MBAM and problem with zombie processes

[Medwynd]

Using MBAM Premium 3.4.5

How did you encountered the issue and any steps to reproduce it

I noticed this problem about a month or so ago, my machine was running out of ram for some reason.  I then tracked this down to all these zombie processes still existing.  I then started removing anything that had been installed recently.  I then uninstalled MBAM and the issue went away.

I am also using ESet NOD32 Antivirus 11.1.54.0

Exclusions in ESet
E:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe
E:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
E:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
E:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
E:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
E:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mwac.sys
C:\Windows\System32\drivers\mbamswissarmy.sys
C:\Windows\System32\drivers\mbamchameleon.sys
C:\Windows\System32\drivers\farflt.sys
C:\Windows\System32\drivers\mbae64.sys
C:\Windows\System32\drivers\mbae.sys

Using RAMMap64 I see lots of zombie process, primarily cmd and reg, that eventually take up all my system ram.  If I set MBAM to not launch at windows startup this does not occur.

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download Malwarebytes Support Tool
• Once the file is downloaded, open your Downloads folder/location of the downloaded file
• Double-click mb-support-X.X.X.XXXX.exe to run the program
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a checkmark next to Accept License Agreement and click Next
• You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
• Click the Advanced Options link
  
• Click the Gather Logs button
  
• A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
• Upon completion, click OK
• A file named mbst-grab-results.zip will be saved to your Desktop
• Please attach the file in your next reply. Click "Reveal Hidden Contents" below for details on how to attach a file:
  Spoiler

  To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

  

   

  After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

  

  

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Medwynd]

mbst-grab-results.zip

[exile360]

The topic you linked to has nothing to do with RAM usage, performance or the real-time protection in Malwarebytes.  The user that posted about that was using the free, on-demand scan version of Malwarebytes and during the scan, Malwarebytes detected a threat and because it was accessing the file, it caused ESET to analyze the file as well and since ESET (as with most AVs) uses on-access detection, it detected and removed the file when this occurred.  This is very much a corner case and won't happen with the real-time protection components in Malwarebytes because they work very differently from the scan engine with regards to when and how they detect items.  The protection layers in Malwarebytes operate at different phases in the attack chain from the ones used by ESET and other AVs to detect threats, so either the attack will be blocked by Malwarebytes before ESET has the chance to see a threat, or ESET will detect and remove the threat if it gets passed those first layers of Malwarebytes protection, or the threat will get past both the first layers of Malwarebytes protection and ESET, then if the user tries to execute the malicious file in memory, Malwarebytes later phase malware protection component will trigger and detect and quarantine the file because it operates as an on-execution protection/detection component, unlike ESET which functions as an on-access protection/detection layer.

By the way, the exact same thing would have happened with any other scanner, or even if the user were performing some other task which caused that file to be accessed (like running a search of their drive's files, opening the folder and viewing the file in Windows Explorer or any number of other tasks/processes).  It would have even occurred if the user was running any of the free online virus scans which don't even install any full antivirus product on the system.  Any of these tasks would have caused the file to be accessed and thus would have caused ESET to see/analyze the file and detect it.

Edited May 5, 2018 by exile360

[Medwynd]

Just a bump for this.  This is still going on.

I recently updated to 3.5.1.2522 with components 1.0.365

Repro steps

1. Disable Web, Exploit, Malware, Ransomeware protection
2. Run RamMap
3. Run Firefox
4. Refresh RamMap and view the Firefox processes
5. Close Firefox
6. Refresh RamMap and view their are no Firefox processes
7. Turn on web protection
8. Run Firefox
9. Refresh RamMap and view the Firefox processes
10. Close Firefox
11. Refresh RamMap and view their still is a Firefox process left behind

 

 

[exile360]

A new component update for Malwarebytes has been released, version 1.0.374.  I don't know if this specific issue was addressed or not, but it's worth a try if you wish to give it a shot.  To install it, open Malwarebytes and navigate to Settings>Application and click on the Install Application Updates button and it should be silently downloaded and installed.  Once it has installed and you see the new build number reflected in the UI, I'd recommend restarting the system at least once to confirm that the new components get loaded into memory, then perform your test again to see if it makes any difference.

If you do try it, please let us know the results.

Thanks

[dcollins]

This specific issue is fixed in 1.0.374!