Scan speed irregularities

[C337Skymaster]

This may need to be forwarded to Malwarebytes' engineers, as there's nothing about it anywhere on the internet.

I'm currently running a virus scan after getting a disturbingly accurate spam email, conclusively proving that someone put a keylogger on my computer. At this moment, Malwarebytes has scanned 1,876,069 files, over the past 186:22:04 hours. The scan managed to complete the first 400,000 files in the first 5 or so hours, but was only up to 750,000 files by 23 hours. Currently, the scan is managing a little better than one file per second, scanning speed. If I pause the scanner for a while, when I resume, it goes back to the full 1000 files/second scanning speed, but only manages to maintain that for a few seconds, with the number of seconds dependent on how many minutes I paused the scanner.

I'm curious to know what causes the slowdown, and why the sudden boost in speed when a scan is unpaused. I wonder if this information would help Malwarebytes' engineers design a faster scan, or if this is simply a limitation of the hardware "caching" on my system's processor, etc.

My processor is currently only using about 16%, and my hard drive is seeing widely fluctuating usage (and that's with a lot of browser tabs open). I'm wondering why, since the scanner is set to use "maximum system resources", it slows down and leaves so many system resources unused.

Thanks for satisfying my curiosity. :)

[Porthos]

1 hour ago, C337Skymaster said:

after getting a disturbingly accurate spam email, conclusively proving that someone put a keylogger on my computer.

Let me address this. It is fake. I have had many in the last month.

Has a Hacker Really Hacked My Email Account? - Ask Leo!

I assume the scan you are running is a full custom scan. All you really need is a threat scan with rootkit scanning enabled. Anything else is really overkill.

Edited November 24, 2018 by Porthos

[C337Skymaster]

He had one of my passwords. Nothing else came of it, but since I don't tell my password to people, it got found out somehow.

[David H. Lipman]

This is purely a scam and they send those emails out en masse hoping one or two bite at the bait.  

Just delete the email and then change your email password to a new Strong Password just to make sure.

You can enter your email address(es) in the following site and it will check to see if that email address was part of a known breach.  That is how the scammer would know your password.

https://haveibeenpwned.com/

Please reference:
-----------------
MyOnlinesecurity - attempted-blackmail-scam-watching-porn
BleepingComputers - Beware of Extortion Scams Stating They Have Video of You on Adult Sites
Malwarebytes' Blog - Sextortion emails: They’re probably not watching you
Malwarebytes Forum sample thread - Got strange threating email.

 

[Porthos]

5 hours ago, C337Skymaster said:

He had one of my passwords.

With the above being said If you still use that password on any site/service/bank etc. I would change it since it is out there just in case. 

Mine was breached in the old Adobe hack years ago. I do not use that password anywhere anymore so I just laugh at the emails.

[C337Skymaster]

Thanks for that checker website. I hope it's secure.

It wasn't a particularly un-secure password, not the most secure, either: very middle-of-the-road, as it was one of my earliest, but I still use it to log into non-security-critical applications, such as online video games.

This is detouring away from my original question: trying to figure out why the scan speed varies the way it does. Ideally, I wanted to run a full scan about once a month, but if a scan takes a month, that's unrealistic.

[David H. Lipman]

We wanted to get at the root of the causative factor in you having to perform said scan.

There are many factors that can affect the time of a scan.

1. CPU and RAM speed
2. Other application's foreground and/or background actions or OS tasks occurring simultaneously
3. Disk data fragmentation
4. Disk speed
5. Large numbers of small files
6. Large numbers of Archive files and installer packages ( ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files) )

For example if you have large Temporary Internet File caches, a slow 5400rpm spindle drive, large number of ZIP files and a Celeron CPU it can take a long time.

Take a ZIP file.  To scan it, MBAM must open it extract the files and scan each file ( to MBAM's max. depth capacity ).  The scan log will show 1 file, the zip file, but if that ZIP contained 100 files then it really scanned 100 files.  If the ZIP file on the disk was highly fragmented, that action will be slowed down.  If you know that the Archive files are clean, you can disable scanning Archive files which will speed up the scan process. 

If you have a Peer-to-Peer ( P2P ) application also running it can slow down MBAM's scan.  In other words, any other application that is running and using the disk being scanned ( read/writes ) while MBAM is scanning will slow the MBAM scan down.

 

Edited November 24, 2018 by David H. Lipman

[C337Skymaster]

Intel i7-4710MQ (4-core, 8-thread)

Samsung 840 EVO SSD and Samsung 850 EVO SSD in Raid 1 (Mirrored). One is mSATA, the other is 2.5". Each drive is 1 TB.

