Jump to content

Startup/Shutdown Delay with Ransomware Protection


Recommended Posts

I found an issue with the new build.  Windows 7 x64, fully patched.

On system startup, when Ransomware Protection is allowed to start with MB3 which is set to start with Windows, system start is halted shortly after Windows loads during the startup process of startup applications/services with MBAMService running without the Malwarebytes tray running and it appears to be getting stuck somehow by or because it is interfering with the startup of HotKey which is a proprietary hardware/system control and monitoring solution provided by Clevo for their custom high end laptop solutions (sometimes sold under other branding such as Sager, Eurocom etc.).  If I terminate the HotKey service process via Task Manager, Malwarebytes proceeds to load and allows all the other startups to proceed with loading.  If I do nothing and wait, eventually the HotKey service process will time out and throw an error and Malwarebytes will then finish loading and allow the other startups to load (this takes several minutes to occur).  If I disable Malwarebytes or just Ransomware Protection from loading on boot there is no issue and the system loads fine.  I have not yet attempted creating exclusions but I will.  I just wanted to report this issue first as it seems related to the other issues we've been seeing.

I captured memory dumps via Task Manager from the various processes involved in this issue and uploaded them here.

I have also noticed, as one user mentioned previously in this thread in post #419, that Malwarebytes causes a delay in shutdown/waiting for a program to close message when installed/active during shutdown and also notice that it takes a while longer for the system to shutdown completely after logging off of Windows on the final shutdown screen with a good deal of that time spent displaying a message about Malwarebytes service shutting down (verbose logon/logoff messaging enabled), though it's not the only one that shows up during shutdown.  The system doesn't hang during shutdown and it doesn't take terribly long, but it is noticeable, especially considering my system specs:

WEI_FullDetail.png.1e2cc47dbf6ef2449559b91cf7f636cd.png

I will test with exclusions and let you know how it goes, but I suspect that something similar to the multi-threading/vs single threading issue discovered with the Web Protection component is involved here as well because seeing Malwarebytes' protection get "stuck" on something and seeing the rest of the system becoming partially or completely unresponsive as a result is a fairly common occurrence in my experience.

Link to post
Share on other sites

I split this into a new topic to avoid potential confusion with the system freeze issue.
 

1 hour ago, exile360 said:

I found an issue with the new build.  Windows 7 x64, fully patched.

Thank you for the information. We'll look further into the HotKey issue and memory dumps you provided.
 

1 hour ago, exile360 said:

Malwarebytes causes a delay in shutdown/waiting for a program to close message when installed/active during shutdown and also notice that it takes a while longer for the system to shutdown completely after logging off of Windows on the final shutdown screen

Investigation into this is on-going, but we've not been able to reproduce it internally. It would be helpful to obtain a full memory dump generated when the delay/hang occurs during shutdown.

To do so, please enable the Ctrl+Scroll Lock method using the instructions below:
https://www.tenforums.com/tutorials/67856-enable-disable-bsod-crash-ctrl-scroll-lock-windows.html

Once done, restart the computer.

After the restart, ensure Ransomware Protection is re-enabled in Malwarebytes. Then do the following:

  • Try to shutdown and wait for the delay/hang to occur. Press and hold the right Ctrl button, then press Scroll Lock twice. This will force an intentional blue screen.
  • After the machine reboots, zip up the memory dump from %systemroot%\memory.dmp and upload it to wetransfer.com. Please reply with the link.


In addition, please run the Malwarebytes Support Tool > Gather Logs and provide the generated mbst-grab-results.zip.

Edited by LiquidTension
Link to post
Share on other sites

So far the exclusion seems to have done the trick (I also disabled Meltdown protection via the registry so that also may be a factor but I doubt it).  I can test further by re-enabling Meltdown protection and/or removing the exclusion if you wish, just let me know.

Edited by exile360
Link to post
Share on other sites
On 1/23/2019 at 10:36 PM, exile360 said:

I can test further by re-enabling Meltdown protection and/or removing the exclusion if you wish, just let me know.

Yes, that'd be a great - thank you.

Also, please could you configure Process Monitor to perform boot-time logging > restart > reproduce the hang > upload the generated Process Monitor boot logs.

Link to post
Share on other sites

Confirmed, no effect from re-enabling Meltdown protection.  I then tested removing the exclusion and the issue did indeed return on the next reboot.

I've enabled boot logging and I'm about to restart, but keep in mind that this appears quite similar to past issues I've observed and reported to the Devs with MB where it hangs that would often prevent logging tools from functioning because it's close to a full system stop once it occurs.  I do have some flexibility in this case as I can launch at least one or two new processes while MB is hung up/trying to start, but it does eventually stop any new threads from entering memory until I terminate Hotkey from memory so just keep that in mind as it may prevent the capture from working or from working fully by stopping Procmon's write activity after a point.

Link to post
Share on other sites

Well, I've got a weird result for you.  The next time I rebooted my system it didn't hang and Hotkey was allowed to load and Malwarebytes loaded normally.  I'll keep playing with it as I'm sure it will return again, however I suspect that it was the presence of Procmon logging boot activity which altered the timing and may have lead to the issue not occurring since it could have offset the normal startup sequence which allowed Hotkey to load fully prior to Malwarebytes trying to load.

Link to post
Share on other sites
  • 3 weeks later...

Thanks for this thread. My PC was stuck at the Shutting Down blue screen.

I tried letting it run automatically.

Went to bed.

Woke up the next day.

Still at the Shutting down screen.

 

Thanks to you guys, I found out the reason. Now I make sure to manually kill Malwarbytes from Windows Task Manager and disconnect my internet connection prior to shutting down.

I'm on Windows 7 x64

 

Maybe the staff can fix this? I've been a SUBSCRIPTION premium member for 3 years and these glitches are ridiculous. Why is it that all things on subscriptions are broken and bad? *cough Windows 10* I'm looking at you too.

Link to post
Share on other sites
On 2/13/2019 at 7:13 PM, alanintendo said:

Now I make sure to manually kill Malwarbytes from Windows Task Manager and disconnect my internet connection prior to shutting down. 

To confirm your issue is consistent with other reports, can you try only disabling Ransomware Protection in Malwarebytes and check if the issue still occurs. To do so, open Malwarebytes and turn Ransomware Protection off under Real-Time Protection.

Could you also carry out steps 4 and 5 in the topic linked below please:
https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

Edited by LiquidTension
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.