IMPORTANT: Web Blocking / RAM Usage


1 minute ago, WatchingtheTaskManager said:

They've left the faulty software up? I knew it wasn't working when I tried it, but this strikes me as a pretty big oversight to make...

I've posted two images of the details of the executable that I downloaded. I didn't attempt to install them, I asked if they were the fixed version. If it were me, if I couldn't deliver the fix using the normal download method, I would have pulled all download ability until the fixed version could be disseminated.

Link to post
1 minute ago, GaryRK said:

I've posted two images of the details of the executable that I downloaded. I didn't attempt to install them, I asked if they were the fixed version. If it were me, if I couldn't deliver the fix using the normal download method, I would have pulled all download ability until the fixed version could be disseminated.

Finally the download version is 3803

Link to post

In the heat of the failure I couldn't even get to Task Manager until I re-booted after 3803 was available.  Subsequent "Check for Updates" got me 3804 and then that didn't work until after I uninstalled MWB and re-installed it again.  I'm not sure MWB will do anything about it with regards to time but they better offer a major mea culpa for creating a totally unnecessary train wreck.  I blew 6 hours today on my two personal computers and I can't imagine the hell you folks with big networks of computers went through.

 

Link to post
5 minutes ago, 1776blues said:

I haven't tried this and it may or may not be in this thread.

https://blog.malwarebytes.com/malwarebytes-news/2018/01/important-web-blocking-ram-usage/

For our consumer solutions

Please follow the steps below on how to update to the latest database:

1. Open Malwarebytes
2. Turn OFF web protection by Clicking on “settings”, click to turn web protection OFF
3. Under Scan Status (right side), click next to “Updates” to have Malwarebytes download the latest database
4. Restart PC
(Note it may take up to 2 restarts after the update to stabilize the system)

To confirm that you are on the latest database please follow the steps below:

1. Open Malwarebytes
2. Click on Settings
3. Click on the About tab
4. Next to “Update package version” if you see version 1.0.3803 or higher you are on the latest database which addresses the issue.

If the above doesn’t resolve the issue, please reach out to support at support@malwarebytes.com.

For our business solutions

Please follow the appropriate steps below to update to the latest database:

Malwarebytes Endpoint Security (On-premises)

First step to get the update is to disable the real-time protection. To do this in the Management console:

1. Open up the policy the clients are on and go to the protection tab.
2. From here, disable the ‘enable protection module’ option.
3. Once this is done click OK. When your clients check in they will get this new policy update.
4. Once real-time protection is disabled and your clients can communicate, highlight the endpoints on the client screen and click the update database button at the top.
5. After the update is applied, a reboot of the machine may be required.

Note: If your client cannot resolve internal addressing, then re-installing the agent manually on the machine will need to be done. The client will not be able to reach out to the server for a policy update and will never be able to turn off the real-time protection.

Malwarebytes Endpoint Protection (Cloud)

1. From the Malwarebytes Cloud console, go to the endpoints pane and select all the endpoints.
2. In the action drop-down, choose the ‘check for protection updates’ option to force an update on all endpoints to database update 1.0.3803.

This should fix the problem for the vast majority of Endpoint Protection endpoints.

If endpoints are still affected after applying this, please reboot the machine.

If the remote agent is unable to reach out and get this update, then we must disable the web protection:

1. In the Malwarebytes Cloud console, Go to the settings> policies> and open up the policy the clients are on.
2. From here, go to the endpoint protection policy and turn off the “Web Protection” portion of the policy. Then:

a. If the machine is unresponsive, reboot the machine and log in.

b. Once in, right click on the tray icon and start a scan. This will force a database update and fix the issue.

c. Once updated, cancel the scan and reboot the machine.

3. When the computers are all online and updated, please turn back on the web protection again in the Endpoint Policy.

If the above doesn’t resolve the issue, please reach out to support at corporate-support@malwarebytes.com

The root cause of the issue was a malformed protection update that the client couldn’t process correctly. We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again.

Getting your computer or business back up and running is our utmost priority, as is rebuilding your trust.

Trust is difficult and slow to build, but easy to lose. It will take a lot of time and remorse on the part of MWB and actions such as extended subscription time. Obvious opening for a hungry competitor.

Link to post
49 minutes ago, 1776blues said:

Can the New Member BOTS stop posting how MB did a fantastic job? And yes, they are because most are 1 post ponies!!!!!

Most (myself included) are 1-post ponies because they had occasion until today to make their 1st post. I uninstalled MWB around 12 noon, but haven't yet attempted to reinstall. I posted earlier about a suspicious file Hit Man Pro found on my computer, to-wit: MpKsl2ca1aaf4. Nobody seems to have responded to the earlier post so my observation may be of no consequence. I am re-posting the report summary here, in the event that it may prove to be relevant at a later time. I find it interesting that this file was detected by Hit Man Pro simultaneous to the Malwarebytes fiasco.

"Hit Man Pro recorded an instance of a suspicious file that showed up this morning on my computer at 0916 hours. I think this is about the same time Malwarebytes started wreaking havoc on my laptop. The file is pointing to a Windows Defender definition update. It would seem that the two may be possibly related, but I don't really know.

C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{71F49DBD-AC01-4AAC-B851-A7A1EE5E10A2}\MpKsl2ca1aaf4.sys
      Size . . . . . . . : 58,120 bytes
      Age  . . . . . . . : 0.1 days (2018-01-27 09:16:37)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : F6DB64112CC50EEE495E2D7C61B8BDBE757A31B03144B0396615FD38C312824E
      Product  . . . . . : Microsoft Malware Protection
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : KSLDriver
      Version  . . . . . : 1.2.1009.0
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Service  . . . . . : MpKsl2ca1aaf4
      LanguageID . . . . : 1033
      Fuzzy  . . . . . . : 47.0
         The file is hidden from Windows API. This is typical for malware.
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         Starts automatically as a service during system bootup.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\MpKsl2ca1aaf4\

Link to post
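
The following is an added example, not part of any post in this thread: a PowerShell triage of the driver named in the HitmanPro report above, checking its on-disk hash, its Authenticode signature and its service registration. The path, service name and SHA-256 are copied from that report; the script assumes an elevated prompt on the affected machine and handles the file no longer being present.

```powershell
# Added triage example (not from the thread). Values below are copied from the
# HitmanPro report; run from an elevated PowerShell prompt on the same machine.
$driverPath   = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{71F49DBD-AC01-4AAC-B851-A7A1EE5E10A2}\MpKsl2ca1aaf4.sys'
$reportedHash = 'F6DB64112CC50EEE495E2D7C61B8BDBE757A31B03144B0396615FD38C312824E'
$serviceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpKsl2ca1aaf4'

$result = [ordered]@{ FileExists = Test-Path -LiteralPath $driverPath }

if ($result.FileExists) {
    # 1. Does the file on disk still match what the scanner hashed?
    $hash = Get-FileHash -LiteralPath $driverPath -Algorithm SHA256
    $result.HashMatchesReport = ($hash.Hash -eq $reportedHash)

    # 2. Is the Authenticode signature valid, and who signed it?
    #    The report's "Publisher" line comes from version metadata, which any
    #    file can claim; the signature is what is cryptographically verified.
    $sig = Get-AuthenticodeSignature -LiteralPath $driverPath
    $result.SignatureStatus = $sig.Status
    $result.SignerSubject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

# 3. How is the service from the report's "Startup" entry registered?
$result.ServiceKeyPresent = Test-Path -LiteralPath $serviceKey
if ($result.ServiceKeyPresent) {
    $svc = Get-ItemProperty -LiteralPath $serviceKey
    $result.ServiceImagePath = $svc.ImagePath
    $result.ServiceStart     = $svc.Start   # 0=boot 1=system 2=auto 3=demand 4=disabled
    $result.ServiceType      = $svc.Type    # 1 = kernel-mode driver
}

[pscustomobject]$result | Format-List
```

A `SignatureStatus` of `Valid` with a Microsoft signer subject, and an image path that matches the reported location, is what a genuine vendor driver would show; anything else warrants a closer look at the file.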
12 minutes ago, GaryRK said:

I've posted two images of the details of the executable that I downloaded. I didn't attempt to install them, I asked if they were the fixed version. If it were me, if I couldn't deliver the fix using the normal download method, I would have pulled all download ability until the fixed version could be disseminated.

Ah, I see. Well if you have an older version of the MB installer on your computer then you might be better off using that instead of the one up on the main site.

I was able to get MB working by using the Malwarebytes Cleanup Utility to remove the entire program before reinstalling. You can find it here https://support.malwarebytes.com/docs/DOC-1112 or by going to the main site -> Support -> Home -> Uninstall / Reinstall -> How-To: Use the Malwarebytes Clean Uninstall Tool and downloading the tool from there.

The installation file they have on the main site didn't work for me. It restarted the computer and did absolutely nothing else as far as I can tell. I still have an older installation file on my computer which worked and I was able to successfully update to version 1.0.3804

If you don't have an older version of the installer, it might be better to wait until they update the one available on the site? Your call...

Edit: They appear to have updated the installer available on main site.

Edited by WatchingtheTaskManager
Link to post
1 hour ago, GavinP said:

OK, looks like the patch has come through so I'm able to access the internet with my machine (and MB is back in my tray)

All's well that ends well I guess... But this has given me like six hours of stress and worry. 

Will think long and hard about uninstalling MB from my machine - I renewed my yearly subscription exactly one month ago - How do I stand about getting my money back for the remaining 11 months if I uninstall?

Glad you got it going. After a screw-up of this magnitude, I would venture MBAM won't have another hiccup soon. Guessing Volkswagen won't be messing with emissions systems anytime soon. Back in '86 after the shuttle explosion, I said "the safest launch ever will be the next one".   They did have an issue with re-entry about 18 years later. Still...  

Edited by TerryH
Link to post

Interestingly enough for mine to report "okay" with both web protection and real time protection working I HAD TO use MBam's cleaner twice... I used it, followed everything except the 'download and re-install' the first time, said 'no'. Used the cleaner again, confirmed folders were mostly empty (leaves behind some files) and then followed through to the 'download and reinstall', YES... did one scan and both protections are working again. Whatever happened to 'in-house testing'?? Glad it is fixed.... thank you for the efforts on getting this fixed!

Link to post

Any enterprise folks try applying a GPO to disable Malwarebytes at startup?

In theory, if a machine is hard rebooted, it would take the new GPO before Malwarebytes can start up. This would enable users to actually log on to the domain, which they can't do right now...

We're essentially trying to avoid 1000 local admin logins and manual uninstalls.

Link to post
1 minute ago, RoamingDoc said:

Interestingly enough for mine to report "okay" with both web protection and real time protection working I HAD TO use MBam's cleaner twice... I used it, followed everything except the 'download and re-install' the first time, said 'no'. Used the cleaner again, confirmed folders were mostly empty (leaves behind some files) and then followed through to the 'download and reinstall', YES... did one scan and both protections are working again. Whatever happened to 'in-house testing'?? Glad it is fixed.... thank you for the efforts on getting this fixed!

".. thank you for the efforts on getting this fixed!" Really???? They deserve no thanks for getting it fixed. What are they going to do? Not fix it? Never should have happened in the first place. Still waiting for an email apology to users.

Link to post
5 minutes ago, and3rd said:

Most (myself included) are 1-post ponies because they had occasion until today to make their 1st post. I uninstalled MWB around 12 noon, but haven't yet attempted to reinstall. I posted earlier about a suspicious file Hit Man Pro found on my computer, to-wit: MpKsl2ca1aaf4. Nobody seems to have responded to the earlier post so my observation may be of no consequence. I am re-posting the report summary here, in the event that it may prove to be relevant at a later time. I find it interesting that this file was detected by Hit Man Pro simultaneous to the Malwarebytes fiasco.

"Hit Man Pro recorded an instance of a suspicious file that showed up this morning on my computer at 0916 hours. I think this is about the same time Malwarebytes started wreaking havoc on my laptop. The file is pointing to a Windows Defender definition update. It would seem that the two may be possibly related, but I don't really know.

C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{71F49DBD-AC01-4AAC-B851-A7A1EE5E10A2}\MpKsl2ca1aaf4.sys
      Size . . . . . . . : 58,120 bytes
      Age  . . . . . . . : 0.1 days (2018-01-27 09:16:37)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : F6DB64112CC50EEE495E2D7C61B8BDBE757A31B03144B0396615FD38C312824E
      Product  . . . . . : Microsoft Malware Protection
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : KSLDriver
      Version  . . . . . : 1.2.1009.0
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      Service  . . . . . : MpKsl2ca1aaf4
      LanguageID . . . . : 1033
      Fuzzy  . . . . . . : 47.0
         The file is hidden from Windows API. This is typical for malware.
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         Starts automatically as a service during system bootup.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup
         HKLM\SYSTEM\CurrentControlSet\Services\MpKsl2ca1aaf4\

I saw your post earlier, I was referring to those who claimed that the fix worked and MB did a great job. I didn't mean to single out others with one post.

Link to post
1 hour ago, Pooch said:

Updated and rebooted like mentioned, web protection keeps turning off and still memory usage is hitting over 90%. Can't do much because programs keep crashing due to no memory left.

Think I'll turn it off till further notice. <_<

I would reboot a couple more times and see if it fixes itself. 

Link to post

My Dell desktop has recuperated from this fiasco and is running fine. I have a laptop Windows 7 which I did a Malwarebytes scan on it because I thought I might have to use it. After my desktop was running I found out about the problem. Now when I try to get in my Malwarebytes account to update on the laptop it says it won't connect to the server. Do I need to uninstall it and then install again?

Link to post

After I noticed the problem and could not shut down Malwarebytes no matter what I tried, I completely uninstalled the software.
Reading through all the posts here I then downloaded the software from the mainpage, installed it, updated it and put my product key in and everything is working fine now.

I'm not happy with what happened here but thankfully I noticed it early enough so that my PC did not get damaged.
Please don't let this happen again!!

Link to post
57 minutes ago, Starcad said:

I wish I could start my laptop.  When I do, I can't even force stop Malwarebytes.  Will not allow me to access anything.  The computer shuts down after about 30 seconds.  Windows Surface running Windows 10

reboot to safe mode, uninstall MBAM

Link to post
3 minutes ago, 1776blues said:

I saw your post earlier, I was referring to those who claimed that the fix worked and MB did a great job. I didn't mean to single out others with one post.

Roger that. I made the post in response to another poster that made reference to unusual Windows Defender behavior on his computer after the MWB event. I will try to reinstall later tonight after they have more time to validate the fix.

Link to post
This topic is now closed to further replies.