way to clear stats on the web portal, no way to clear detections lists, very limited info overall and, the biggest pisser - can't even open up an interface on the PCs themselves to see if things are actually working or to see which set of signatures is installed.

So, how to I tell if the corrected signatures are installed?

Edited January 27, 2018 by lockon

[Brandon_Lutz]

59 minutes ago, itmindscape said:

This is a disaster...I've rebooted machines 10 times...its random on whether it updates or not...how do I force the update???

Go into the cloud console, got to the endpoints section. Tick the box to select all of your endpoints. Then click on the actions button to open the drop down menu. Select the last option to Check for Protection Updates. This will force the updates to the clients.

Now here is where I ran into similar issues that you had. Some of my older stations got hung up really bad, about 20 out of 400. I had to do a force reboot on them via command prompt and I verified that they restarted. I showed a little patience and waited about 20 minutes and starting remoting into them to check their resources. It appears after letting them sit for a period of time they pulled down the update and that fixed the problem.

I highly recommend you bounce your workstations so they can pull down the workstations.

[itmindscape]

 

3 minutes ago, Brandon_Lutz said:

Go into the cloud console, got to the endpoints section. Tick the box to select all of your endpoints. Then click on the actions button to open the drop down menu. Select the last option to Check for Protection Updates. This will force the updates to the clients.

Now here is where I ran into similar issues that you had. Some of my older stations got hung up really bad, about 20 out of 400. I had to do a force reboot on them via command prompt and I verified that they restarted. I showed a little patience and waited about 20 minutes and starting remoting into them to check their resources. It appears after letting them sit for a period of time they pulled down the update and that fixed the problem.

I highly recommend you bounce your workstations so they can pull down the workstations.

Thanks Brandon - problem is...the leak is so exponentially bad...I can't wait 20 minutes...in 4 minutes, the machines with 8 GB of ram (standard workstation and smaller servers) are absolutely dead....and I have 27 sites...and - like you...my patience was shot about 5 hours ago =)

Edited January 27, 2018 by itmindscape

[Brandon_Lutz]

Do you have any of the mbam removal tools? If so on the really bad ones, I ran them while in safe mode. Rebooted when prompted and then finished the uninstall after they rebooted into Windows normally via the deployment tool.

Then I restarted and reinstalled. That fixed the issue on the ones that had their resources get eaten up very quickly.

[jasonc]

We're sorry you had issues with our program today. We've addressed the issue and here's what you need to do to fix it

Malwarebytes Endpoint Protection (Cloud Console)

1. From the Malwarebytes Cloud console, go to the endpoints pane and select all the endpoints.
2. In the action drop-down, choose the ‘check for protection updates’ option to force an update on all endpoints to database update 1.0.3803 or higher.

This should fix the problem for the vast majority of Endpoint Protection endpoints. If endpoints are still affected after applying this, please reboot the machine.

If the remote agent is unable to reach out and get this update, then we must disable the web protection:

1. In the Malwarebytes Cloud console, Go to the settings> policies> and open up the policy the clients are on.
2. From here, go to the endpoint protection policy and turn off the “Web Protection” portion of the policy. Then:
   • If the machine is unresponsive, reboot the machine and log in.
   • Once in, right click on the tray icon and start a scan. This will force a database update and fix the issue.
   • Once updated, cancel the scan and reboot the machine.
3. When the computers are all online and updated, please turn back on the web protection again in the Endpoint Policy.

To learn more about what happened, please go here: