Jump to content
omegaminus

Kernel Memory Leak when Malwarebytes is installed

Recommended Posts

Hello, I'm experiencing a problem that appears to be identical to the one described in this discussion on Microsoft Technet.

The problem is that when Malwarebytes is installed, terminated processes leave memory unreleased, particularly in the Page Table.  This chews up a lot of memory over time if many processes are started and stopped.

I did not have the program listed as the culprit in the above discussion, so I used DriverView to see all of my installed drivers, started from what was most recently installed or updated and worked back, using RAMMap to see if closed processes remained in the table with memory unreleased.

Malwarebytes seems to be the culprit.  When it is installed, closed processes do not disappear after refreshing the Processes tab in RAMMap, while after uninstalling it, they do disappear.

I was using 3.4.5 when I found the problem, and I get the same problem after updating to 3.5.1.

I'm using a fully-updated Windows 10.

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
    welcome mbst.png
  • Click the Gather Logs button
    gatherlogs.png
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Click "Reveal Hidden Contents" below for details on how to attach a file:
    Spoiler

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    _mb_attach.jpg.a0465aaafd6cae688aa38ab16

     

    After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

    _mb_follow.jpg.7868cc281f66ac22e919c2c48

    _mb_follow_options.jpg.dcb79fc10aa35beb0

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

Can you provide reproduction steps? "terminating a process" can mean a few things, so knowing exact reproduction steps for this will help a lot. Thanks!

Share this post


Link to post
Share on other sites

Reproducing it is just a matter of installing Malwarebytes.  I've attached a number of images to illustrate the difference in system behaviour between having it installed and not having it installed.

What happens with Malwarebytes installed:

Picture 1: Process list view in RAMMap immediately after rebooting the machine.

Picture 2: Same view after starting notepad.exe.  It is using about 3MB of memory.

Picture 3: Same view after closing notepad by clicking the X in the upper-right of the window.  Notepad.exe remains in the list with 72k of memory usage.

 

What happens after uninstalling Malwarebytes:

Picture 4: Process list view in RAMMap immediately after rebooting the machine.  Note that all the entries for OAWrapper.exe from the first set of images are no longer there, and that also the scroll bar indicates that the complete process list is much shorter than it was with Malwarebytes installed.

Picture 5: Same view after starting notepad.exe. It is using about 3MB of memory, same as before.

Picture 6: Same view after closing notepad by clicking the X in the upper-right of the window.  Notepad.exe is no longer on the list.

 

LeakRAMMap1.PNG

LeakRAMMap2.PNG

LeakRAMMap3.PNG

LeakRAMMap4.PNG

LeakRAMMap5.PNG

LeakRAMMap6.PNG

Share this post


Link to post
Share on other sites

Thanks. It looks like RamMap has a bug with 1803 where it won't show any memory details so I'll have to spin up a VM on 1709 to test. I'll look into this in the coming week. Thanks for the detailed report

Share this post


Link to post
Share on other sites

Update: I've been able to reproduce and informed our engineers, thanks again. Of note, this is from the Ransomware Protection module. Unfortunately simply disabling it does not solve the problem, you have to reboot with the module disabled.

Update 2: This should be fixed in our upcoming standalone update to Anti-Ransomware, which means it should get pulled into our next MB3 release

Edited by dcollins

Share this post


Link to post
Share on other sites

Our latest Component Update 1.0.374 contains the fix for the issue reported by @omegaminus. It is being metered out as usual but you can also use the "Install Application Updates" button on the Settings > Application tab to download the latest. 

A reboot would be required after the Component Update to see the benefits of this fix.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.