Jump to content

MB 3.5.1 MBAE Service not installing on Windows XP?


Recommended Posts

I have a very strange problem with Malwarebytes 3.5.1 on my Windows XP system.
It says that the exploit protection is not running, and keeps nagging me to start it, but when I do, nothing happens.
In the Windows System log, I'm getting "The Malwarebytes Anti-Exploit service failed to start due to the following error: A device attached to the system is not functioning."
On investigation, it appears that the service isn't actually installed!
There is no reference to it at all as a service in the registry.
MBAE.SYS is present in the System32\Drivers folder, but appears to be orphaned.
It also appears to be a Spanish language version of the file for some bizarre reason!
I have tried countless uninstalls and reinstalls, including system cleaning in between, with the same result every time.
I've tried in a clean boot environment, and in Safe Mode, in case something else on the system was interfering the installer, same result.
I've tried running the Support Tool, which didn't find anything meaningful as far as I could see.
Any ideas anyone?
Cheers, Dave.
🙂

Link to post
Share on other sites
  • Replies 50
  • Created
  • Last Reply

Top Posters In This Topic

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Greetings,

Please try performing a clean installation by following these instructions to see if it helps:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes by downloading the latest Windows XP compatible version from here

Please let us know how it goes and if the issue is resolved or not.

Thanks

Link to post
Share on other sites

OK, thanks.  It looks like the Base Filtering Engine (BFE) service isn't running on your system for some reason.  That may be the issue as that service is one of the required dependencies for Malwarebytes to function.  You should also try removing the following exclusion from Malwarebytes temporarily to see if that allows Exploit Protection to function as I recall there being an issue with exclusions on other drives causing problems with Exploit Protection a while back:

E:\Installation Files

Link to post
Share on other sites

I removed the exception on drive E: and it made no difference.
I would have been very surprised if it had done, as the problem was there before I added it!
I can find no trace of a Base Filtering Engine service on my machine, at least not in the Windows XP partition.
It's a multi-boot machine, and it is there in Windows 10.
Does that service actually exist in Windows XP, and if not is there an equivalent service instead which I should check?

Just to give more detail, which I didn't do earlier to avoid possible confusion if it was an obvious known fixable issue, when I first installed Malwarebytes, the Anti-Exploit function didn't work then either, but suddenly after a few reboots it spontaneously did start working.
It worked fine for the rest of the day, through several reboots, but in the evening I noticed that the red triangle exclamation mark was back on the tray icon.
I tried running the interface, which then just kept on crashing every time.
Eventually I reinstalled MB, and the interface now works again, but again I cannot now get the Anti-Exploit function to run.
It actually looks like the registry entries it needs are not even being installed, as there is no reference to mbae in the registry.
The Spanish version of mbae.sys is being installed in system32\drivers, as is mbae.dll and mbae-api-na.dll in the MB folder, these are both US English versions, so why is mbae.sys Spanish?!
Again there is no reference to any of these files in the registry, which surely can't be right!
☹️

Link to post
Share on other sites

Doing some more research, there appear to be files such as mbae.exe and mbae-svc.exe which are part of the Anti-Exploit system.
Neither of these files are present on my system.
I unpacked the MB 3.5.1 installer, and they don't seem to be there either!
I don't understand this.
🙂
 

Link to post
Share on other sites

No, those files are for the standalone version of MBAE, not the version integrated into Malwarebytes 3 so those other EXE files shouldn't be there.

As for why the Spanish language version of the driver is being installed, I have no idea, but it may be related to why Exploit Protection isn't working.

Link to post
Share on other sites

I just noticed something else odd in your logs.  They list the Windows directory as:

D:\WIN-NT

In XP, it should be C:\Windows, or in your case, since Windows is installed on D:\ it should be D:\Windows.  Win-NT is not a valid system folder name for the Windows directory on XP so I have no idea what's going on.  I also noticed other oddities in the logs regarding drive letters and folder structures and it shows D:\ as being a FAT32 formatted partition rather than NTFS.  I don't know if the filesystem structure has anything to do with it but it is odd for XP to be set up that way.

