What is MBAMService.exe doing on my computer during the daytime??

[Dynszis]

Hi,

because of the hot summer, I installed more powerful (and noisier) fans in my computer. Since then I started to notice that my computer gets quite busy when I leave it alone for a while, with the fans howling very noticeably and annoying.

Closer inspection reveals that MBAMService.exe is the culprit, eating away some 14% CPU as soon as no-one is looking. Why does it do that, with no obvious task to do?  There are 12 hours to go before the next scheduled scan, and the updates are marked as "Current"?

 

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download Malwarebytes Support Tool
• Once the file is downloaded, open your Downloads folder/location of the downloaded file
• Double-click mb-support-X.X.X.XXXX.exe to run the program
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a checkmark next to Accept License Agreement and click Next
• You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
• Click the Advanced Options link
  
  
   
• Click the Gather Logs button
  
  
   
• A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
• Upon completion, click OK
• A file named mbst-grab-results.zip will be saved to your Desktop
• Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
  
     
  
  
  Click "Reveal Hidden Contents" below for details on how to attach a file:
   
  Spoiler

  To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

  
   

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Dynszis]

Here are the logs, in case the behavior isn't considered normal.

mb-check-results.zip

[dcollins]

That's our old, deprecated log collection tool. Can you grab the logs using the tool mentioned in the first reply above?

[Dynszis]

46 minutes ago, dcollins said:

That's our old, deprecated log collection tool. Can you grab the logs using the tool mentioned in the first reply above?

Oops. That's what I actually did, and I uploaded the only zip archive that I could find on my desktop.

However, for some reason your tool automatically saved the logs to the administrator's private desktop so they were invisible for everyone else.

This one below should be the one you want.

 

mbst-grab-results.zip

[dcollins]

Nothing really jumps out, so let's try this:

1. Open Malwarebytes and navigate to Settings -> Protection
2. Scroll down and turn off Self-Protection, then close Malwarebytes
3. Download and extract Procdump.zip
4. Right click on RUNME.BAT in the Procdump folder and choose Run as Administrator
5. Now wait for the CPU spike to happen
6. Once the spike happens, a .dmp file will be created in the Procdump folder
7. Please zip up the dmp file from step 6 and use wetransfer.com to generate a download link, then reply with the the download link

This will give us a memory dump of mbamservice when it's using more than 15% memory for 5 seconds.

[Dynszis]

Thank you for your support. I will post a memory dump after it has been generated.

[Dynszis]

Hello again. The memory dump is here. 

As you can see on the attached screenshot, the CPU usage is quite significant for specific cores, regardless of the value shown (it collapses as soon as you touch the mouse).

[dcollins]

Thanks for the memory dump, I'm looking this over now. Of note,I'm actually on vacation for the next week, so I've reached out to some other members to see if they can provide some support in my absence. They may have some different ideas to try. I will try to look at this memory dump while I'm away, but I may not get a chance until after the 5th of September. I apologize for any delays.

Can you also provide a new set of logs from the Malwarebytes Support Tool as well? I would like to line up the logs from the support tool from the time the memory dump happened (it already has timestamps) so we can see what was going on behind the scenes. Thanks!

Edited August 25, 2018 by dcollins

[exile360]

Greetings,

I was speaking with dcollins about your issue and had a couple of ideas.  First, I'm thinking that because of the way that Ransomware Protection in Malwarebytes functions, being a real-time monitor of system file and memory activities, it's likely that this is the component causing the CPU spikes so I'd suggest starting by disabling Ransomware Protection temporarily to test and see if that eliminates it.

Next, I have a hypothesis that there is some scheduled and/or idle tasks executing when the system is idle that are causing this behavior as Malwarebytes monitors them, thus consuming additional resources as this occurs so the next step would be to try and track down what this idle/scheduled task might be.  It could be something in Task Scheduler or a background scan, optimization or update process being performed by some other software or a native Windows component so you'll need to watch for any spikes in any other threads/processes/services to see.  It could even be something executed through a driver which would make it more difficult to track down as it would not be displayed in Task Manager, so using a more advanced diagnostic/logging tool such as Process Monitor and/or Process Explorer by MS Sysinternals might be necessary (though it's also possible that running either of these tools constantly might consume too many resources for the system to go into idle mode and the idle task to trigger/launch so it's not a bullet proof plan unfortunately).

Anyway, I hope this helps and please keep us updated on anything new that you find out and hopefully dcollins will have good news for us upon his return with info from the Devs on the memory dump's contents.

[Dynszis]

Thank you very much. The logs from one minute ago are attached.

mbst-grab-results.zip

[Tokala]

Did dcollins ever get back to you on this? I have been wondering about this problem myself for months now. Though using a program to twitch the mouse every so many minutes can help to prevent the system from being idle, though that is more of a 'put tape over the symptom' approach than anything.

[Dynszis]

4 hours ago, Tokala said:

Did dcollins ever get back to you on this?

Unfortunately not. It probably wouldn't make too much sense anyway, since there was a software update in the meantime.

[exile360]

That's true, version 3.6.1 has been released since then so things may have changed, however if there is a bug revealed by the memory dumps it could still reveal the cause to the Devs even if it is from the last version meaning a fix is still possible (again, assuming it is actually a bug and not the result of some other process running in the background on the system when it is idle).

In the meantime, if the CPU usage is really a problem I'd suggest trying disabling just the Ransomware Protection component to see if that makes any difference.  That particular module is less proactive than the others anyway and was designed to detect an already present ransomware infection based on file and process activity, so it is unlikely that disabling it would do much to reduce your level of protection (especially given the fact that the vast majority of ransomware infections use exploits to download/install themselves, and you'd still have the Exploit Protection component active which should stop most threats before they could ever get to the point of actually infecting your system and attempting to encrypt any files) and you'd still have all the other layers of protection active as well, including Web Protection, Malware Protection and the anomalous threat detection engine that uses advanced heuristics algorithms and cloud capabilities to detect new and unknown threats and suspicious files.

Edited October 6, 2018 by exile360