Jump to content
slovokia

Very slow scans with newest Malwarebytes!

Recommended Posts

An older scan on the same computer completed in 12 minutes.

Scan Date: 2/3/19
Scan Time: 3:34 PM

Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.9102

Objects Scanned: 391197
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 12 min, 17 sec

Now the same scan on the same computer takes 53 minutes:

Scan Date: 3/17/19
Scan Time: 10:22 AM

Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9724

Objects Scanned: 390731
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 53 min, 11 sec

So your scan time has increased by more than a factor of 4. Attached are the exports of both logs.

Does anyone do performance testing / validation on new releases?

malwarebytesproblem.txt

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

Greetings,

Assuming these are the default Threat scans then it definitely shouldn't be taking that long, though if you haven't done so already, deleting your temp files etc. may help, either using the tools built into Windows and your web browser(s) such as Disk Cleanup and the options for deleting your temporary internet files/caches/history etc., or through a specialized tool such as CCleaner.

Other than that, sometimes the Research team does add new signatures to the database that may alter how Malwarebytes analyzes some files, resulting in higher resource usage and thus increased scan times overall, however on my own system I haven't noticed a great increase in scan times recently (still around 40~50 seconds total for a Threat scan, though I have a very fast SSD and a fast 4 core/8 thread CPU, all of which contribute to faster scan times).

With that said, it may also be a sign of a failing disk so backing up your data if you haven't done so recently might be a good idea (I noticed you have Macrium installed, so I'd recommend going ahead and creating an image backup of the system on a separate drive just in case this one fails at any point so that you don't lose anything).

Additionally, it would be a good idea to make sure that you have exclusions configured between your security products so that they don't interfere with one another.  The list of items to exclude in your AV for Malwarebytes can be found in this support article and instructions on excluding other programs from Malwarebytes can be found in this support article under the Exclude a File or Folder section.

If that still doesn't resolve the issue then it might be a good idea to try a clean install of Malwarebytes to see if that helps:

  1. Run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here

If the problem still persists, and if you suspect that the system may be infected with malware (which is also a possible cause, especially if you're seeing general performance issues, including with other software on the system) then you should follow the instructions in this topic and then create a new topic in the malware removal area including the requested logs and information by clicking here and one of our malware removal specialists will assist you in checking and cleaning the system as soon as one becomes available.

Hopefully that helps, and please let us know how it goes.

Thanks

Share this post


Link to post
Share on other sites

As to my SSD:

I can do a raw sequential read of the entire SSD at a constant rate of ~240 MB/sec via cygwin:

$ dd if=/dev/sdb of=/dev/null bs=256K
953900+1 records in
953900+1 records out
250059350016 bytes (250 GB, 233 GiB) copied, 1034.11 s, 242 MB/s
 

I'll try to run some random access tests next to see if anything is amiss. Assume the issue is slow speed when reading files the remaining variables are the windows 10 filesystem and Panda antivirus.

 

Share this post


Link to post
Share on other sites

Yes, Panda is a definite possibility.  If it is doing a simultaneous analysis of the objects being scanned by Malwarebytes during scans that could definitely slow things down.

Please let us know how it turns out.

Thanks

Share this post


Link to post
Share on other sites

Looks pretty fast to me :)

Yep, I suspect your hunch about Panda is correct.  What happens if you disable or uninstall it temporarily and then run your scan with Malwarebytes?  Does it improve?

If so, then it's also possible that Panda made some changes in a recent update that may be causing this, but hopefully exclusions will resolve it; if not then you may need to report it to them and hopefully they will be willing to investigate and correct the issue.

Share this post


Link to post
Share on other sites

With Panda Dome Antivirus disabled I get the following scan results:
Scan Date: 3/17/19
Scan Time: 6:56 PM

Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9724

Objects Scanned: 390805
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 53 min, 51 sec

So it's looking like the Window 10 filesystem is the only remaining alternative option at this point unless we don't trust Panda AV when it claims it is disabled.

 

MBlog2.txt

Share this post


Link to post
Share on other sites

Yes, many AV's keep drivers and services active even when protection is disabled so that they don't really stop monitoring, they just don't flag anything so I would suggest giving it a try with Panda removed if you don't mind just to make certain we've fully eliminated it as a possibility.

Share this post


Link to post
Share on other sites

O.K. Opened the Malwarebytes Support Tool and ran Clean and then reinstalled.

Got these results with Panda left on (this time rootkit scanning was not enabled):

Scan Date: 3/17/19
Scan Time: 8:28 PM

Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9726


Objects Scanned: 384410
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 44 min, 8 sec

Tomorrow I might try removing Panda and seeing what happens.

What might make sense is for Malwarebytes to instrument it's code so it would be easier to rule out some issues like: 

Is there a generic problem with file reading speed on the computer malwarebytes is running on?

If nothing else you could print out this number in the log files - that way folks will be able to judge whether something lower down in their environment has changed.

freshmbamnorootkitpandaon.txt

Share this post


Link to post
Share on other sites

That's a good idea.  They do have a lot of debugging stuff built into the code already, but I don't think they have anything measuring scan performance/issues like this, so if they could implement something like that it could definitely prove useful, especially since one of the things they pride themselves on is how fast the scan engine generally is.  I will suggest it to the Developers.