Link to post
Share on other sites

Thanks for the information on the standalone version of MBAE, that makes perfect sense.
So there is no separate MBAE service when using the full Malwarebytes program I guess.

The reason why my Windows folder is WIN-NT goes back many years.
I used to dual boot Windows 2000 and Windows 98 (going back a bit here! 😀) and to avoid confusion I had Windows 98 on C:\WIN-98 and Windows 2000 on D:\WIN-NT.
When I updated Windows 2000 to Windows XP, I simply kept the same arrangement.
It has never caused any problem because installers should not use absolute paths of course.
They usually use variables like %WINDIR% which reads the path from the machine environment variables.
If the MB installer is using absolute paths I would be very surprised, as that's asking for trouble, as it assumes that all systems are standard!

I doubt that's the problem as if it were there would be far more serious problems, in fact I doubt that the program would run at all!
The same applies to the drive being FAT32 rather than NTFS.

Anyway, as I said earlier, the Anti-Exploit component did run yesterday for quite a while, so it obviously can do.
The mystery is why it isn't running now, when I haven't knowingly changed anything!
🙂
 

Link to post
Share on other sites

Ah, I see.  That makes sense.  Yes, since it worked for a while chances are it's just some kind of intermittent issue with the software or it could be some kind of conflict with one of the other drivers on the system.

I have one more thing to suggest to troubleshoot:

Please open Malwarebytes and go to Settings>Application and toggle the option on under Event Log Data then restart the computer and once it restarts and Malwarebytes is up and running again, check to verify that Exploit Protection still isn't functioning.  Once that's done you may turn off the option under Event Log Data again (you don't want to leave it on constantly as those logs are quite verbose and will start to take up a lot of space on your system after a while so we use them sparingly only for diagnostic purposes).

Next, run the Malwarebytes Support Tool again and once again have it gather logs and then attach the new ZIP file containing the new set of logs into your next reply and I'll ask a member of the Malwarebytes staff to take a look and hopefully they'll be able to provide some insight as to why it's failing to start correctly.

Link to post
Share on other sites

OK, here's the new set of logs!
I hope they provide some clue as to what's happening (or not happening!)

Incidentally, I noticed yesterday when I tried the Repair option on the Support Tool that it uninstalls and reinstalls the program.
OK, except that it fetches and tries to install version 3.6, which doesn't work on XP, so the reinstall fails!

The tool needs to be updated so it detects the OS being used and serves the appropriate version.

Thanks for sticking with this.
Cheers, Dave.
🙂

mbst-grab-results.zip

Link to post
Share on other sites

Thanks for the info regarding the Support Tool on XP.  I'll be sure to report that to the team and hopefully they'll fix that in a future version so that it downloads/installs the appropriate build for legacy operating systems.

@dcollins, @nikhils could one of you please take a look when you get a chance?  I suspect your direct access to the Devs will prove valuable in determining what's going on here in this particular case (both of those members are Malwarebytes Support staff personnel).

I guess we'll have to wait until they return from their time off for the holidays, but in the meantime please let us know if there are any changes.

Edited by exile360
Link to post
Share on other sites

Hi again, I don't know if anyone is now looking at this problem, but yesterday I had to disable MB temporarily to test something, and I switched off the self-protection module and stopped the main service. To my amazement, when I rebooted, I found that the anti-exploit function was now enabled!
It now seems to be keeping working, but there's now another problem!
I now can't switch the self-protection module back on again.
If I try to do it, the MB interface just immediately and permanently freezes, and has to be forcibly terminated with the Windows Task Manager.
Anyone any ideas on that?
Cheers, Dave.
🙂

Link to post
Share on other sites
3 hours ago, Dave-H said:

...I switched off the self-protection module and stopped the main service. To my amazement, when I rebooted, I found that the anti-exploit function was now enabled!
It now seems to be keeping working, but there's now another problem! I now can't switch the self-protection module back on again. If I try to do it, the MB interface just immediately and permanently freezes, and has to be forcibly terminated with the Windows Task Manager.

Hi Dave_H:

You might need to collect another set of MB Support Tool logs with advanced event logging (Settings | Application | Event Log Data) temporarily enabled as exile360 suggested in post # 12.

