Malwarebytes 3.4.4 Scans Running Hours


I now run Malwarebytes 3.4.4.2398, Component package version, 1.0.322, Update package version 1.0.4528.  This appears to be current.  It's running on Windows 7 Pro.

I run a daily threat scan.  When I first upgraded, around the beginning of March, a threat scan took under 10 minutes.  Within a day or so, it began taking around 30 minutes.  (True there's a lot of disk on this machine - the data drive is 2TB.)  On the 24th, the scan took an hour and a half, then dropped back briefly to under 30 minutes.  On the 27th, it took almost 5 hours.  Today, the 28th, the scan had been running for just over 7 hours when I cancelled it because the CPU usage was affecting the rest of the box.  This was the regularly scheduled scan.  What is going on here?  On my laptop with a 750GB drive, running the same version of Malwarebytes on the same O/S, scans rarely take more than an hour.  Why is this machine different?

 

 

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Greetings,

I've been tracking an issue with scan hangs/scan performance for some time now in MB3 and while my scans aren't taking that long (my faster/higher-end hardware config accelerates things quite a lot), I have been noticing a pattern of increasing and occasionally decreasing scan times with the biggest delays being during the memory scan phase where I notice long pauses during which the scan doesn't appear to be progressing at all for some time until it finally gets "unstuck" and proceeds with the remainder of the scan process.

I believe these issues are due to certain definitions being used in the database as I noticed for a while they had vanished and my scans were as fast as ever until sometime recently when, after a database update, the scans once again started to hang during that phase of the scan process.

Is this where your scans seem to be taking the longest as well and are you noticing periods during the memory phase of the scan where it appears to be hung up where the number of items scanned doesn't increase for long periods of time, or are you noticing the hangs elsewhere, or is it something else related to some other aspect of the scan?

Link to post
Share on other sites

Good, thanks for the info.  I definitely suspect it's related to changes in the databases, particularly since the same version of Malwarebytes 3 is being used and the only change in the software during that time would be the database.

There is a way to troubleshoot this, but it is rather tedious.  It requires using another piece of CPU/RAM/disk intensive software while the scan is running in order to create a (typically rather large) logfile.  If you're willing, I'm sure the Product team would find the data most helpful to them in diagnosing the performance issues in the scan engine:

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MB3 Log in the File name: box and click Save
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Open Malwarebytes and perform a scan.  Once it freezes, locks up, or hangs, let it run for a bit longer then terminate the scan
  • Close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply, or if it is too large, please upload it to WeTransfer and provide us with the link to the file

Link to post
Share on other sites

  • Root Admin

Might also want to get us a set of regular logs too. That seems like a very long time for a Threat Scan. If you were doing a custom scan with rootkit and archive enabled for all files I could understand a long time but Threat Scans should not be taking that long. 

 

Please download the Malwarebytes Support Tool to assist us in helping you further with your issue.

It is a multi-purpose troubleshooting and repair utility, designed to assist with issues related to Malwarebytes for Windows. Our goal with the Malwarebytes Support Tool is to provide a simple and stress-free approach to troubleshooting issues with Malwarebytes products.

** Download Malwarebytes Support Tool Here **
 

1. Please save the file where you can locate it.

2. Then close all browsers and locate the file you downloaded and double-click on it to install and run the program.

3. Place a checkmark on the "Accept License Agreement" checkbox and click the Next button.

4. Click on the "Advanced Options" link for Forum Support options

5. Click on the "Gather Logs" button

6. The program will run the FRST program in the background and gather some diagnostic logs and zip them up on your desktop as:  mbst-grab-results_zip

7. Close the Malwarebytes Support Tool and locate the file: mbst-grab-results_zip on your desktop and upload that as an attachment to your next reply.


For more information, please refer to the following links:

Malwarebytes Support Tool User Guide
Malwarebytes Support Tool FAQs
 

Thank you

 

 

 

Link to post
Share on other sites

  • Root Admin

 

THREAT SCAN

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/28/18
Scan Time: 8:59 PM
Log File: 97615a09-3305-11e8-bab6-00ff59e182ca.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4530
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: MBAM\AS

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302383
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 54 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

CUSTOM FULL SCAN

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/28/18
Scan Time: 9:02 PM
Log File: fc2600e2-3305-11e8-953a-00ff59e182ca.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4530
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: MBAM\AS

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 599244
Threats Detected: 0
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 31 min, 14 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0

(No malicious items detected)


(end)

Link to post
Share on other sites
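
For comparing runs like the two reports above, a short parser for this report layout makes scan duration and per-object throughput comparable across days and option sets. This is an added example, not part of the thread or of any Malwarebytes tool; the sample text is constructed from the key fields of the two reports, and since the page only shows the "M min, S sec" elapsed format, any other format is returned as None rather than guessed.

```python
import re

# Constructed sample: key fields copied from the two reports in the thread,
# trimmed to the lines this parser reads.
SAMPLE = """\
-Scan Summary-
Scan Type: Threat Scan
Objects Scanned: 302383
Time Elapsed: 0 min, 54 sec
-Scan Options-
Archives: Enabled
Rootkits: Disabled
(end)
-Scan Summary-
Scan Type: Custom Scan
Objects Scanned: 599244
Time Elapsed: 31 min, 14 sec
-Scan Options-
Archives: Enabled
Rootkits: Enabled
(end)
"""

FIELD = re.compile(r"^([A-Za-z ]+): (.+)$", re.MULTILINE)
ELAPSED = re.compile(r"^(\d+) min, (\d+) sec$")  # only format shown on the page


def elapsed_seconds(value):
    """Convert 'M min, S sec' to seconds; None if the format differs."""
    m = ELAPSED.match(value.strip())
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def parse_reports(text):
    """Split on the '(end)' marker and summarise each report."""
    rows = []
    for chunk in text.split("(end)"):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        if "Scan Type" not in fields:
            continue  # text after the last report, or a non-report chunk
        secs = elapsed_seconds(fields.get("Time Elapsed", ""))
        objects = int(fields["Objects Scanned"])
        rows.append({
            "type": fields["Scan Type"],
            "seconds": secs,
            "objects_per_sec": round(objects / secs) if secs else None,
            "rootkits": fields.get("Rootkits") == "Enabled",
            "archives": fields.get("Archives") == "Enabled",
        })
    return rows
```

Run over a folder of exported reports, a sudden drop in `objects_per_sec` for the same scan type and options points at the scan engine or database rather than at a change in what is being scanned.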

Wow, thanks for all the responses!  For the record, I'm traveling to visit family tomorrow and won't be able to work on this problem until next Tuesday, but I will certainly read all this and try it when I return.

As a matter of fact, I do have both rootkit and archive turned on.  I didn't realize that was an issue.  How common are rootkits, anyway?  I really don't know.

Link to post
Share on other sites

  • Root Admin

Not as common as they used to be, but rootkits are still out there. But not something one typically would need to scan for daily unless you were downloading and dealing with cracked software or other illegal activities.

There is one out called SmartService that is a bit time consuming to remove as it needs to be removed a special way.

Okay, let us know when you have time and post back some logs and we'll see what we can find.

Cheers

Ron

 

Link to post
Share on other sites

Just to add to what AdvancedSetup said above regarding rootkits, the only scan type you should be enabling rootkit scanning for is the Threat scan.  It is virtually pointless to include rootkit scanning when performing a full scan because only specific items, objects and locations can or typically would be used for rootkit activity anyway (this is by design based on how rootkits must work on a fundamental level because of the way Windows works and the nature of what rootkits actually are).  While it is true that a rootkit could be present on a secondary drive from another system (i.e. the Windows installation drive from another PC), any such rootkit on such a drive would be inactive and therefore actually wouldn't even be detected by the anti-rootkit component in Malwarebytes because it is the mechanisms that rootkits use to conceal themselves when active that trigger the anti-rootkit component to detect them (this is also why it's so effective, because much of what it does to detect rootkits is based on rootkit methods and behavior, not necessarily just the specific installation/structure of known rootkits).

As for archive scanning, the issue with that is primarily that if a piece of malware resides within an archive (such as a ZIP file, RAR file, 7Z file etc.) it is absolutely impossible for that piece of malware to be active in memory/on the system.  For any executable to be active on a system, it cannot be contained within an archive.  This means that any archive that contains a piece of malware must first be extracted and then executed/installed in order to actually infect the system.  This also gives you an advantage because whenever you download an archive file and are not certain as to how safe it might be, you can simply right-click scan it with Malwarebytes to check it for any infections.  I just tested this for myself.  I turned off archive scanning in Malwarebytes, placed a test infection (a file that Malwarebytes detects as a threat) within an archive, then right-clicked on the archive and scanned it with Malwarebytes.  Malwarebytes detected the file within the archive as a threat as it should even though archive scanning is disabled.  This may be due to a bug (perhaps archive scanning isn't turning off as it should), or, more likely, it scans within the archive anyway even though the setting is disabled because the archive was specifically selected for scanning.  Either way it means you can disable archive scanning for your Threat and Full scans but still use it easily to check any archives you might download or receive as email attachments etc. to check them for threats.

Personally, I actually leave all the scan options enabled (including rootkit scanning even though it's off by default), but I only ever perform Threat scans, never Custom/full scans and I only ever save any files I download from the net to a location that is among those checked by default in the Threat scan (the Downloads folder; the default location for saving downloaded files in modern Windows versions for IE and most other browsers).  I also rely on the fact that, because Malwarebytes always checks all active threads/processes in memory, even if a threat were active/installed in a location not checked by default by the Threat scan, it will still be detected because when it comes to checking those items, Malwarebytes disregards location and checks them anyway.

The biggest factor, for me at least, is that more than anything I rely on the active components in the real-time protection layers in Malwarebytes to protect me for the most part.  I really don't scan too often, and when I do, nothing is ever found (unless I'm performing testing with a file I know should be detected deliberately) and that's likely due to the fact that the real-time protection layers in Malwarebytes go far beyond traditional file signature detection and extend into behavior based, signature-less detection capabilities like the anti-exploit layer as well as proactive protection components like the web protection layer which blocks threats from known sources (i.e. malware friendly servers and hosting providers as well as known malware/exploit friendly ad networks that are known to serve up malvertisements and the like).

Link to post
Share on other sites

  • 2 weeks later...

I'm back from my family trip and now have time to work on this issue.  I attach the log collection gathered by the Support Tool, thanks for the link to that.  Per your very comprehensive advice I've also removed the archives from the scan configuration, but left the rootkit check in because I'm paranoid (which is probably why I have the cleanest computer you'll ever see).  I only ever run threat scans.

I learned some new things, reviewing my daily logs.  For no reason I can grok, the daily threat scan since March 28 (when I shut the scan down at 7 hours 9 minutes and opened this question) has taken anywhere from 18 minutes (on March 30) to 4 hours 48 minutes (on March 29).  After the 18 minute run, daily times increased slowly to 29 minutes (April 2), and then ran 4 hours 22 minutes (April 3), followed by 3 days where the run never exceeded 25 minutes.  This makes no sense to me, maybe it will to you.

mbst-grab-results.zip

Link to post
Share on other sites
