Selur

Not abiding / ignoring exclusions?

I used https://github.com/jb-alvarado/media-autobuild_suite to compile tons of tools. To avoid Malwarebytes interfering with the compilation, I added the folder the media-autobuild_suite is checked out to to my exclusion list. (I'm on a Win10 Pro, 32GB, Ryzen 7 X1800 system.)
A week or so ago I noticed that compilation takes ages to finish.
I also noticed the CPU handles shown in the Windows Task Manager for 'System' keep increasing over the course of the compilation and not going down, even after the script was finished. The memory allocation of the system got to 60% and stayed there, even after the script was closed. Malwarebytes was always running at 2-3% CPU usage while the script ran.

I checked my SSD, my memory, drivers, and en-/disabled Windows features; nothing changed until I disabled Malwarebytes.
After disabling Malwarebytes, compilation was as fast as before, memory usage stayed at ~25% (8GB) and the CPU handle count didn't increase either while running the script.

So my conclusion atm. is that Malwarebytes isn't respecting my exclusion.

Would be nice if someone could look into this, since I would prefer not to disable Malwarebytes whenever I compile stuff.

Thanks.

mb-check-results.zip

Edited by Selur
added mb-check-results


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

Your assessment is accurate.  The way that Malwarebytes excludes things isn't to completely ignore their existence, only to not detect them as threats.  This means that you'll still observe CPU and memory usage by Malwarebytes when an excluded file/process is active.  The only surefire way to eliminate this is to do as you did in terminating Malwarebytes completely via the Quit Malwarebytes option in the Malwarebytes tray context menu.

I'm not a great fan of this myself, but at this point at least this is the way that it works.  I have suggested that they implement exclusions in a more comprehensive fashion, since this obviously can lead to potential conflicts and/or performance issues not being eliminated by setting exclusions as they should be, however at least for now, this is how it functions as far as I know.


Problem is Malwarebytes is messing up somewhere, since it causes the 'System' process (ntoskrnl.exe) to keep tons of CPU handles and not release them.
After running the whole script I got 600 000+ CPU handles.

The 2-3% used by Malwarebytes doesn't really bother me, but those tons of CPU handles cause the system to really slow down a lot and cause the script to take nearly three days to complete fully. (Otherwise a full clean run is done in a few hours.)


It's most likely being caused by one of its drivers.  Most likely the Ransomware Protection component as that's the one that does most of the heavy process activity monitoring.  If you disable just that component do things improve at all?


By the way, you can probably use a tool such as Process Monitor by MS Sysinternals to determine where the RAM/CPU usage is coming from (or at least identify the thread(s)).


Did a small test and from the looks of it you are right: the problem is the Ransomware Protection. When keeping it disabled, the issue does not occur. Memory usage and CPU handles stay stable.

Thanks exile360.

@Malwarebytes: Please fix this.
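
The comparison made in this thread (handle count of the 'System' process with a protection component enabled versus disabled) can be recorded rather than watched in Task Manager. The PowerShell script below is an added example, not part of the original posts or any Malwarebytes tooling; the interval, sample count, output path and the thresholds in the final heuristic are assumptions.

```powershell
# Added example, not from the thread: sample the handle count of the
# 'System' process (PID 4) while a build runs, then summarize the trend.
param(
    [int]$IntervalSeconds = 30,                            # assumed sampling interval
    [int]$Samples         = 40,                            # assumed sample count
    [string]$OutFile      = "$env:TEMP\system-handles.csv" # hypothetical output path
)

$rows = @(for ($i = 0; $i -lt $Samples; $i++) {
    $sys = Get-Process -Id 4        # PID 4 is the 'System' process on Windows
    $row = [pscustomobject]@{
        Time          = Get-Date -Format 's'
        SystemHandles = $sys.HandleCount
    }
    Write-Host ("{0}  System handles: {1}" -f $row.Time, $row.SystemHandles)
    $row
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
})
$rows | Export-Csv -Path $OutFile -NoTypeInformation   # keep raw samples for later comparison

# Count how many consecutive samples went up versus down.
$up = 0; $down = 0
for ($i = 1; $i -lt $rows.Count; $i++) {
    $diff = $rows[$i].SystemHandles - $rows[$i - 1].SystemHandles
    if ($diff -gt 0) { $up++ } elseif ($diff -lt 0) { $down++ }
}

$first   = $rows[0].SystemHandles
$last    = $rows[-1].SystemHandles
$peak    = ($rows | Measure-Object -Property SystemHandles -Maximum).Maximum
$minutes = ($rows.Count - 1) * $IntervalSeconds / 60

[pscustomobject]@{
    FirstSample   = $first
    LastSample    = $last
    Peak          = $peak
    NetGrowth     = $last - $first
    GrowthPerMin  = if ($minutes -gt 0) { [math]::Round(($last - $first) / $minutes, 1) } else { 0 }
    RisingSteps   = $up
    FallingSteps  = $down
    # Heuristic only (assumed thresholds): ended within 5% of the peak
    # and at least 50% above the first sample, i.e. handles were not released.
    NeverReleased = ($last -ge 0.95 * $peak) -and ($last -gt 1.5 * $first)
}
```

Run it once with the component under suspicion enabled and once with it disabled, using a different `-OutFile` each time, and compare the two summaries and CSV files.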