If the Norton employees can't find any obvious problems in your latest set of MB Support Tool logs, you might want to try disabling any third-party utilities that that load at boot-up (or that have modules that run in the background and monitor your system after the utility is launched) just in case they are interfering with MB Premium's real-time protection.

Your FRST logs indicate that MB Premium v3.5.1-1.0.365 is the only security software running in real-time on your system, but I noticed you have many older utilities like Norton Utilities 2002 installed.  Is Norton Crash Guard (C:\Utilities\Symantec\Norton CrashGuard\CGMenu.EXE) or any other utility like your Super Doctor III (C:\Utilities\Monitoring\SuperDoctor III\Xitami\xisrv32.exe) configured to load a module at boot-up?

Please see jniffen's thread Mbamtray.exe Doesn't Start in Windows. This user found that they could get MB Premium to load correctly at boot-up without disabling MB Self-Protection (Settings | Protection | Startup Options | Enable Self-Protection Module | OFF) after they uninstalled the Lenovo RapidBoot software on their Thinkpad X220 running 64-bit Win 7 SP1.  Anything that potentially interferes with the loading of MB services at boot-up (including the FastStartup feature in Win 8.x and Win 10) can cause this type of problem when MB Self-Protection is enabled.

If you can't find a utility loading at boot-up that could be interfering with loading of MB services try changing the time that your MB real-time protection and/or Self-Protection starts and see if that helps.  For example, go to Settings | Protection | Startup options and test with Delay Real Time Protection When Malwarebytes Starts turned ON (change the default 15 sec to the max 180 sec for your first test), and re-boot a few times ensure the configurations changes have taken effect.  If that doesn't help, turn OFF Delay Real Time Protection When Malwarebytes Starts, then turn ON the setting for Enable Self-Protection Early Start, and re-boot a few times.  

I have Norton Security v22.15.1 installed on my 32-bit Vista SP2 machine for my main real-time antivirus protection, and discovered that I can't run Malwarebytes v3.5.1.-1.0.365 Premium at the same time as my Norton AV (even if I create the recommended scan exclusions in both products) unless I disable the Self-Protection module in Malwarebytes. That's not an acceptable workaround so I currently have my MB Premium license deactivated and only use MB as a free on-demand scanner.  Several other users have reported similar problems with MB Premium not loading correctly at boot-up (e.g., crashes of mbamservice.exe, mbamtray.exe, etc.) unless they disable Self-Protection module because of apparent conflicts with their antivirus.  See comments in MadDemon's thread Malwarebytes System Tray Icon Missing After Latest Update from post # 96 onward, as well as his newer Oct 2018 thread Malwarebytes System Tray Icon Missing confirming that MB Premium still won't load correctly at boot-up unless MB Self-Protection is disabled.  Just an FYI that MadDemon has a 64-bit Win 8.1 OS (with FastStartup disabled) and the latest Norton Internet Security v22.16.x so this issue with MB's Self-Protection and Norton isn't restricted to older 32-bit OSs.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post
Share on other sites

Thanks very much for that!

Those Norton programs are part of the (very) old Norton Utilities suite.
There are no anti-virus or anti-malware programs there, they are just maintenance tools.
There are no processes running permanently from any of them, so it's very unlikely that they are affecting Malwarebytes in any way.

After a lot of uninstall/clean/reinstall cycles, I'm now back as before, with everything looking OK apart from the self-protection function not being switched on, and the whole interface just freezing permanently if I try to turn it on.

The only other security software that i have installed and running is Trusteer Rapport, but disabling that makes no difference.

It seems to me that my MB installation is always in one of two states.
Either the Anti-Exploit function is enabled and the self-protection function is not enabled, or vice-versa.
There seems to be no way of getting both functions enabled at the same time.
If I uninstall and reinstall, the self-protection module is enabled and OK, but Anti-Exploit won''t switch on, and then if I reboot a few times, the Anti-Exploit function does turn on, but the self-protection module is then switched off, and cannot be turned on again, just freezing the interface if I try.

