Jump to content

MBAM takes long time to display when invoked


Recommended Posts

Not sure what you mean by profiles. If you are equating users to profiles, no, there are few users on the server. One of the servers is a database server so there are 9 defined users within the Users folder. On the web server, there are 7 defined users within the User folder. In both cases there are 3 log-able users, the rest are users created by the system or services.

When I ran the older version of MBAM on Windows 2012 R2, it had similar users defined and it never took that long to display.

If it is doing what you suggest it may be doing, this is extremely poor UI design as the app appears to be loaded yet it is not providing any tactile response to the user that it is loaded. In fact, the first time I tried opening MBAM on the servers the other day, I wasn't aware of the issue and in the end, I started 4 copies of MBAM. Come on, this is a no brainer, you display a splash window to indicate you are alive and some status indicator you are hard at work in the salt mine.

 

Link to post
Share on other sites

What version of Malwarebytes are you running? Can you run the support tool listed below so we can try to get some information about what's going on? Thanks!

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and then click the link for Advanced Options
  3. Click Gather Logs on the page that comes up, and then reply with the zip file that's created on your desktop named mbst-grab-results.zip
    1. You can private message the logs to me or Dyllon if you don't want to post them publicly
Link to post
Share on other sites

The profile folders in C:\users are not important. It is the system and local profiles in HKU and the domain profiles in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Every profile listed in these locations will be enumerated on disk prior to the GUI opening as the engine loads. If this server happens to be a VM, you will also be at the mercy of your storage latency for this process.

This process can also be made worse by other security programs watching us as we do this enumeration, adding time by inspecting each file we create and touch. If you have not yet set up exclusions of our processes to be ignored in the other security software you have, I would make sure to do that. Even for MSE, Defender, MCEP solutions. MBMC Managed and Unmanaged file/folder locations are here in this KB - https://support.malwarebytes.com/docs/DOC-1236

While 2 minutes to start is on the higher end, Anti-Malware 1.x is no speed demon, 10 to 60 seconds is in the realm of normal (depending on profile #). The test VM I used, which has 3 system accounts, 1 local account and 5 domain accounts, 9 total, loads within an average of 15 seconds over ten timed openings.

You can watch the behavior I am talking about by opening this folder - C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware, leave it open while you try to start MBAM's GUI. You'll see what I am talking about. Here's a capture from mine...

2018-05-15_17-17-41.thumb.gif.b9c8ddf06454c539e6669686767d0114.gif

Edited by djacobson
Link to post
Share on other sites

Dyllon,

On the web server VM there are six user profiles and on the DB VM 15 user profiles. I just timed the DB load of MBAM and it was 3:40 to load. Unloading is just as slow at about 2 minutes.

I don't know if a second copy of mbam.exe is supposed to be loaded and in the initial logged in state, there is already a copy of mbam.exe listed in the processes.

Even so, based on your description, once the app is loaded, it should display a splash screen so the user knows it is up and running. That has been in the MS UI guidelines forever. Why? Simply because windows 3.1 didn't load apps very quickly and it was one way to indicate to the user something was happening.

Attached are the log files.

 

mbst-grab-results-web.zip

mbst-grab-results-db.zip

Link to post
Share on other sites

The second copy of mbam.exe could be a scan that is running, it handles that and the interface. There's something else going on here, this performance problem you are having doesn't look like it's MBAM's fault, it looks like there's a conflict or the run-time is broken. Are either of the servers, from which you captured those logs, in an RDS, Terminal or some other shared resource role? They are filled with VB6 related errors against the MBAM process, historically that points to a possible problem with the VB6 run-time install or MBAM's real-time against an RDS role, or some other role these servers are in.

 

You could try reinstalling VB6 runtime in the meantime:

https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-basic-6/visual-basic-6-support-policy

https://support.microsoft.com/en-us/help/957924/description-of-the-cumulative-update-rollup-for-the-visual-basic-6-0-s

 

Error: (05/17/2018 01:15:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 1.80.0.1, time stamp: 0x56ba3282
Faulting module name: MSVBVM60.DLL, version: 6.0.98.15, time stamp: 0x49b01fc3
Exception code: 0xc0000005
Fault offset: 0x000da280
Faulting process id: 0x1464
Faulting application start time: 0x01d3edf81bf9db62
Faulting application path: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
Faulting module path: C:\Windows\SYSTEM32\MSVBVM60.DLL

 

 

 

Edited by djacobson
Link to post
Share on other sites

Dyllon,

Thanks for the info. Before I go down this rabbit hole, can you shed some like to me on this? Should I see entries within the Apps & features for VB 6? Right now, I do not. I only see the VC++ runtime installations.

If I should, that would explain why you saw all those errors. It isn't installed and I am not sure if you should be installing if your package relies on it.

Link to post
Share on other sites

The VB6 needed is shipped with the MBAM installer but looks to be broken here in your case. The MSVB file is most likely in syswow64.

  1. Uninstall the Malwarebytes agent on the server
  2. Use this installer to repair the VB6  - https://www.microsoft.com/en-us/download/details.aspx?id=24417
  3. Restart
  4. Reinstall the Malwarebytes agent

Let me know if that helps the loading situation, if not, capture a new log set.

Thanks @codesmithery

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.