RubbeR DuckY

IMPORTANT: Web Blocking / RAM Usage


Thanks for all the support you've offered here, Porthos, I think you've done a magnificent job.

I wasn't affected by this because I only run manual scans and I too will continue to maintain my current security setup which does not allow MBAM to run continually with automatic updates (or automatic quarantines). I prefer to run manual scans and to check the forum before each one to ensure that there are no current issues. I have another AV program running in the background and this combination seems to work for me.

I accept that MB will not have all the email addresses of their many users. Whether they should have as an integral part of MBAM's installation is something I feel MB should now consider as there is no doubt that a lot of the confusion and heartache in this incident could have been eased with prompt direct notification (preferably to an alternative device which could be part of the recommended practice on installation). It's not so much that people didn't know about this forum, or even that there was apparently no mention of the issue on the main website, rather it's that ordinary lay users would have had no reason to know or even suspect that the cause of their computer misbehaving was in any way connected with MBAM.

I'm sure there are a lot of lessons to be learnt from this episode, by both MB and its customers, whether the latter were directly affected by it or not. That in itself will be a positive outcome, even if the company and some users will end up having paid a significant price in getting there.

Edited by Tandor

21 hours ago, dcollins said:

It's very strange to hear about the hard drive issues. The main hard drive activity that this would've caused is for lots of Web Protection reports to show up in %ProgramData%\Malwarebytes\mbamservice\MwacDetections. But this happens normally anytime there is a block. The root symptom of this issue is that it used up too much RAM, which could have also triggered the pagefile to swap in and out, but Windows already does this at a pretty consistent clip as well. If anyone has some logs around the corruption or hard drive tests, I'd be curious to see them (you can message me directly if you'd like).

Sorry I don't have any data to show you but the issue started when I booted up and I used Task Manager (and very much later when it eventually managed to start) MS Process Explorer to confirm it was 100% disk usage and 100% RAM in both tools... the machine was effectively frozen and response to keys or starting apps (or to ctrl-alt-del) was about 5 or 10 minutes. Eventually went for a hard stop. My machine was running like this for about 20-30 minutes while I tried to work out what was happening but eventually, refresh rates on the monitoring apps were extremely poor, panic set in and I just decided to stop the machine.
If you can tell me where to look for appropriate logs I'll have a look and see if they are still there.
As with Davidtoo I started experiencing issues (different ones concerned with losing access to Win10 start menu and Notification and mail etc) and had to go to safe mode for a while to run some rudimentary AV and disk checks from PowerShell in admin. My research for a solution didn't focus on MBAM at all as I wasn't aware it was at the root of the issue - I tried running all the standard checks and got results that said I had disk corruption and CHKDSK just would not repair past 11%, and then I found on the MS site a comment that helped sort out my issues with accessing Win10 start and Action centre by editing a registry value
"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnUserService" Start from 2 to 4
Once there I started finding other elements damaged and personalisation data corrupted, so much so that I started trying to clear what appeared to be damaged personal files because I thought they could have been compromised during the event.
Anyway also like Davidtoo I have since found that I lost the Edge history (hence I can't link you to the page that gave me the regedit solution) and I've also found that all my regular system restore points taken before Saturday have been wiped or lost.

As a post script the aftermath seems to be rumbling on as various previously stable programs such as Libre Office and browsers are now crashing every day, I've run checks on the drive and since Windows auto recovery decided to kick in it says it is OK physically but I think I am going to have to reinstall Windows because there must be other issues causing the instability unless it really is the hardware. It's a pain as I have to go dig my old machine out and check I have laplink backed up, then go through getting the machine back the way I like it and pray nothing is missing.

I don't have the experience or background to get much further than I have but I believe my Dell is still covered by call out warranty so that may be a last resort if a reinstall doesn't sort it out.


For those mentioning hard drive issues, I would wager good money it's due to the Windows page file (for those less knowledgeable, Windows will use the hard disk when you run out of RAM). This can cause disk usage to go up as process memory increases.

By default this amount is managed by Windows. I override it and set a maximum, so my machine will crash instead (which I prefer over eating up my hard drive and making it run slower than molasses).

If you have an SSD, this can kill it (depends on usage, of course).

Edited by Phoenix84

5 hours ago, Phoenix84 said:

For those mentioning hard drive issues, I would wager good money it's due to the Windows page file (for those less knowledgeable, Windows will use the hard disk when you run out of RAM). This can cause disk usage to go up as process memory increases.

By default this amount is managed by Windows. I override it and set a maximum, so my machine will crash instead (which I prefer over eating up my hard drive and making it run slower than molasses).

If you have an SSD, this can kill it (depends on usage, of course).

I also have an SSD and was fortunate enough to have caught it in action... I immediately employed the 'emergency protocol' - physically pulled the plug off the router and managed to 'save' it.

Re: pagefile, I also manually set it while waiting for the storm to blow over... but now I set it back to automatic.

Just curious about your user experience on SSD - if you set the max yourself, don't you find the system often gets 'jittery' esp when it tries to load something faster or larger RAM?

Thanks :D


Just read the MalwarebytesFPPlan-EndpointProtection.pdf that was sent to techbench accounts.  Bravo for coming up with a clear plan to move forward from this.  I'm sticking with you!

21 minutes ago, HighCaliber said:

Just read the MalwarebytesFPPlan-EndpointProtection.pdf that was sent to techbench accounts.  Bravo for coming up with a clear plan to move forward from this.  I'm sticking with you!

Can't locate this document through a web search; is it available to mere mortals?


Still no email to users.   And now I hear there's a plan for the future.  Will I ever get to read it?  Was it emailed to some users?   Why has MWB still not reached out to its users?  There's probably some people who have no idea about the defective and then the subsequent update!


I find this INFURIATING!!!   "10:48 AM The update v1.0.3803 without the bad detection was posted":

OH, GREAT!!   10:48 a.m. on Saturday you fixed it and I didn't realize anything until Sunday night at 9 p.m.   THANK YOU SO MUCH!!!  And I didn't learn it was a MWB problem until Monday afternoon.   GREAT COMMUNICATION!!!      

I will spend this weekend in the house catching up on work I should have done last weekend.    WHY DID YOU NOT EMAIL USERS?  You have no email addresses?     If not for one friend who was helping me decide on which new computer to buy who wanted to see my dead computer Sunday night, I might have gone out Monday morning to Micro Center to buy a new desktop computer.  

Geez.

I have another corrective action:

Corrective Action

Based on the finding listed above, the following corrective actions will be taken:

 The system that performs the syntax checking of all Web Filtering heuristics will be expanded to reject entries that cover these wide IP ranges.

 The components within the Malwarebytes Web Filtering system that runs on customer computers will be changed to perform stronger checking of these entries – similar to the point above – and reject any that do not meet that criteria.

 Improve the facility within our publishing system that provides the ability for faster rollback of problematic detections. This will reduce the window of exposure, thus reducing the number of customers impacted.

 Add many more computers to our existing testing cluster to increase the scope of our coverage.

ADDITIONALLY, WE WILL INFORM ALL USERS IMMEDIATELY!!!!!   We won't hide it on the MB forum which many people never visit or know about.  We will use email!!

 

Edited by marge201
added a corrective action
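
The first two corrective actions quoted in the post above (rejecting entries that cover wide IP ranges, both at publishing time and again on the customer's computer) amount to a width check on every block-list entry. The sketch below is an added example, not Malwarebytes code and not part of the original post. The entry formats, the `MIN_PREFIX` limits and all function names are assumptions, and the sample update is constructed.

```python
import ipaddress

# Assumed policy (not from the thread): narrowest prefix length an entry may have.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample update, using documentation and private address space.
SAMPLE_UPDATE = [
    "203.0.113.7",              # single host
    "198.51.100.0/24",          # small network
    "192.0.2.10-192.0.2.20",    # short explicit range
    "10.0.0.0/8",               # far too wide
    "10.0.0.0-10.255.255.255",  # same width written as a range
    "10.0.0.1/8",               # host bits set: malformed CIDR
    "192.0.2.300",              # not an address
]

def entry_networks(entry):
    """Parse 'addr', 'addr/len' or 'first-last' into a list of networks."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))  # raises if reversed
    return [ipaddress.ip_network(entry, strict=True)]

def check_entry(entry):
    """Return (ok, reason) for one block-list entry."""
    try:
        nets = entry_networks(entry)
    except (ValueError, TypeError) as exc:
        return False, f"malformed: {exc}"
    limit = 2 ** (nets[0].max_prefixlen - MIN_PREFIX[nets[0].version])
    covered = sum(net.num_addresses for net in nets)
    if covered > limit:
        return False, f"too wide: covers {covered} addresses, limit {limit}"
    return True, "ok"

def filter_update(entries):
    """Split an update into accepted entries and (entry, reason) rejections."""
    accepted, rejected = [], []
    for entry in entries:
        ok, reason = check_entry(entry)
        if ok:
            accepted.append(entry)
        else:
            rejected.append((entry, reason))
    return accepted, rejected

if __name__ == "__main__":
    print(filter_update(SAMPLE_UPDATE))
```

Counting covered addresses instead of looking only at the prefix length means a wide block written as a start-end range is rejected the same way as its CIDR form.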


Is anyone else still having issues with some endpoints blocking websites?  We're completely up to date, but some of my endpoints can't browse the net unless I completely disable MB on their systems.

36 minutes ago, BrentB9193 said:

Is anyone else still having issues with some endpoints blocking websites?  We're completely up to date, but some of my endpoints can't browse the net unless I completely disable MB on their systems.

@AlexSmith

On 1/31/2018 at 6:24 PM, marge201 said:

You said that you found out about this mess on Saturday on your phone (an email, I thought, but maybe not) and then you say that a simple email should have included us, the users.  So did you find out about this Saturday?  I found out late Sunday night when I turned the computer on and saw that it's fine but not until Monday about the MWB problem.    How can MWB not have sent an email to users on Saturday??!!!

I thought I created a new member acc for this but when logged in I can see last I was here in 2012. I wrote please send me email about updates. 2016 and 2017 the way I have found out that there are product updates available is finding them posted on pirate sites. not lol.


We will be locking this thread as we're starting to see unrelated posts happening. If you're in need of assistance, please check out the following:

This topic is now closed to further replies.