☹️

Link to post
Share on other sites

OK, after yet another uninstall/clean/reinstall session I've made some progress!
As before, when the program was first installed, the anti-exploit module wouldn't run, but the self-preservation module was fine.
Again after rebooting, the anti-exploit module was on, and the self-preservation module was off, and couldn't be turned on.
Later on I happened to look in the Windows System log, and there on every boot, there was an error message saying -

The following boot-start or system-start driver(s) failed to load:
mbamchameleon

Now this jogged my memory as I had a similar issue with Avast a few months ago when I was trying to get that to work!
There were two boot services there which were also failing to start, and I discovered that if I changed their start type from "boot" to "system" they did work.
I tried the same with mbamchameleon, and lo and behold it now starts and the self-preservation and anti-exploit modules are both working!

I tried to edit the registry entry for the service again, and it blocked me, so it is working.
However, there still seems to be no block on me stopping the main Malwarebytes service using the Windows Services MMC interface, or indeed setting it to disabled!
Should the self-preservation module prevent that?
🙂

Link to post
Share on other sites
3 hours ago, Dave-H said:

However, there still seems to be no block on me stopping the main Malwarebytes service using the Windows Services MMC interface, or indeed setting it to disabled!
Should the self-preservation module prevent that?

No, it doesn't currently prevent manipulating the service through services.msc so this is the expected behavior.  It is odd that the service fails to load when set to boot, even after the system is already running.  You mentioned you had a similar issue with Avast so I wonder what is unique about your system that causes this issue with such services/drivers.

Link to post
Share on other sites

That is the question!
Something on my system is causing problems with security software, and I haven't been able to identify it.
In the case of both Avast and Malwarebytes, there were boot services that loaded fine on the original installation, but would not load subsequently unless they were changed to system services instead of boot services.
I've also tried Panda Security, and that had problems too, similar to Avast. Services starting really slowly or not at all, and also hanging the shutdown of the system as they won't release the registry.
All very odd, and these are all systems which are supposed to still work fine with Windows XP, and many people say that they do!
It's a multi-boot system using a dual processor server motherboard with Windows XP on a FAT32 drive, all things that could potentially cause problems, but I've never been able to find out exactly what the issue is.
☹️

Link to post
Share on other sites
1 hour ago, Dave-H said:

...Something on my system is causing problems with security software, and I haven't been able to identify it.  In the case of both Avast and Malwarebytes, there were boot services that loaded fine on the original installation, but would not load subsequently unless they were changed to system services instead of boot services.
I've also tried Panda Security, and that had problems too, similar to Avast. Services starting really slowly or not at all, and also hanging the shutdown of the system as they won't release the registry...
It's a multi-boot system using a dual processor server motherboard with Windows XP on a FAT32 drive, all things that could potentially cause problems, but I've never been able to find out exactly what the issue is.

Hi Dave-H:

Just throwing out a few ideas for you to think about while you're waiting for the Malwarebytes employees to jump into this thread.

If you haven't already done so, it wouldn't hurt to run the removal tools for Avast (https://www.avast.com/uninstall-utility) and Panda (https://www.pandasecurity.com/support/card?id=82011) to clean up any orphaned registry entries or files left behind after uninstalling these AVs from Control Panel | Add or Remove Programs.  Remnants from previous AV installations can cause all sorts of unexpected glitches when you install a new security program and could be interfering with Malwarebytes.

I just noticed in your FRST logs that you have Microsoft's EMET  (Enhanced Mitigation Experience Toolkit) v4.1.1 installed and it looks like this security software running in real-time protection mode.  EMET has been known to cause conflicts with the Exploit Prevention module in Norton, and I wonder if it's causing a similar problem with Anti-Exploit in Malwarebytes?  Microsoft ended support for EMET v4.x on 09-Jun-2015 (I don't think EMET v5.x is compatible with Win XP) and a conflict with an unsupported version of EMET might even explain past problems with your previous Avast and Panda installation.

Your FRST Additions.txt file also shows you have multiple Malwarebytes-related errors being logged in your Event log, including:

    Error: (12/28/2018 01:40:22 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application mbam.exe, version 3.0.0.1490, faulting module qt5core.dll, version 5.6.3.0, fault address 0x001a51bb.
    Processing media-specific event for [mbam.exe!ws!]

