King_Of_The_Castle

Tray icon causing high CPU usage


1 minute ago, King_Of_The_Castle said:

Revisiting this issue as we started having 100% CPU usage issues again on our terminal servers. Maybe an update brought the issue back?

I have a number of endpoints that have begun using 100% CPU usage again over the last week. I didn't receive any notification that an update was being pushed so I don't think there have been any new updates?

They did email us and specifically say repeatedly that they would improve communications and stop pushing out updates that break endpoints.

If they have pushed out a bad update again, this might be the last straw for us.

1 minute ago, IT_Guy said:

I have a number of endpoints that have begun using 100% CPU usage again over the last week. I didn't receive any notification that an update was being pushed so I don't think there have been any new updates?

They did email us and specifically say repeatedly that they would improve communications and stop pushing out updates that break endpoints.

If they have pushed out a bad update again, this might be the last straw for us.

Also I'm seeing near 100% RAM usage. Terminal servers create an "Endpoint Agent Tray" process for every connected user which uses 500-800MB of RAM on its own. Right now I'm creating a test policy with the agent tray icon disabled to see if this helps as a workaround. I'll update on the outcome.

Just now, King_Of_The_Castle said:

Also I'm seeing near 100% RAM usage. Terminal servers create an "Endpoint Agent Tray" process for every connected user which uses 500-800MB of RAM on its own. Right now I'm creating a test policy with the agent tray icon disabled to see if this helps as a workaround. I'll update on the outcome.

Yes, in addition to the high CPU usage I'm also seeing almost 100% memory usage, with both Task Manager and Resource Monitor unable to locate where all the memory has gone. It says MWAB is using about 200MB but that's it. So if it is another memory leak, this time it doesn't even show that MWAB is leaking.


Yes, in addition to the high CPU usage I'm also seeing almost 100% memory usage, with both Task Manager and Resource Monitor unable to locate where all the memory has gone. It says MWAB is using about 200MB but that's it. So if it is another memory leak, this time it doesn't even show that MWAB is leaking.

I had a couple machines that were acting stupid last week.  MWAB showed around 200MB usage.  For giggles, I killed the process, and wham, PC acting just fine again.  Process started back up and I have not seen it again.

Edited by spnkzss

1 minute ago, King_Of_The_Castle said:

Alright, I can confirm the "No tray-icon" test policy worked as a workaround for the high RAM usage on the terminal servers.

Do you mean you turned off the option for endpoints to have the tray-icon and the high RAM usage went away?

 

1 minute ago, IT_Guy said:

Do you mean you turned off the option for endpoints to have the tray-icon and the high RAM usage went away?

 

Yep, as this was the main cause of the high RAM usage. Every tray icon process was taking up around 500-800MB of RAM.


Just for the tray icon!?!

Craziness, I'm going to turn that off right now, end users never perform their own scans anyway.

On 12/14/2017 at 7:28 PM, djacobson said:

Are you scanning with high priority set in policy? Are you including Rootkit scanning to every threat scan performed?

I'm running into this too with only one Win7 machine. Rootkit and Self Protection are disabled. It'll be fine for a week or two then kicks over into CPU consumption mode until I kill it and restart the processes.


Well... Looks like the "No-Tray Icon" policy helped just for a couple of days... the tray icon processes are back and grabbing more and more RAM by the day. If I let this keep up it will get to a point where every single process is taking over 1GB of RAM, thus slowing things for every user connected to the terminal server. I'm hoping this month's update helps but I don't want to keep my hopes too high...

 

MB-tray-issue.PNG


@King_Of_The_Castle

Could you get a dump of the mbamservice.exe for us to look at and upload it? 

Upload it to www.filemail.com since the dump may be large. 

 

Also- 

Could you run procmon on this machine for a few minutes and upload that log as well so we can see what's using resources?

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

Thanks, 

Vlad

1 minute ago, vbarytskyy said:

@King_Of_The_Castle

Could you get a dump of the mbamservice.exe for us to look at and upload it? 

Upload it to www.filemail.com since the dump may be large. 

 

Also- 

Could you run procmon on this machine for a few minutes and upload that log as well so we can see what's using resources?

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

Thanks, 

Vlad

Hi @vbarytskyy. How can I obtain dumps from both mbamservice.exe and procmon?

Thanks.


@King_Of_The_Castle

For mbamservice.exe dump (may be labeled as "Malwarebytes Service" as well)--

  1. Locate the process in Task Manager, right click and select "Create Dump File"
    1. Process may take a few minutes to generate the dump
  2. Note the location of the dump file in the dialog popup, copy the dump out of that location and zip it
  3. Upload the dump

For procmon

  1. Get procmon from this link
  2. Extract the contents and run it as administrator 
  3. Agree to EULA > Capturing of all events will start automatically
  4. Let run for a few minutes (3-5min should be enough)
  5. Hit "CTRL+E" to stop capturing and then "CTRL+S" to save the log
  6. Select "All Events" under "Events to save:"
  7. Note the "Path" where the log will be saved or change it to an easy to access location > Hit OK
  8. Zip up the log and upload to us for analysis

 

Thank you for taking the time to get us this information

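A scripted version of the dump and Procmon capture described in the post above, for cases where the problem only shows up intermittently (an added example, not part of the original thread and not vendor code). It assumes procdump.exe and procmon.exe have been extracted to the hypothetical folder C:\Tools\Sysinternals, an elevated PowerShell session, and illustrative thresholds and output paths.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# Assumed: Sysinternals tools in $ToolDir; thresholds and paths are illustrative.
param(
    [string]$ProcessName    = 'mbamservice',
    [string]$ToolDir        = 'C:\Tools\Sysinternals',  # hypothetical location
    [string]$OutDir         = 'C:\Temp\mbam-diag',      # hypothetical location
    [int]   $CpuThreshold   = 10,   # % of total CPU that counts as "busy" (assumed)
    [int]   $SustainSamples = 6,    # consecutive 5-second samples over threshold
    [int]   $TraceSeconds   = 240   # the thread suggests 3-5 minutes of Procmon
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cores   = [Environment]::ProcessorCount
$counter = "\Process($ProcessName)\% Processor Time"
$hits    = 0

# Wait until the process stays above the threshold, so a short spike is ignored.
while ($hits -lt $SustainSamples) {
    $s = (Get-Counter -Counter $counter -SampleInterval 5 -ErrorAction SilentlyContinue).CounterSamples
    # The counter is relative to one core; divide by core count to match Task Manager.
    # If the process is not running yet, pause before polling again.
    $cpu  = if ($s) { [math]::Round($s[0].CookedValue / $cores, 1) } else { Start-Sleep -Seconds 5; 0 }
    $hits = if ($cpu -ge $CpuThreshold) { $hits + 1 } else { 0 }
    Write-Host ("{0:u}  {1}  CPU {2}%  ({3}/{4})" -f (Get-Date), $ProcessName, $cpu, $hits, $SustainSamples)
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$proc  = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$dmp   = Join-Path $OutDir "$ProcessName-$stamp.dmp"
$pml   = Join-Path $OutDir "procmon-$stamp.pml"

# Full memory dump, the scripted counterpart of Task Manager's "Create Dump File".
& (Join-Path $ToolDir 'procdump.exe') -accepteula -ma $proc.Id $dmp

# Procmon logs all events to a backing file for a fixed time, then exits on its own.
Start-Process -FilePath (Join-Path $ToolDir 'procmon.exe') -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`"", '/Runtime', "$TraceSeconds")

# Zip both artifacts for upload. Compress-Archive cannot handle files over 2 GB,
# so a very large dump needs another archiver.
$files = @($dmp, $pml) | Where-Object { Test-Path $_ }
Compress-Archive -Path $files -DestinationPath (Join-Path $OutDir "mbam-diag-$stamp.zip")
Write-Host "Saved diagnostics in $OutDir"
```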
20 hours ago, vbarytskyy said:

@The0retical

Are you seeing this issue on a virtual endpoint or is this a physical computer? 

Physical machine. The issue only seems to occur occasionally after a reboot.

I'll grab a dump next time it goes into consumption mode.


Any word on a fix for this?  Nice to finally find this forum.  Having exactly the same problem on a win 7 machine.  Approx once a week the computer slows right down taking 20 min to restart.  MBAMservice.exe using 13% CPU.  Nice to learn that killing the process works.

7 minutes ago, Jim90 said:

Any word on a fix for this?  Nice to finally find this forum.  Having exactly the same problem on a win 7 machine.  Approx once a week the computer slows right down taking 20 min to restart.  MBAMservice.exe using 13% CPU.  Nice to learn that killing the process works.

I still have widespread issues with this, still hard to tell which machines are updated properly so I'm manually checking each endpoint still.

 

Users have reported that browsing their computer and the network is impossible until they end process on mbam service, then everything is fine.


We are experiencing the exact same issue. 13% CPU on MBAMservice.exe. We've been going back and forth with MB for the last week. I was asked to create two profiles, one with Anti-Exploit disabled and one with Anti-Malware disabled. I've just split the 200 endpoints we are protecting between these groups to see if we can narrow down which MBEP module is causing this issue. 

On 3/8/2018 at 10:12 AM, vbarytskyy said:

@The0retical and @King_Of_The_Castle 

Thank you both

Finally had the problem present itself again today. It's hardly a top of the line machine, but it's isolated. Killing MBAMservice then restarting the service breaks it out of whatever is going on.

Here are the requested dump files.

https://drive.google.com/file/d/1IVPz6Jxzi_g5yIlkHSJ5Z6EfvGVyn5ux/view?usp=sharing

 


We've had 4 reports of slowdowns since splitting the office between two different profiles. Every occurrence so far has been in the group with Anti-Exploit disabled and Anti-Malware enabled. Seems to be an issue with the Anti-Malware component of Endpoint Protection....

Edited by AdamKski