16 GB Corsair Ballistix RAM.

Of specific interest is why I can pause the scan and have the speed increase momentarily, and overall why the speed SLOWLY decreases over the first 24 hours of a scan. Most of the explanations given, both here, and elsewhere on the internet, implicate a constant scanning rate. Scanning rate displayed is generally constant, but stabilizes at 1 file per second. With those system specs, and the fact that the computer is able to scan 400,000 files in 5 hours, I don't see why it slows to 1 file per second a day later, with no variation in speed thereafter (thus not indicating any file size effects). If you claim that it's saving the big files for last, then explain why, if I pause it, when I resume, it's scanning 1000 files/second, but if I'd let it continue normally, it sticks with 1 file/second.

These seem like really big variations in speed to "just" be due to file size... And it doesn't increase when I close programs, either.

[exile360]

It could be some kind of hardware bottleneck holding it back such as memory allocation or drive read speed throttling (a common issue with SSDs when their controller chips get too hot), however that's really just speculation.  To truly diagnose it you'd probably need to use a tool such as Sysinternals Process Monitor to see what it is checking and when because the information displayed in the UI of Malwarebytes while scanning is not necessarily accurate (it can't be because it is a multi-threaded application and therefore scans multiple files simultaneously depending on the number of cores and threads your CPU is capable of).

[exile360]

By the way, with regards to SSD throttling you can just do a web search for Samsung SSD thermal throttling and you'll find plenty of threads and articles on the subject, but as I understand it, it is an issue that virtually all fast SSDs face.  Basically the NAND flash chips where the data is stored like to be warm or even hot to perform their best, but the controller chip that manages them and handles the more advanced tasks of reading/writing to the flash needs to stay cool, with most of them throttling somewhere around 70C.  Unfortunately most SSDs and monitoring tools do not have a thermal sensor on the controller chip, so they only show you the temp of the NAND flash memory, which is typically much cooler (for the same reason your RAM is always cooler than your CPU, because the CPU is doing more intensive work) so getting the true temps for the controller chip can be difficult.

I have a 960 Pro NVMe SSD which does have a second thermal sensor in it to monitor the controller chip's temperature but very few monitoring tools are capable of reading it (only HWiNFO can of the tools I've tried so far):

Those temps are at idle taken just now while all I was doing is browsing.  It tends to run hot due to the fact that I have a laptop so there's not a lot of exposure for the controller chip to be able to cool itself off.  As soon as it hits 70C it will throttle and the throughput speed will drop dramatically.

Edited November 25, 2018 by exile360

[AdvancedSetup]

Let's get some logs, please

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to the disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thanks

 

[C337Skymaster]

FRST.txt

Addition.txt

Attached.

That thermal throttling issue is interesting. My mSATA hard drive is mounted on top of the motherboard, just underneath the keyboard, where it gets absolutely no ventilation at all. I used to have my two RAM sticks up there (because I got two extra sticks to have 32 GB, realized I was only using around 8GB, and removed the two lower frequency sticks from the two bottom slots. I only recently got worried/annoyed about my hand burning when I placed it on the palmrest and moved the two RAM sticks to the bottom. It turned out they weren't what was causing the heat, though the overall heat did diminish a bit).

[dcollins]

Can you please perform the steps below to gather a set of logs that should help us understand what's going on?

1. Start a scan
2. Wait for it to slow down
3. Once it slows down, pause the scan
4. Resume the scan and verify the number of files jumps
5. Download and run the Malwarebytes Support Tool
6. Do not click Repair
7. Click on Advanced on the left side
8. Click Gather Logs
9. This will take a bit, but should put a zip file on your desktop named mbst-grab-results.zip
10. Please upload this zip file in your response

[C337Skymaster]

mbst-grab-results.zip

Here you go.

Thanks again for the help!

[AdvancedSetup]

I was not able to find a smoking gun reason for this. I see a couple of minor issues but don't think that is the cause. Let's try doing a clean removal and reinstall and see if that helps. Part of the issue may be that we typically don't run into scans that last that long and if so users have not been reporting an issue.

Let me have you try doing a clean removal and reinstall of Malwarebytes and see if that helps correct the issue or not.

 

Please download the Malwarebytes Support Tool and use it to do a Clean Removal and reinstall of Malwarebytes

• Download Malwarebytes Support Tool
• Once the file is downloaded, open your Downloads folder/location of the downloaded file
• Double-click mb-support-X.X.X.XXXX.exe to run the program
  • You may be prompted by the User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a check-mark next to Accept License Agreement and click Next
• Click the Advanced menu on the left.
  
  
   
• Click the CLEAN button
  
  |
   
• A progress bar will appear and the program will proceed to remove Malwarebytes from your computer
• Upon completion, click OK
• Follow the onscreen prompts to reboot and reinstall Malwarebytes

Then let me know if you're still having issues with Malwarebytes.

Thanks

Ron