mavengroup

HELP! No Fix For Endpoint Protection (SAAS) Platform - Memory Issue

The "fix" for the memory issue has not resolved the issue with customers using Malwarebytes Endpoint Protection (Cloud SAAS Service).

I have done the process; stopped services, rebooted, etc. with no effect.  I have tried to push protection updates through a task through the control panel, also with no effect.

The Malwarebytes service still starts, spikes CPU and continues to gobble memory until the system becomes unstable.

I have been unable to reach anyone in business support and do not see any posts in reference to this product or how to remediate the issue for business users.

Just looking to get some clarity on how to resolve this on the 900 endpoints and servers that we have that are affected.

Thanks.


Same here. Nothing has worked.

We have given up using the cloud to fix it. A batch file seems to be the only way to fix it for us. But with 400 workstations? Well... it is not turning out to be a good weekend.

Here is what works for us.... (we are having to use psexec to push the batch file out to the workstations one at a time)

 

 

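@ECHO OFF
REM Run from an elevated prompt.
REM Disable the service so it cannot restart, then kill the running process.
sc config "MBAMService" start= disabled
taskkill /f /im MBAMService.exe
REM Delete the database files so fresh ones are downloaded on the next start.
del /q /f "%ALLUSERSPROFILE%\Malwarebytes\MBAMService\*.mbdb"
REM Re-enable both services and start them again.
sc config "MBAMService" start= auto
sc config "MBEndpointAgent" start= auto
net start MBEndpointAgent
net start MBAMService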

 

 


Hi ShaunB,

Thanks so much for this. I ran this on my own machine (as Admin) and it did not resolve for me. Let me know if you continue to have success with it.

I will report back anything I find out. 

Thanks!


Strange. Basically all it is doing is disabling the service, then killing the process, then deleting the db files in that directory... and then starting everything back up. I would confirm the directory is perhaps the same on your machine, and that it is successfully killing the service and removing those files. After about 10 minutes or so... the new database files are downloaded and all is good. Can always do one line at a time and step through it.

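The checks suggested above (confirm the directory, confirm the process is really killed, confirm the files are gone), as an added PowerShell example that is not part of the original posts and not Malwarebytes' own tooling. The service names and the `*.mbdb` location come from the batch file in this thread; the function name, its parameters and the timeout are assumptions.

```powershell
# Added example, not from the thread or from Malwarebytes. Run elevated on the endpoint.
# Service names and the *.mbdb pattern are taken from the batch file posted in the thread;
# the function name, parameters and timeout value are assumptions.
function Reset-MbamDatabase {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Default matches the posted batch file; pass e.g. 'C:\ProgramData' if it differs.
        [string]$DataRoot = $env:ALLUSERSPROFILE,
        [int]$KillTimeoutSec = 60
    )
    $dbDir  = Join-Path $DataRoot 'Malwarebytes\MBAMService'
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; DbDir = $dbDir; DirFound = $false
                          ProcessStopped = $false; FilesBefore = 0; FilesLeft = 0; ServicesRunning = $false }

    # Check 1: the directory used by the batch file actually exists on this machine.
    if (-not (Test-Path -LiteralPath $dbDir)) { return [pscustomobject]$result }
    $result.DirFound    = $true
    $result.FilesBefore = @(Get-ChildItem -LiteralPath $dbDir -Filter '*.mbdb' -File).Count
    $result.FilesLeft   = $result.FilesBefore

    if ($PSCmdlet.ShouldProcess($dbDir, 'Stop MBAMService and delete *.mbdb')) {
        # Disable first so the service cannot restart between the kill and the delete.
        Set-Service -Name 'MBAMService' -StartupType Disabled
        Stop-Process -Name 'MBAMService' -Force -ErrorAction SilentlyContinue
        # Check 2: wait until the process is really gone (slow on a pegged machine).
        $deadline = (Get-Date).AddSeconds($KillTimeoutSec)
        while ((Get-Process -Name 'MBAMService' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 2
        }
        $result.ProcessStopped = -not (Get-Process -Name 'MBAMService' -ErrorAction SilentlyContinue)

        # Only delete once nothing is holding the database files open.
        if ($result.ProcessStopped) {
            Get-ChildItem -LiteralPath $dbDir -Filter '*.mbdb' -File |
                Remove-Item -Force -ErrorAction SilentlyContinue
        }
        # Check 3: count what was left behind.
        $result.FilesLeft = @(Get-ChildItem -LiteralPath $dbDir -Filter '*.mbdb' -File).Count
        # Restore startup types and start both services even if a step failed,
        # so the endpoint is never left with protection disabled.
        Set-Service -Name 'MBAMService' -StartupType Automatic
        Set-Service -Name 'MBEndpointAgent' -StartupType Automatic
        Start-Service -Name 'MBEndpointAgent', 'MBAMService' -ErrorAction SilentlyContinue
        $result.ServicesRunning = -not (Get-Service -Name 'MBEndpointAgent', 'MBAMService' |
            Where-Object Status -ne 'Running')
    }
    [pscustomobject]$result
}
```

Calling `Reset-MbamDatabase -WhatIf` reports whether the directory exists and how many database files it holds without touching the services, which shows a path mismatch before anything is changed.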

Maven, again I want to apologize for this experience.

There are several options we can attempt to get the updated DB if the problems persist.

Disable the MB services as Admin user or otherwise quit the program.

Please reboot the machines into safe mode WITH networking to see if, with the real time disabled, we are able to receive the latest update.

As well, we would get the latest DB by uninstalling and reinstalling.

I understand the pain with this many machines; anything we can do to have them communicate without the services started would allow us to update.


If you are having this issue while running Malwarebytes Endpoint Protection follow these steps:

1. From the Cloud console, go to the endpoints pane and select all the endpoints.
2. In the action drop down, choose the 'check for protection updates' option to force an update on all endpoints to database update 1.0.3803. This should fix the problem for the vast majority of Cloud endpoints.

If endpoints are still affected after applying this, please reboot the machine.

If the remote agent is unable to reach out and get this update, then we must disable the web protection:

1. In the cloud console, go to Settings > Policies and open up the policy the clients are on.
2. From here, go to the endpoint protection policy and turn off the "Web Protection" portion of the policy. Then try this:
   a. If the machine is unresponsive, reboot the machine and log in.
   b. Once in, right click on the tray icon and start a scan. This will force a database update and fix the issue.
   c. Once updated, cancel the scan and reboot the machine.
3. When the computers are all online and updated, please turn the web protection back on in the Endpoint Policy.


This manual process does work, but keep in mind that I have 900 endpoints and this is not a viable solution for a corporate deployment.

We need a BAT or VBS to deploy by RMM that will run as a system user that will remediate the issue.  SHAUNB posting in this thread might have a good start (I think it may be the fix), but I want something from Malwarebytes (M Sherwood has stated that something might be in process) that I can run and deploy that MBAM verifies is the solution and will resolve the issue as well as not affect working machines.   Keep in mind this would be a mass deployment to 900 endpoints (some working and some not) covering a 3 state area.

Thanks again for the help.  

 


Hey KDawg, still not a solution.

So this would mean I am scripting an uninstall for 900 systems (which may or may not be on).  Then I am scripting an install for 900 systems.

This is a recipe for more issues than I have now (as many of these systems are non-responsive due to the current issue).

This would be the last resort.

I am going to play with ShaunB script and wait to hear back from business support and their plan.

I appreciate the help!

Edited by mavengroup


mavengroup - I found the problem... we are using a different path than default. Change %ALLUSERSPROFILE% to C:\ProgramData

Should work then

 

Cheers

57 minutes ago, ShaunB said:

mavengroup - I found the problem... we are using a different path than default. Change %ALLUSERSPROFILE% to C:\ProgramData

Should work then

 

Cheers

Maybe different software versions too. For us the files are "ren "%ALLUSERSPROFILE%\Malwarebytes\Malwarebytes' Anti-Malware\rules.new" rules.new.1.27.18". For us killing the mbabservice.exe and a hard reboot generally fixes it after 2-3 minutes on next boot. On troubled machines deleting the rules.new and rules.ref files seems to work.

No easy way to hit all of the machines that have the issue though...

Edited by jayt12


We profusely apologize for this issue.  If you're able to remotely run scripts, this may help to resolve the problem:

  1. Run "Before Reboot.bat" as admin 
    • This step can take a few minutes if the machine is pegged on resources
  2. The endpoint should automatically reboot
  3. When it comes back up run "Post Reboot.bat" as admin

Download link:  https://malwarebytes.box.com/s/xigyl22ba5pz721hfjqajn5n2r9ia7en


I need to verify clients have been updated? Where in the cloud console can I see the current database version? I cannot locate that for the life of me.


I have been trying to contact support in various ways with no success all morning. All I need is a simple answer to a simple question. I have a hard time believing that Malwarebytes support is not monitoring email and forums in real time after creating an issue of this magnitude, even though it is a Sunday. Please, I would like to get my clients up and running prior to the beginning of the workday Monday, and I don't seem to have a concrete way of telling which endpoints are affected, or perhaps simply offline for other reasons.


I found out on Saturday afternoon when my personal PC at home crapped out with mbam taking all the memory - that was V3 consumer edition, but at work we use the MBAM Cloud Endpoint Protection and I knew we had at least 20 PC's online at that time.

I VPN'd into work, and the first clue that all was not well was that the PC I was remoting into was not responding.

I drove in and sure enough all the PC's that were on, had either hung, were incredibly slow  or had blue screened.

I checked the memory usage on those that were still on and sure enough malwarebytes service had maxed out the memory.

After hours trying all the fixes I found in these forums with mixed success,  I resigned myself to fixing it the sure fire way - the good old uninstall/re-install

 

1. Hard reboot the PC

2. logon as Admin

3. quickly bring up task manager and stop the malwarebytes service (this is only temporary as it will restart itself and start gobbling memory at a rate of knots)

4. using windows program/features - uninstall malwarebytes - all of it - everything (all the while repeatedly stopping the malwarebytes service before it craps out the PC again)

4. eventually after doing a windows uninstall, I then did a further cleanup using the mb-clean-3.1.0.1031.exe (using both /cloud AND /managed syntax)

5. reboot

6. log back on and do a re-install of malwarebytes

7. wait 2-3 mins after install for it to completely settle down

8. from the cloud console, push an update command to the PC

9. on the PC check in C:\ProgramData\Malwarebytes\MBAMService\dbupdate.log for an entry that confirms a file definition/database has been pulled down and installed.

10. check in the cloud console that the push update command has been logged as successful

 

 

18 hours ago, wiggy said:

I found out on Saturday afternoon when my personal PC at home crapped out with mbam taking all the memory - that was V3 consumer edition, but at work we use the MBAM Cloud Endpoint Protection and I knew we had at least 20 PC's online at that time.

I VPN'd into work, and the first clue that all was not well was that the PC I was remoting into was not responding.

I drove in and sure enough all the PC's that were on, had either hung, were incredibly slow  or had blue screened.

I checked the memory usage on those that were still on and sure enough malwarebytes service had maxed out the memory.

After hours trying all the fixes I found in these forums with mixed success,  I resigned myself to fixing it the sure fire way - the good old uninstall/re-install

 

1. Hard reboot the PC

2. logon as Admin

3. quickly bring up task manager and stop the malwarebytes service (this is only temporary as it will restart itself and start gobbling memory at a rate of knots)

4. using windows program/features - uninstall malwarebytes - all of it - everything (all the while repeatedly stopping the malwarebytes service before it craps out the PC again)

4. eventually after doing a windows uninstall, I then did a further cleanup using the mb-clean-3.1.0.1031.exe (using both /cloud AND /managed syntax)

5. reboot

6. log back on and do a re-install of malwarebytes

7. wait 2-3 mins after install for it to completely settle down

8. from the cloud console, push an update command to the PC

9. on the PC check in C:\ProgramData\Malwarebytes\MBAMService\dbupdate.log for an entry that confirms a file definition/database has been pulled down and installed.

10. check in the cloud console that the push update command has been logged as successful

 

 

It's so quick and easy! Just like the fixes MalwareBytes suggests!

So far Malwarebytes has cost my company more time and resources just trying to keep this software limping along and not killing our workstations than the original problem that prompted the installation of this software.

I feel a better solution is just a proper backup and let the hackers run roughshod over the network, at least then I'm not paying for the pleasure of being told to go spend a couple hundred hours fixing the problem the solution has introduced.

3 minutes ago, IT_Guy said:

It's so quick and easy! Just like the fixes MalwareBytes suggests!

So far Malwarebytes has cost my company more time and resources just trying to keep this software limping along and not killing our workstations than the original problem that prompted the installation of this software.

I feel a better solution is just a proper backup and let the hackers run roughshod over the network, at least then I'm not paying for the pleasure of being told to go spend a couple hundred hours fixing the problem the solution has introduced.

tell me about it - 10/15min per PC x 20 PC's = 4-5hrs of my time plus the 3hrs on Saturday trying to work out what the heck was going on...

what gives me cold shivers is what if this had happened during a normal working day! - 100 PC's all offline, company at a standstill - Jesus I can't even think about it.....


I just want to put this all in perspective.   Perhaps I am the odd one out, but I want to just put this here - take it or leave it.

This sucks.  There is no other way to put it.  Really SUCKS.  (poor English, but that is the best word for it).

I manage about 900 computers in a 4 state area.  I noticed this issue on Saturday on my own computer and then spent the weekend figuring out what was going on and getting servers back up and running so Monday would not be a total loss.

This morning I am getting my A$$ kicked with tickets and support calls regarding the issue.  I am dealing with it and YES it is putting me behind on everything else.  Yes, my customers are pissed and do not understand why this happened.  Trying to turn lemons into lemonade. 

With that said, I have been doing this long enough to know (1990) that $hit happens.  While I cannot say that I am happy that it did, MBAM was on it and working it through the weekend.  They were pretty clear on what the issue was and seemed to be working hard to produce a fix.

Was the response perfect... no.
Was the communication perfect... no.
Do I think WHEN this happens again it will be better... yes.
Can I and do I expect it to be better... yes.

I have clicked the wrong button more than once in my career.  I am pleased that we have a partner that is at least willing to do their best, put it out there, help to resolve and work to be better.

Not sure we can ask for more than that from any of our partners (or ourselves).

I was a happy MBAM Endpoint Protection customer prior to this issue and am still (perhaps even more).

Thanks for letting me vent.


I'm guessing this is the first time this has happened to you with this software? This will be the 3rd or 4th "accidentally testing something in the production environment requiring endusers to reinstall everything" since October.

If this sort of thing is a severe risk to your career I would suggest using ANYTHING other than this software as it is NOT ready for public usage/deployment. Unless your users are understanding that they may occasionally not be able to use their computer for a day or two at a time. Luckily, if your system is infected while your protection modules are disabled while they try to work out what they screwed up, they will refund you up to 12 months of subscription fees! So your client may lose everything and your IT support company goes insolvent, but at least you'll get that sweet sweet refund money.

 

 