Share this post


Link to post
Share on other sites

I ran a Malwarebytes again with rootkit detection enabled after uninstalling Panda security. Windows Defender real time protection was disabled:

Scan Date: 3/17/19
Scan Time: 10:39 PM

Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9726


Objects Scanned: 389135
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 41 min, 30 sec

Some improvement but still almost 4 times slower than on 2/3/2019. At this point I think the ball is in Malwarebytes court. If you want I am willing to run more instrumented code if that would help.

freshmbamwrootkitpandauninstwdefenderoff.txt

Share this post


Link to post
Share on other sites

Yes, it could be some change they've made to the signatures.

There is something more we can try to see if it does provide any useful data for the Developers.  If you open Malwarebytes and navigate to Settings>Application and toggle the setting under Event Log Data to On and then perform another scan, that may provide more useful data for them.  Once the scan is done you may disable the option under Event Log Data again (you don't want to leave it on as those logs can get very large very quickly, wasting a lot of disk space).

Once that's done, go ahead and run the Support Tool again and provide the ZIP file it creates and it will contain all the new logs, including the Event Data Logs created by Malwarebytes.

Share this post


Link to post
Share on other sites

I am concerned with maintaining my privacy so I'll be examining the logs before posting anything more publicly here. 

 

Share this post


Link to post
Share on other sites
Posted (edited)
32 minutes ago, slovokia said:

I am concerned with maintaining my privacy so I'll be examining the logs before posting anything more publicly here. 

 

Let us get @LiquidTension to step in and you can PM the logs directly to him if you are concerned about privacy.

You also might also install the new component update package and rescan.

 

Edited by Porthos

Share this post


Link to post
Share on other sites
Posted (edited)
2 hours ago, slovokia said:

I am concerned with maintaining my privacy so I'll be examining the logs before posting anything more publicly here. 

 

Yep, that's fine, you can follow Porthos' instructions above if you wish, or if you prefer to do this via email with Support directly you may create a support ticket about this issue (just provide them with a brief description and a link to this thread for their reference) by filling out the form on the bottom of this page.

One more thing we might try is creating a Procmon log during a scan as that should show immense detail about what's going on with the various processes etc. on your system during the scan and may reveal what is causing the lag/slowness:

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MB3 Log in the File name: box and click Save
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Open Malwarebytes and perform a scan.
  • Once it completes, close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please upload Logs.zip file you just created to WeTransfer and provide Support or LiquidTension with the link

To upload the file to WeTransfer:

Open the WeTransfer.com website.

  • Click Add your files, navigate to your Desktop and double-click the zip on your desktop.
  • Click (...) and select the link radio button under Send as.
  • Click Transfer.
  • Copy the download link and paste into your support ticket or private message to LiquidTension. 
Edited by exile360

Share this post


Link to post
Share on other sites

O.K. Cannot promise how quickly I will get this done since I am busy with other things.

 

Share this post


Link to post
Share on other sites

5 minutes = 5.34 GB of procmon logs. Therefore the entire run will probably be on the order of 60GB.

Share this post


Link to post
Share on other sites

Yikes, well it would probably be best to just let it run for a few minutes, and maybe start it during the slowest part (which I assume is the longest filesystem object scan phase that makes up the bulk of the scan) then save it, compress it and upload it.  Also, if you use WinRAR that should be able to compress the file smaller than the built in ZIP utility in Windows (even if you still compress it into a ZIP file rather than RAR, especially if you select the 'Best' compression option).

Share this post


Link to post
Share on other sites

That's great, thanks.  Hopefully he'll be able to determine what might be going on and if not, he'll provide it to the Devs so that they may investigate the issue further but hopefully it's just a matter of some incompatible software or driver that needs updating to resolve it.

Share this post


Link to post
Share on other sites

Hi @slovokia,

Thanks for providing the data.

We recently made some changes to how files are queried against some of our internal systems during an online scan. To test, please could you try running the same scan whilst the machine is disconnected from the Internet and check what impact this has on the completion time.

Could you also try out latest components package version (1.0.563) please. Details here: https://forums.malwarebytes.com/topic/242280-ladies-and-gentlemen-mb371/?do=findComment&comment=1304385

-----

Please do the following as well:

  • Press the Windows Key + R on your keyboard at the same time. Type eventvwr.msc and click OK.
  • Expand Applications and Services Logs.
  • Expand Microsoft followed by Windows. Scroll down the list and expand CodeIntegrity.
  • Right-click Operational and click Save All Events As.... Name the file codeinteg and click OK.
  • Navigate to the location of the file. Right-click the file and click Send to followed by Compressed (zipped) folder.
  • Name the Zip file EventLogs.zip and send the file to me.

Share this post


Link to post
Share on other sites

O.K. not sure how soon I can get around to this - it may be a few days.

Share this post


Link to post
Share on other sites

Updated MB, Disabled Ethernet interface, Ran scan.

Objects Scanned: 389523
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 35 min, 35 sec

Will PM detailed logs. Most of the time Malwarebytes was only using a single core of my 4 core processor. The SSD utilization was low for much of the time as well. Clearly the process is CPU bound and is not making good use of multithreading to use more processor cores. I'd suggest instrumenting your code to log the following:

How long does it take to read all the entries in a directory.

How long does it take to do each read of a given file.

How long does it take to scan the data once you have read it.

How long are you blocking for network I/O.

With better instrumentation you will not be guessing as to what the problem is - instead you will be able to zero in to the areas that are causing the problem.

mbamnointwindefdisabled.txt

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.