dagar74

Changes to Exclusions for Kaspersky needed


Reinstalling Windows 10 1809 and all software, I ran into a problem setting up Exclusions for Malwarebytes Premium version 3.7.1, in Kaspersky Total Security 2019. This is probably due to the new version 3.7.1, which I had not used before.  I tried to set the exclusions using previous guidance that I had found on this forum but could not find all of the drivers. I found a support DOC 1123 that says it was updated on 2/14/2019, but it does not include two new files mentioned in a post by 1PW on 12/22/2018, which are present in my system (mbamwow.exe and malwarebytes_assistant.exe) and I did exclude these.

Previous guidance on excluding drivers has flip-flopped over a couple of years between using them in the C:\Windows\Sysnative folder or the System32 folder, and the above-mentioned DOC 1123 uses the Sysnative folder, which is not visible in Explorer regardless of viewing options. I only found mbae64.sys and MbamElam.sys (not in the previous list) in the System32\drivers folder, but none of the remaining 5 .sys drivers previously excluded in my version 3.6.1 Malwarebytes installation.

I would really appreciate some updated guidance on the exclusions to be set in Kaspersky to include mbamwow.exe, malwarebytes_assistant.exe, and MbamElam.sys, plus clarifying whether we use the Sysnative or System32 folders.

Thank You


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following:

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

To save attachments, please click the attachment link. You can click and drag the files to this bar, or you can click "choose files", then browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

Regardless of whether the system is running a 32 bit version of Windows or 64 bit version, System32 is the Sysnative folder.  On 64 bit Windows the SysWOW64 folder is the non-native/non-64 bit location.  This means that when creating exclusions, as long as the browse/exclude functions in your antivirus can see the actual System32 folder (rather than being redirected to SysWOW64, which 32 bit programs on 64 bit Windows are by default), that the System32 and Sysnative locations are the same so the path should be C:\Windows\System32\drivers regardless of whether you're running a 32 bit or 64 bit version of Windows.

As for the new files, I don't currently have a copy of mbamelam.sys in my System32\drivers folder, it's only in my Program Files folder for Malwarebytes.  I don't know if it's actually necessary to exclude it or not, but it does no harm to do so even if it isn't necessary.  The support article you referenced provides instructions to exclude the entire program folder anyway, so all files in that directory should be excluded:

C:\Program Files\Malwarebytes

The same goes for this directory, which is where Malwarebytes stores its configuration files and data:

C:\ProgramData\Malwarebytes

I think the whole System32/Sysnative thing is a bit confusing unless you understand how Windows x64 works and what WOW64 is, but basically you should always be excluding the drivers located under C:\Windows\System32\drivers regardless of the OS version, it's just that some 32 bit programs when running on a 64 bit operating system get redirected to the SysWOW64 folder instead of the actual System32 folder unless you specify Sysnative instead.  I just tested this using Spybot Search & Destroy which is a 32 bit program (I know this because it installs under C:\Program Files (x86)) and using its built-in browse function to add a custom directory for scanning, I verified that no matter whether I go to C:\Windows\System32\drivers or C:\Windows\SysWOW64\drivers, it is always actually seeing C:\Windows\SysWOW64\drivers (I can tell because it never shows the two additional folders that exist in my actual native System32\drivers folder).  This is because of a compatibility function in Windows called WoW64 filesystem redirection that affects all 32 bit applications when run under a 64 bit version of Windows.  You can find out more about how this works in this Microsoft article.  It can be disabled by the Developers of a 32 bit application through special API functions, however by default any 32 bit (x86) executable that tries to see the System32 folder will actually be redirected to the SysWOW64 folder for the sake of compatibility (this is also true of the registry where 32 bit applications can by default only read/access the Wow6432Node registry keys).

So if Kaspersky is a native 64 bit application then it doesn't matter and you should have no trouble finding Malwarebytes' drivers under C:\Windows\System32\drivers; however, if it is a 32 bit application then chances are it may only be able to do so if you specify "SysNative" to disable WoW64 filesystem redirection.

So basically, everything in this Malwarebytes support article should still be accurate.  It specifies "Sysnative" because otherwise you'd be redirected to the SysWOW64 folder in 64 bit Windows versions if using a 32 bit antivirus program and thus you wouldn't be able to locate Malwarebytes' drivers because they are always under the native System32 folder regardless of whether it is a 32 bit or 64 bit operating system (and there are a couple of extra drivers on 64 bit Windows of course, as mentioned in the support article).

Edited by exile360
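The redirection behaviour described in the post above can be observed directly. The following PowerShell script is an added example written for this thread; it is not code from Malwarebytes, Kaspersky or any poster. It lists the Malwarebytes driver files as seen through the System32, SysWOW64 and Sysnative paths from the process that runs it, and works out the drivers path an antivirus exclusion should use for a given AV process. It assumes the driver file names start with "mb" (the thread names mbae64.sys and MbamElam.sys), infers a process's bitness the way the post does (an executable under "Program Files (x86)" is treated as 32-bit), and uses 'avp' only as a placeholder for the AV's main process name.

```powershell
# Added example (not from this thread, Malwarebytes or Kaspersky). Shows how
# WoW64 file system redirection changes which physical folder a process sees,
# and reports which drivers path an antivirus exclusion should use.
# Assumption: Malwarebytes driver file names start with "mb" (the thread
# names mbae64.sys and MbamElam.sys); adjust the filter for other products.

function Get-NativeDriverFolder {
    # Returns the path that reaches the real System32\drivers from a process
    # of the given bitness. Sysnative is an alias that only exists for 32-bit
    # processes on 64-bit Windows; everywhere else System32 is already native.
    param([bool]$ProcessIs64Bit, [bool]$OsIs64Bit)
    if ($OsIs64Bit -and -not $ProcessIs64Bit) {
        return Join-Path $env:windir 'Sysnative\drivers'
    }
    return Join-Path $env:windir 'System32\drivers'
}

function Show-DriverFolderView {
    # Lists mb*.sys as seen through each candidate path from *this* process.
    # Run it once from 64-bit PowerShell and once from the 32-bit one
    # (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) to watch
    # System32 and SysWOW64 collapse into the same listing under WoW64.
    param([string]$Filter = 'mb*.sys')
    $candidates = 'System32\drivers', 'SysWOW64\drivers', 'Sysnative\drivers' |
        ForEach-Object { Join-Path $env:windir $_ }
    foreach ($dir in $candidates) {
        if (-not (Test-Path -LiteralPath $dir)) {
            '{0,-34} not visible from this process' -f $dir
            continue
        }
        $names = Get-ChildItem -LiteralPath $dir -Filter $Filter -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
        if ($names) { '{0,-34} {1}' -f $dir, ($names -join ', ') }
        else        { '{0,-34} (no {1} found)' -f $dir, $Filter }
    }
}

function Get-ExclusionDriverPath {
    # Works out the drivers path to enter in an AV's exclusion list, based on
    # the bitness of the AV process itself. Bitness is inferred the way the
    # thread does it: an executable under "Program Files (x86)" is 32-bit.
    # Reading the image path of a self-protected AV process may need an
    # elevated prompt.
    param([Parameter(Mandatory)][string]$ProcessName)
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) { throw "Process '$ProcessName' is not running." }
    $exe = $proc.Path
    if (-not $exe) { throw "Cannot read the image path of '$ProcessName' (try an elevated prompt)." }
    $is32 = [bool]${env:ProgramFiles(x86)} -and ($exe -like "${env:ProgramFiles(x86)}\*")
    $folder = Get-NativeDriverFolder -ProcessIs64Bit (-not $is32) -OsIs64Bit ([Environment]::Is64BitOperatingSystem)
    [pscustomobject]@{ Process = $exe; Is32Bit = $is32; ExclusionPath = $folder }
}

'OS 64-bit: {0}; this PowerShell process 64-bit: {1}' -f ([Environment]::Is64BitOperatingSystem), ([Environment]::Is64BitProcess)
Show-DriverFolderView
# 'avp' is a placeholder for the antivirus's main process name; substitute your product's.
# Get-ExclusionDriverPath -ProcessName 'avp'
```

From a 64-bit PowerShell the Sysnative path reports as not visible and System32 shows the native driver list; from the 32-bit PowerShell, System32 and SysWOW64 produce the same listing and only Sysnative reaches the native folder. That is the observation the post makes with Spybot's browse dialog, and the reason the support article spells the path as Sysnative for 32-bit AV products.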


Thanks for the reply exile360. I have changed my drivers to list the Sysnative folder instead of System32 and also excluded the MbamElam.sys file that I found in my System32 folder.

Kaspersky settings for Exclusions include two categories of Exclusions: "Manage exclusions" and "Specify trusted applications". The Manage Exclusions option is where the items you recommended go. It may be overkill, but for the last couple of years I have also been clicking on "Specify trusted applications" and adding 8 Malwarebytes executables like "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe" as Trusted Applications, just to be sure that Kaspersky leaves Malwarebytes alone.

Do you think that adding the executables to Trusted Applications is a waste of time?

Thanks again 


Not at all, in fact, it's very likely that adding Malwarebytes to the trusted applications list is the only truly effective way to prevent potential conflicts with Kaspersky, as I believe that's the only type of exclusion that prevents Kaspersky from actually monitoring/interfering with an application's processes in memory.  I believe the others only really prevent Kaspersky from detecting the selected items as threats which is not at all the same as not monitoring them and would only work to prevent a potential false positive detection of those items; it wouldn't really do anything to prevent conflicts, at least if I am correct about what each type of exclusion does (I'm a former Kaspersky user myself, and this is how it worked from what I remember).


Thanks exile360. I will continue adding the executables. It seems like it would be good for Malwarebytes to update the Support Article mentioned in your first post to include the executables for programs like Kaspersky that have a Trusted Applications exclusion.


Yes, I agree.  I'll definitely bring this up to the team that handles our support documentation and hopefully they'll revise it to be more specific/accurate.

On 2/20/2019 at 1:30 AM, exile360 said:

Greetings,

Regardless of whether the system is running a 32 bit version of Windows or 64 bit version, System32 is the Sysnative folder.  On 64 bit Windows the SysWOW64 folder is the non-native/non-64 bit location.  This means that when creating exclusions, as long as the browse/exclude functions in your antivirus can see the actual System32 folder (rather than being redirected to SysWOW64, which 32 bit programs on 64 bit Windows are by default), that the System32 and Sysnative locations are the same so the path should be C:\Windows\System32\drivers regardless of whether you're running a 32 bit or 64 bit version of Windows.

As for the new files, I don't currently have a copy of mbamelam.sys in my System32\drivers folder, it's only in my Program Files folder for Malwarebytes.  I don't know if it's actually necessary to exclude it or not, but it does no harm to do so even if it isn't necessary.  The support article you referenced provides instructions to exclude the entire program folder anyway, so all files in that directory should be excluded:

C:\Program Files\Malwarebytes

The same goes for this directory, which is where Malwarebytes stores its configuration files and data:

C:\ProgramData\Malwarebytes

...I think the whole System32/Sysnative thing is a bit confusing unless you understand how Windows x64 works and what WOW64 is, but basically you should always be excluding the drivers located under C:\Windows\System32\drivers regardless of the OS version, it's just that some 32 bit programs when running on a 64 bit operating system get redirected to the SysWOW64 folder instead of the actual System32 folder unless you specify Sysnative instead..

So basically, everything in this Malwarebytes support article should still be accurate.  It specifies "Sysnative" because otherwise you'd be redirected to the SysWOW64 folder in 64 bit Windows versions if using a 32 bit antivirus program and thus you wouldn't be able to locate Malwarebytes' drivers because they are always under the native System32 folder regardless of whether it is a 32 bit or 64 bit operating system (and there are a couple of extra drivers on 64 bit Windows of course, as mentioned in the support article).

Hi exile360:

I'm still confused.

The Malwarebytes support article Malwarebytes for Windows Antivirus Exclusions List (last updated 14-Feb-2019) you referenced above states that the correct path to the .sys drivers is C:\Windows\Sysnative\drivers\  for 64-bit Windows and C:\Windows\System32\drivers\ for 32-bit Windows.  However, the exclusion list in post # 7 (subtitled "Malwarebytes 3.0 Files To Be Added to AV Exclusions List") of the FAQ Malwarebytes 3 - Frequently Asked Questions pinned at the top of this board doesn't make any reference to the path C:\Windows\Sysnative\drivers\ for 64-bit Windows.

Is the information in the FAQ pinned at the top of this board (last updated 28-Jul-2017) out-of-date, and if so could you please raise this discrepancy with your contacts at Malwarebytes?  I've always directed users to the exclusion list in the FAQ and told them to use C:\Windows\System32\drivers\ as the path to the .sys drivers, regardless of whether they have a 32-bit or 64-bit OS.  If that's wrong then I imagine there are many users with 64-bit Windows who are not using the correct path to the .sys drivers in their exclusion list.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365


Hello

Is it necessary to exclude this new folder "C:\Windows\system32\Drivers\MbamElam.sys"?

Thanks for your help.


On 64 bit Windows, System32 is the same thing as SysNative.  As I mentioned, it only affects 32 bit processes that get redirected to SysWOW64.  My guess is that the FAQ on the forums here just didn't include that information since most AVs are native 64 bit applications these days so they won't get redirected to SysWOW64 so there is no need for the SysNative function, however in the support article the one(s) who handled writing it were more aware of this issue and wanted to ensure that it covered all scenarios, but that's just my guess as I didn't write it.

As for the file MbamElam.sys, it may not be necessary, but it couldn't hurt either.  That's the early launch driver which is used for starting Malwarebytes' protection early during the boot process in Windows 10 per Microsoft's documentation for AV/AM vendors to allow them to better protect systems.  Since it doesn't keep running by the time the desktop is loaded and the exclusions become relevant, I doubt it would have any effect, but I don't know all the details on Microsoft's implementation.

So essentially, my opinion is I doubt excluding that particular file makes any difference, but it couldn't hurt to exclude it if you decide to.  I don't know if the Malwarebytes tech support folks are going to add that to the list of items to exclude in their documentation/FAQs in the future or not, but they probably will just to be safe and all-inclusive.


No matter what I have done exclusion-wise, Kaspersky always blocks Malwarebytes services on my Win7 Pro computer...attached are my exclusions and Kaspersky report...if anybody has any suggestions... thanks. Otherwise, this has been going on forever, and I assume Kaspersky will continue blocking memory processes and Malwarebytes will still do what it is supposed to do in the background.

mal1.jpg

Shot3.jpg


Hi Davidtoo:

I don't use Kaspersky, but can you view the details of those logged "Suspicious action was blocked" events to see if your Malwarebytes Service (MBAMService.exe) was trying to access your firewall?  The exclusions listed in the Malwarebytes support article Malwarebytes for Windows Antivirus Exclusions List notes that MBAMService.exe must be able to contact the domains keystone.mwbsys.com and sirius.mwbsys.com, and I'm wondering if Kaspersky's firewall (or perhaps some sort of built-in web browsing protection) is blocking MBAMService.exe when it tries to access Malwarebytes' backend servers to perform background checks for product updates, etc.

Quote

For licensing and updates, mbamservice.exe needs to reach out to the following hosts:

  • keystone.mwbsys.com
  • sirius.mwbsys.com

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365
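As a quick way to separate a network-level block from an application-specific one, here is an added PowerShell check (written for this thread, not code from Malwarebytes or any poster). It resolves the two hosts quoted from the support article and attempts a TCP connection to each. Port 443 is an assumption, since the thread does not state which port mbamservice.exe uses; the script uses System.Net.Sockets.TcpClient rather than Test-NetConnection so it also runs on Windows 7-era PowerShell.

```powershell
# Added example (not from this thread or from Malwarebytes). Checks that the
# two hosts the support article says mbamservice.exe must reach both resolve
# in DNS and accept a TCP connection. Port 443 is an assumption: the thread
# does not state which port the service uses.

function Test-BackendHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,        # assumed port, see note above
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; Addresses = $null; TcpOk = $false; Error = $null }

    # Step 1: DNS. A failure here points at name resolution, not the firewall.
    try {
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 2: TCP connect with a timeout, so a silently dropped packet
    # does not hang the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $result.TcpOk = $client.Connected
        } else {
            $result.Error = "TCP ${Port}: timed out after ${TimeoutMs} ms"
        }
    } catch {
        $result.Error = "TCP ${Port}: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Hosts named in the quoted support article.
'keystone.mwbsys.com', 'sirius.mwbsys.com' |
    ForEach-Object { Test-BackendHost -HostName $_ } |
    Format-Table -AutoSize
```

If both hosts show TcpOk as True from PowerShell yet Kaspersky keeps logging blocks for MBAMService.exe, the restriction is being applied to that particular application (a per-application firewall rule or a behaviour-monitoring component) rather than to the network path, which narrows where to look in the Kaspersky settings.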


The only detail I can come up with using Kaspersky is the attached.  I have no idea if or how to figure out what role the firewall is playing....I suspect that Kaspersky will block memory processes no matter what is excluded due to the danger they pose..but I am speculating there.....

Shot1.jpg


Here are my kaspersky firewall rules regarding malwarebytes...if you or anyone can make a suggestion as to what I should add or delete or edit.....to get the memory process working......

Shot1.jpg


best I can tell...everything in malwarebytes is trusted by kaspersky and its firewall...and yet it still blocks the service.


It looks like it's the HIPS component in Kaspersky detecting/blocking Malwarebytes.  If there's a way to exclude processes from that component then that should hopefully resolve it.

15 minutes ago, exile360 said:

It looks like it's the HIPS component in Kaspersky detecting/blocking Malwarebytes

exile360, you DO realize that it is a lost battle to fight with each and every antivirus, suggesting "add this" or "exclude that" in order to make Malwarebytes "compatible", when every computer user on this planet is well aware that one shouldn't run two antimalware programs with real-time protection at the same time...

What about tomorrow, when the antivirus updates a module? Now what, start all over again???

Where do we stop, acknowledging that it is not advisable to run Malwarebytes Pro and another antivirus simultaneously????

7 minutes ago, selma said:

 when every computer user on this planet is well aware that shouldn't run two antimalware with real time protection at the same time...

Really, if every computer user on the planet knows this, why don't the experts at Malwarebytes know this?

Thank you exile, but I have to assume that HIPS is part of Kaspersky's "System Watcher" and sure it can be turned off...but as best I can tell there is no way to exclude anything...anyway, that is the part of the program that prevents malicious activity, like ransomware, from infecting your computer...stops it cold and rolls back the damage...so I guess I will continue using both and not worry about whatever Kaspersky is blocking. I know that Malwarebytes still works because it has prevented exploits in the past and has blocked me from going to malicious websites...so I may not get full functionality out of it...but at least I get some...

18 minutes ago, Davidtoo said:

Really,  If every computer user on the planet knows this, why don't the experts at malwarebytes know this?

Because they need to sell a product which is no longer minimalist like version 1.75 but is not yet a fully fledged antivirus, to be used alone.

So, they try to push this "compatibility" thing, claiming that Malwarebytes was designed to be compatible with all other anti-viruses (maybe this was a valid statement for version 1.75).

Now, the anti-viruses are increasingly complex and they cover basically all aspects of malware fighting and there is nothing left for Malwarebytes to "detect"

Kaspersky by itself is a "monster", with 100% detection on all possible tests. What do you hope to accomplish running Malwarebytes on top of it????


@selma Hello Lock, please refrain from striking up this discussion yet again as we are trying to assist this user with an issue.  You have every right to your own opinion, but not to hijack and derail the topics of others so please take up this discussion elsewhere in your own thread.

@Davidtoo I found this thread on the KIS forums that seems to be regarding a similar issue.  Per the info in that thread, can you please test to see if disabling the Safe Money feature in Kaspersky eliminates the warnings/blocks?  I don't know if this is the same situation in your case, however I would like to know if it is so that I may document it for the Developers.

Thanks

On 2/21/2019 at 6:43 PM, lmacri said:

...The exclusions listed in the Malwarebytes support article Malwarebytes for Windows Antivirus Exclusions List notes that MBAMService.exe must be able to contact the domains keystone.mwbsys.com and sirius.mwbsys.com, and I'm wondering if Kaspersky's firewall (or perhaps some sort of built-in web browsing protection) is blocking MBAMService.exe when it tries to access Malwarebytes' backend servers to perform background checks for product updates, etc.

 

1 hour ago, exile360 said:

... I found this thread on the KIS forums that seems to be regarding a similar issue.  Per the info in that thread, can you please test to see if disabling the Safe Money feature in Kaspersky eliminates the warnings/blocks?...

Hi Davidtoo:

Further to exile360's comment, if disabling Kaspersky Safe Money solves the problem, one other test you can try is to leave Kaspersky Safe Money enabled but disable the Web Protection module in Malwarebytes Premium.  I've seen Malwarebytes Web Protection cause similar conflicts and server connection problems with my Norton security software - see my thread MB v3.2.2 Web Protection Still Blocks Norton Automatic LiveUpdates.  I have a lifetime (perpetual) license for Malwarebytes Premium but I've deactivated my MB Premium license and am currently using Malwarebytes Free as an on-demand manual scanner because of these conflicts.

One other possibility is a conflict with Kaspersky's Advanced Disinfection Technology. You might want to look at Malwarebytes employee dcollins' post # 16 in danielfcoelho's September 2018 thread MBAM Issues with Kaspersky.  This Kaspersky user was seeing similar blocks for MBAMService.exe (according to Google Translate, the translation for the Portuguese phrase "a ativadade suspeita foi bloqueda / ler memoria de outros processos" is "Suspicious activity was blocked / Read memory from other processes") and dcollins stated:

Quote

"Do you have the Advanced Disinfection Technology disabled in Kaspersky as mentioned above? This is known to cause this issue and there is workaround other than disabling that option."

----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365


Davidtoo

I read your list of Exclusions and note that you have all of the Malwarebytes executables (.exe files) listed under Exclusions. Have you tried listing those files under "Trusted Applications" as discussed in Posts 4 and 5, above?
