Jump to content
kramdish

Malwarebytes Service stopped working when performing scan

Recommended Posts

Hello, good afternoon, 

We have 5 licences for Malwarebytes Endpoint Protection Cloud, but have issues with one computer. It's a VM Player server running Windows Server 2008. I can install the agent without problem and scan specific folders. However, if I run the Threat scan from the computer or create the task from control center, the scan will start and fail after 30 seconds of so. A Microsoft Windows window shows up saying that "Malwarebytes Service stopped working". 

The computer is running Malwarebytes versión 3.5.1.2523 although I have created several tasks to update it but it stays the same. Strangely, I have computers running 3.6.1 and 3.7.1. Why would it stay on 3.5.1?

Please find attached 2 screeshots with the appcrash details and the logs created using Malwarebytes Support Tool 1.3.2.

 

I appreciate your help.

IMG_4239.JPG

IMG_4240.JPG

mbst-grab-results.zip

Share this post


Link to post
Share on other sites

2008 and 2008 R2 are not supported by the 3.6 engine, they'll need to stay at 3.5.

From the Cloud Admin Guide - https://www.malwarebytes.com/pdf/guides/MBQSG.pdf
Windows Server 2008 R2 SP1‡§, 2008 SP2 ‡§, 2008§
‡ Microsoft patch KB4019276 must also be installed and enabled
§ As of July 2018, development has halted for Endpoint Clients using this operating system

Share this post


Link to post
Share on other sites
2 minutes ago, djacobson said:

2008 and 2008 R2 are not supported by the 3.6 engine, they'll need to stay at 3.5.

From the Cloud Admin Guide - https://www.malwarebytes.com/pdf/guides/MBQSG.pdf
Windows Server 2008 R2 SP1‡§, 2008 SP2 ‡§, 2008§
‡ Microsoft patch KB4019276 must also be installed and enabled
§ As of July 2018, development has halted for Endpoint Clients using this operating system

Hmmm that's troublesome. If it were Windows Server 64 bit, would it still be able to upgrade further than 3.5?

 

Anyway, what worries me the most is the fact that I can't perform a full threat scan without Malwarebytes Service failing. Could it be that it doesn't work if it's missing update KB4019276? Because it does have Net Framework 4.5.2 installed.

 

Thank you.

Share this post


Link to post
Share on other sites

I know for sure 2008 R2 64 bit is supported so far to our latest 3.7.1 - I have this setup in my test environment, unfortunately I do not have a 2008 non-R2 example to try. I'll need to ask about that 2008 64.

The KB listed is for TLS 1.1/1.2 communication. Failing on a scan can be a variety of things. If you right click on the M icon in the system tray, you can generate logs for us to review the situation.

A workaround for the short term would be to use the "MALWAREBYTES BREACH REMEDIATION (VERSION 2.X)" found under Endpoints \ Add Endpoints \ Dissolvable Unmanaged Remediation Tool, to scan the machine.

Share this post


Link to post
Share on other sites
21 minutes ago, djacobson said:

I know for sure 2008 R2 64 bit is supported so far to our latest 3.7.1 - I have this setup in my test environment, unfortunately I do not have a 2008 non-R2 example to try. I'll need to ask about that 2008 64.

The KB listed is for TLS 1.1/1.2 communication. Failing on a scan can be a variety of things. If you right click on the M icon in the system tray, you can generate logs for us to review the situation.

A workaround for the short term would be to use the "MALWAREBYTES BREACH REMEDIATION (VERSION 2.X)" found under Endpoints \ Add Endpoints \ Dissolvable Unmanaged Remediation Tool, to scan the machine.

Hmm so I don't need to check if the KB listed is installed, the issue is not related to TLS 1.1/1.2.

 

If I right-click the M icon in the system trya, I can only start a new scan. That's why I used the Malwarebytes Support tool to generate the logs, that I uploaded with the name mbst-grab-results.zip. Is that enough?

 

Ok, I'll try the workaround solution, but I still need to find a solution for the issue at hand.

Best regards

Share this post


Link to post
Share on other sites

Please disable self-protection early start (you do not seem to be fighting an infection that targets MB) and turn off having anti-rootkit scan on for all scans. ARK scans are best done scheduled to run on their own.

Share this post


Link to post
Share on other sites
2 hours ago, djacobson said:

I have not gotten a moment to go through them yet.

No worries, I was just making sure you knew I'd posted the logs.

 

1 hour ago, djacobson said:

Please disable self-protection early start (you do not seem to be fighting an infection that targets MB) and turn off having anti-rootkit scan on for all scans. ARK scans are best done scheduled to run on their own.

Ok, I have disabled self-protection early start.

 

Are you saying that anti-rootkit may be causing that Malwarebytes Services stops running? If so, do you have an idea of why it fails to scan on that server and not on the other computers?

In the meantime, I'll program a new scan without anti-rootkit and let you know the results.

Share this post


Link to post
Share on other sites

Hello, happy Sunday, 

 

I made the changes you suggested and I was able to fully scan the computer this time. Then, I enabled rootkit scan again and was still able to scan.

I don't know what the issue could have been, but at least it's scanning. However, I would like to try to find the cause of the problem, to avoid it happening again.

Best regards.

Share this post


Link to post
Share on other sites

Set anti-rootkit scans to be on a schedule on their own rather than engaging the setting to make them run with every scan you perform. Recognizing when to use that will come with experience in dealing with rootkits and knowing the signs of one being there. These scans are highly intensive and ideally should not be ran with other scanning functions, they can also at times crash your system, not just the application, due to the sensitive areas this function scans. This becomes even more sensitive if disk encryption is used. 

I think however, your true culprit may have been the SP early start. This is the old Chameleon function in an updated form. It sets MB stuff to be read only. Early start pushes that into the Windows loading process. Sometimes files need to change, even ours, we do update after all! This setting restricts this need and can have unintended consequences. I recommend this to only be used if you are dealing with malware that targets MB and nothing else - this was more common in the early 2010's, not so much anymore, but it could see a resurgence. Regular SP mode is fine to engage to prevent your users from deleting items.

Share this post


Link to post
Share on other sites

Good afternoon, 

 

I've set the daily schedule to not include rootkit scan and created a new weekly scan that only scans for rootkits, as suggested.

Thanks for your help!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.