    Error: (12/29/2018 02:00:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Malwarebytes Anti-Exploit service failed to start due to the following error:
    A device attached to the system is not functioning.

I have no formal training when it comes to interpreting these FRST logs, but the qt5core.dll v5.6.0.3 (C++ Application Development Framework) for my own MB v3.5.1-1.0.365 installation is located in C:\Program Files\Malwarebytes\Anti-Malware. Someone familiar with the inner workings of Malwarebytes would have to tell you if performing a custom install of Malwarebytes on a D:\ drive with a FAT32 file system and placing drivers like mbamchameleon.sys in D:\WIN-NT\system32\drivers\ instead of C:\Windows\system32\ could be causing issues.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Link to post
Share on other sites

Yes, with all these variables at play I have no doubt that there's something in that configuration, either with failing hardware or just some sort of incompatibility/conflict causing these issues, especially using such a non-standard setup/installation.  The only thing I can recommend would be to try to "normalize" things as much as possible to eliminate possibilities.  Taking the steps mentioned by lmacri above would be a good place to start (i.e. running the clean tools for the previously installed AVs and removing EMET, especially since the Exploit Protection in Malwarebytes should cover everything that EMET does and then some).

Beyond that, I'd start looking at your system's startups/BIOS/RAM/HDD etc. to try and determine if there is some kind of issue there causing these problems with services and drivers starting up.  It could be something as simple as a misconfigured security policy/restriction or permissions issue, but I don't know where to begin with regards to diagnosing that beyond looking at any modifications you might have made in gpedit/the registry for such things in the past assuming you've documented them/remember them (assuming there even are any that you've made to this system).  There are a lot of factors here, especially with the hardware you're using, which while it may be perfectly compatible with XP, may not necessarily be fully compatible with Malwarebytes and other security apps when running XP (assuming the hardware configuration has anything to do with these issues, which it may not, it's just another possibility).  I don't know honestly, but I'm certain the Malwarebytes QA team has never tested on such a system (I doubt any of their test rigs have more than 1 socket/CPU, and as I'm sure you're aware, a multi-core CPU is very different from a multi-CPU/multi-socket system).  That said, if the hardware itself were an issue we probably would have heard something about this from the business customers by now as I'm certain some of them must be running such hardware in their environments, though of course they may not be running the Malwarebytes protection client on those systems since they are servers and all, but I would still think that at least someone would have tried to by now and would have reported it if they encountered any issues/errors with that setup.

Link to post
Share on other sites
  • Staff

Please start with uninstalling EMET 4.1. Malwarebytes for Windows and EMET are not compatible - having both installed can result in false-positives, system instability, performance problems and other issues with the machine.

After uninstalling the program, please reboot the computer and reassess the situation. If you're still experiencing an issue, please rerun the Malwarebytes Support Tool > click Advanced > click Gather Logs and attach the generated mbst-grab-results.zip on your Desktop. In addition, please provide an update of the current issues.

Edited by LiquidTension
Link to post
Share on other sites

Thanks everyone!
Good to be made aware that MB and EMET don't play well together.
It's good to know that MB in fact does everything that EMET does, and I'm sure a lot better, as you have to use quite an old version of EMET if you're still running XP.
I have now disabled EMET.
EMET I'm sure cannot be the cause of the problems however, as I did several installs of MB in a clean boot environment, with nothing running except the core services that Windows needs to run. This included EMET of course. This made no difference to the MB installation.

Anyway, MB seems to be running OK now, touch wood. The only anomaly still present, which is still there even after getting rid of EMET, is that the mbamchameleon service will not run as a boot start service, only as a system start service. I tried putting it back to boot start, and it no longer ran on system startup.
Whether leaving it like this compromises any of the MB protection I don't know.

You are right that my system is extremely non-standard, so I'm probably lucky that MB works at all, that's more than the latest versions of Avast will!
The main Avast service, on which the whole thing depends, won't even run at all.
Cheers, Dave.
🙂

Link to post
Share on other sites
  • tetonbob changed the title to MB 3.5.1 MBAE Service not installing on Windows XP?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.


Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.