
V3.4.5.2467, update 1.0.342 excessive scanning during VS2017 compiles



V3.4.5.2467, update 1.0.342, Update 1.0.5278

Every time I compile a program in VS2017 (Community Edition) I get a huge CPU-usage hit from MBAM. Watching Task Manager, I see MBAMService.exe jump from 0% to 8-20% every time I do a compile.

If I turn OFF ransomware detection, the effect is much less noticeable - maybe 1-2% for each compile.

I have devenv.exe (VS2017) excluded, as well as the entire source tree folder, but this doesn't seem to help.  I suspect MBAM is scanning processes spawned by devenv.exe, even though these processes are 'owned' by an excluded app.

Any hope for a fix for this?  I do a *lot* of compiles, mostly with very small changes to source files.  Having my PC slow down to a crawl for absolutely no reason is very frustrating.

TIA,

 

Frank

 


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

    Click "Reveal Hidden Contents" below for details on how to attach a file:

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Devin,

Well, that was a big fail; I didn't find 'Check for Application Updates', but I did find (and launched) the 'Install Application Updates' button.  This downloaded and offered to install a new update.  However, when I launched the installer and rebooted as required, MBAM didn't launch on reboot, and apparently didn't install either, as I can't find MBAM (or anything remotely similar) in the list of installed programs.

WTF?

Frank

PS:  I uploaded the zip file mbst-grab-results.zip, acquired from the previously installed version by running the support tool.


Devin,

Thanks for the quick reply; I dl'd and installed the latest version (3.5.1) and it seems to be running OK.  Thankfully, my license and customizations seem to have been preserved - whew! ;-).  I'll check on the performance issue for a while and update as necessary.

On a different subject: I checked the scan schedule, and I'm confused by the 'recurrence' entry. I want to do a threat scan every day at 2.15AM, forever.  However, there is no 'forever' recurrence option - only 1-60 days.  What am I missing here?

TIA,

Frank

 


OK, so I launched VS2017 with the latest MBAM version, and the CPU load from MBAM immediately went to 10, then 15, and then 24%.  After about 10-15 sec, the load went back to zero.  During this time, VS was loading a small project into the IDE.  Both the VS executable and the entire source folder have been excluded from MBAM, so I have no idea why MBAM was taking so much CPU time.

Then I did a simple compile, and watched MBAM usage hang around 1% for the duration of the compile, and then go back down to 0%.  This seems to be a significant improvement over my previous version, but I will keep an eye on it for a while.

Thanks for the help so far ;-).

Frank

 


Unfortunately exclusions in Malwarebytes don't function the way you might expect.  When something is excluded, it isn't actually ignored from scanning and monitoring completely, but instead is simply never detected as a threat or blocked from executing, so you'll still see activity in MBAMService.exe when loading excluded files and processes.

That said, the most likely culprit for the majority of the CPU usage is likely Ransomware Protection.  If you wish, you can check this by right-clicking on the Malwarebytes tray icon, clicking Ransomware Protection: On, and then clicking Yes to the User Account Control prompt to confirm; then try running the application again to see how the CPU usage in Malwarebytes is.


Wow - that's weird; why would a company deliberately ignore opportunities to skip unneeded tasks, especially when that policy is almost certain to cause user complaints?

 

void MopFloorIfNecessary(bIsNecessary)
{
     mop floor;
     mop floor;
     if(bIsNecessary)
     {
          do nothing;
     }
}

Frank


It has more to do with how scanning works than anything else I think, and goes back to the logic in the original Malwarebytes Anti-Malware engine which exists now as what is known as the Malware Protection component.  Since one of the things it checks to determine whether an object is malicious is the name of the object and the path where it is located (a very basic form of heuristics used for locating items that use a common installation pattern, particularly for things like PUPs as well as startup items), even if an item is ignored, Malwarebytes must first check to see what the item's name is and where it is located.  Any AV/AM app would do the same, and typically the checks would stop here if the item were excluded, however, in Malwarebytes it was decided that rather than taking that approach, it should instead simply refuse to detect the item as a threat (in other words, more like whitelisting than actually ignoring an item).  This also bleeds over into other modules.  For example, if an item is excluded from being detected as malware, it is still possible to not exclude it from being detected as ransomware.  
This is because the separate components of the engine perform their own analysis tasks to determine if an item is malicious, with Ransomware Protection being based mostly on behavior post-execution, but with Malware Protection being based mostly on the signatures in the database which analyze everything from an object's name, to its location as well as its contents (along with several other items I cannot discuss publicly since it is proprietary, which I am sure you can understand), though the vast majority of that analysis is performed pre-execution as the process attempts to enter memory, but prior to it being allowed to do so (this is why we say that Malwarebytes is an on-execution detection protection app, not an on-access detection app like the vast majority of AVs which scan objects as they are downloaded or accessed, not just when they are mapped to memory for execution).

It could simply be that the way that they have implemented exclusions for the Ransomware Protection component is not functioning correctly, but based on what I know of the Malware Protection component and how it works, I suspect that they simply chose to implement exclusions for the newer Ransomware Protection module in the same way as the Malware Protection module, meaning it's simply told not to detect an item as a threat, not to ignore it completely, which means Ransomware Protection will still very much be monitoring the item's activity while it is active in memory.

I could be wrong though, and you can test this by following my suggestion above regarding disabling that component temporarily to see how it behaves.

If you do, please let me know how it goes as I am curious about it, and I would also like to suggest to the Developers that they change this implementation if that proves to be the case, so that hopefully situations like this can be avoided in the future by altering how exclusions for Ransomware Protection are handled.


Yeah, you are probably right, and I am probably just bitching to be bitching.  In the end, I'm much more willing to put up with MBAM CPU drag than I am to endure the agony of recovering from a successful virus/ransomware attack.

I have turned Ransomware detection OFF before on a temporary basis, and noticed a significant decrease in CPU load.  However, even though I regularly make physical clones of all my hard drives as insurance against a successful ransomware attack, it's not something I want to experience - ever.  So, I'll keep it turned ON.


No problem, I can completely understand that as I tend to be on the paranoid side myself :)

Did you test with this latest build to verify that it was indeed Ransomware Protection causing the shorter duration spikes you were seeing?  I'd just like to know so that I can report to the Devs on it, because hopefully they can correct it if it is the cause.


I just tried launching VS2017 & loading a project with multiple source/header files, with and without Ransomware detection enabled.  Both cases showed 2-10% CPU loading during the launch, and 1-2% during a compile.  If anything, the CPU load was less with Ransomware enabled than with it disabled.

Frank

 


That's probably the Malware Protection component then, which makes sense given the fact that it shows the most usage during launch (i.e. as the new process(es)/thread(s) is/are being mapped to memory).  That's where the on-execution protection comes into play that I referred to.  At least the usage isn't too high and I assume (though please correct me if I am wrong) that it isn't really disruptive to your workflow.


On 5/28/2018 at 9:43 AM, paynterf said:

Every time I compile a program in VS2017 (Community Edition) I get a huge CPU-usage hit from MBAM. Watching Task manager, I see MBAMService.exe jump from 0% to 8-20% every time I do a compile....

Hi paynterf:

This could be completely unrelated, but the symptoms you described reminded me of a similar problem being discussed in the Norton forum about the MS .NET Framework Native Image Generator (NGEN).

See mickhardy's workaround posted in the Norton forum thread CPU Usage about 30% about a recent problem related to the .NET Framework NGEN v4.0.30319 and Visual Studio 2013.  He was able to solve the high CPU consumption by his Norton real-time protection (i.e., nortonsecurity.exe) on his Win 10 computer by disabling non-critical NGEN tasks scheduled in his Windows Task Scheduler.

From the MS .NET Framework support article NGEN.exe (Native Image Generator):

Quote

"The Native Image Generator (Ngen.exe) is a tool that improves the performance of managed applications. Ngen.exe creates native images, which are files containing compiled processor-specific machine code, and installs them into the native image cache on the local computer. The runtime can use native images from the cache instead of using the just-in-time (JIT) compiler to compile the original assembly."

The FRST Addition.txt diagnostic log bundled inside your mbst-grab-results.zip file shows that you have a Win 7 SP1 computer.  I believe the NGEN scheduled tasks mickhardy showed in his post are unique to Win 10 and I can't see any reference to NGEN.exe tasks in your Scheduled Tasks, but there are several references to C:\Windows\assembly\NativeImages_v2.0.50727_32\ and C:\Windows\assembly\NativeImages_v4.0.30319_32 in that log.   I wonder if your high CPU consumption by MBAMService.exe is actually being triggered by assembly compiling by the MS .NET Framework NGEN (which is supposed to improve the performance of .NET applications) rather than Visual Studio itself.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.8.0 * Norton Security Premium v22.14.0.54 * MB Premium v3.5.1.2522-1.0.365

Edited by lmacri
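
Added example, not part of any post in this thread: a PowerShell function that runs a build and samples CPU for MBAMService and the .NET native-image processes, so the Ransomware Protection on/off comparison and the NGEN hypothesis discussed above can be checked with numbers rather than by watching Task Manager. The function name, label and solution path are hypothetical; it assumes English performance-counter names and msbuild.exe on the PATH.

```powershell
function Measure-ProcessCpuDuring {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string[]]$ArgumentList,
        # mscorsvw is the .NET Runtime Optimization Service that drains the NGEN queue
        [string[]]$ProcessNames = @('MBAMService', 'mscorsvw', 'ngen'),
        [string]$Label = 'run'
    )
    # The Process counter reports percent of ONE core; divide by the logical
    # core count to get the figure Task Manager shows.
    $cores   = [Environment]::ProcessorCount
    $samples = New-Object System.Collections.Generic.List[object]
    $build   = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -PassThru -NoNewWindow

    while (-not $build.HasExited) {
        # One 1-second sample of every process. Processes that exit mid-sample
        # raise a non-terminating error, which is suppressed here.
        $set = Get-Counter '\Process(*)\% Processor Time' -SampleInterval 1 -ErrorAction SilentlyContinue
        if (-not $set) { continue }
        # Fold duplicate instances (name, name#1, ...) into one value per tick
        $set.CounterSamples |
            Where-Object { $ProcessNames -contains ($_.InstanceName -replace '#\d+$') } |
            Group-Object { $_.InstanceName -replace '#\d+$' } |
            ForEach-Object {
                $pct = ($_.Group | Measure-Object CookedValue -Sum).Sum / $cores
                $samples.Add([pscustomobject]@{ Name = $_.Name; Pct = $pct })
            }
    }

    # Average and peak per process, over the ticks in which it was running
    $samples | Group-Object Name | ForEach-Object {
        $m = $_.Group | Measure-Object Pct -Average -Maximum
        [pscustomobject]@{
            Label   = $Label
            Process = $_.Name
            Samples = $m.Count
            AvgPct  = [math]::Round($m.Average, 1)
            PeakPct = [math]::Round($m.Maximum, 1)
        }
    }
}

# Hypothetical solution path. Run once with Ransomware Protection on and once
# with it off, changing -Label, then compare the two result tables.
Measure-ProcessCpuDuring -FilePath 'msbuild.exe' `
    -ArgumentList '.\Example.sln', '/t:Rebuild', '/v:quiet' -Label 'ransomware-on'
```

If MBAMService stays high in both runs while mscorsvw and ngen report no samples, native-image generation is not what is triggering the scanning during the build.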