WARNING: numerous issues with MBAM 3.7.1 premium or premium trial in 1903

[alQamar]

hi all,

I'd like to give out a usage warning for Malwarebytes 3.7.1 in companion with Windows 10 1903 (Release Preview) 18362.52

following issues have been observed for some weeks now during 1903 was in insider fast / release preview now.
There have been cross test on same hardware (Dualboot) without MBAM, that did not show the issues and they are reproducible gone after running mb-clean-3.1.0.1035.exe

affected products:
Malwarebytes 3.7.1
Windows 10 1903 (Release Preview) 18362.52

observed issues:
- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

- Security Center may report a warning about Malwarebytes that cannot be confirmed

- Security Center may go through different states of being OK (Defender enabled, then MBAM services will disable it, leading to the status above)

- Defender will be disabled as soon MBAM 3.7.1 is installed and either Premium Trial or Premium trial is enabled 
This behaviour is by design. However: if the MBAM Premium Trial ends after 14 days: MBAM will remain the default AV and you CANNOT enable Defender without uninstalling MBAM! There is no button in Security Center to take over Defender as Default AV solution.

- Enabling Defender periodic scan can be enabled in Security Center but will be disabled after restart or shutdown, so Defender is completely disabled

So far I've been able to reproduce this on 3 systems being in release preview. I've the last weeks I've tried to flag this at MSFT Insider Team, but since the uninstall solve the issue I guess it is malfunction or wrong implementation with the AV handling of MBAM in 1903 in Security Center. 
 

workaround:
uninstall MBAM, as disabling RT protections will not solve that Defender is disabled and periodic Defender scans get disabled, too.

 

If you are affected: 

please check the Feedback hub and comment / upvote
https://aka.ms/AA4w44t
https://aka.ms/AA4wmhs
 

 

mb-clean-results.txt mb-clean-results2.txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[LiquidTension]

Thanks for the information, alQamar. Whilst 1903 is a preview build and issues are to be expected, we're still interested in learning more about what you've experienced given how close to release this version of Windows 10 is.
 

1 hour ago, alQamar said:

- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

Are these issues only seen when the Malwarebytes license state is trial or premium?

You mentioned trial expired/free in one of the points. When Malwarebytes is no longer in trial/premium mode, do the issues quoted above no longer occur?
 

Quote

- Defender will be disabled as soon MBAM 3.7.1 is installed and either Premium Trial or Premium trial is enabled 
This behaviour is by design

If no other security product is registered in the Security Centre, this is not expected behaviour. When Malwarebytes is running in trial/premium mode, the default setting is for the program not to register in the Security Centre providing no other third-party program is registered.

If you experience this behaviour again, please run the Malwarebytes Support Tool immediately after (refer to post #2) so we can take a closer look.
 

Quote

However: if the MBAM Premium Trial ends after 14 days: MBAM will remain the default AV

It's expected for Malwarebytes to remain registered in the Security Center for a few days after reverting to trial expired/free. However, it's not expected for Malwarebytes to register in the first place if Windows Defender is the only installed security product and the Malwarebytes settings are left as default.

To confirm, you left the following setting as default?

Edited April 25, 2019 by LiquidTension

[alQamar]

Hi @LiquidTension I am pleased to meet you again. I've seen this setting and it was set like in your screenshot. However it could need a renaming.

 Windows Action Center - in my head - relates more to "Notification Center" than Microsoft Security Center in Windows 10, which it is named now for while. Do you see my point?

to your questions:

 

Quote

Are these issues only seen when the Malwarebytes license state is trial or premium?

You mentioned trial expired/free in one of the points. When Malwarebytes is no longer in trial/premium mode, do the issues quoted above no longer occur?

To be honest I cannot tell if the performance issues will be gone as soon the premium trial is expired because all machines tested have a premium subcription active. I could think of that a certain module is causing the performance troubles - you'll certainly remember the Win7 incident some months ago.
At least in Premium (trial) the issues will be reproducible for me. On all machines there is full Spectre / Spectre NG protection enabled and Retpoline. This includes one setting is not enabled in 1903 by default such as SSBD
 

This is the output from SpeculationControlSettings on all affected systems
 

BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : True
BTIDisabledBySystemPolicy           : False
BTIDisabledByNoHardwareSupport      : False
BTIKernelRetpolineEnabled           : False
BTIKernelImportOptimizationEnabled  : True
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : True
KVAShadowPcidEnabled                : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : True
L1TFHardwareVulnerable              : True
L1TFWindowsSupportPresent           : True
L1TFWindowsSupportEnabled           : True
L1TFInvalidPteBit                   : 45
L1DFlushSupported                   : True

 

 

The logon issues were reproducible on my computer, whilst the temporary freezes affected only the other one (both are very new machines).

 

Quote

If no other security product is registered in the Security Centre, this is not expected behaviour. When Malwarebytes is running in trial/premium mode, the default setting is for the program not to register in the Security Centre providing no other third-party program is registered.

If you experience this behaviour again, please run the Malwarebytes Support Tool immediately after (refer to post #2) so we can take a closer look.

It's expected for Malwarebytes to remain registered in the Security Center for a few days after reverting to trial expired/free. However, it's not expected for Malwarebytes to register in the first place if Windows Defender is the only installed security product and the Malwarebytes settings are left as default.

Unfortunately this is no longer the case in 1903, but it is / was the case in 1809. The issues in this context are easily reproducible.

If you can install a 1903 and install MBAM I think you will get a sufficient picture of the misbehaviour. MSFT team said it is ok that is registering per default. I am also ok with it - but it should not happen that an expiration of trial premium will leave the customer unprotected. 

Also it is not expected that the option to setup sporadic scans for Defender will turn off.
The issue that the Security Center does not show up a button to re-enable Defender is supposingly a Windows releated.

Hopefully I will able to proceed with further steps and the tool as in post #2 on Tuesday or earlier. I also consider to stop my Acronis Backups weekly so we can revert to the state before the uninstalls today. 

[Maurice Naggar]

Hi @alQamar

I am running the same O.S.   I am writing to suggest a couple of tweaks that you should consider.  Just to be clear up front, I am not seeing the issues described above.

But first, the Windows Action Center section in Malwarebytes  ( on Windows 10 pc) does indeed relate to the Windows 10 "Windows Security".

I am running Malwarebytes Premium & the 19H1 May 2019 Windows 10  ( build 18362.53 )
Malwarebytes does not turn off Windows defender.
Matter of fact, there is a provision that can be used in the program so that Malwabytes is not taken by Windows as a alternate antivirus.
Start Malwarebytes.   Click Settings.   Click the Application tab.
Scroll down to Windows Action Center.
Click the line for "Never register Malwarebytes in the Windows Action Center".
When done, close the window.

My next suggestion is to double check Windows 10 "Windows Security".
Click on Open Windows Security.  Double check that Windows Defender is ON.

 

One other suggestion, about the "" startup process after login screen has been confirmed "".

You want to re-check in your Premium Malwarebytes, the setting for the Start time of the scheduled auto-scan task in Malwarebytes.

You do not want to have it set for 2 AM.    But rather for a more realistic time when your Windows has been logged-into & up and running, with an additional pad of added time so that the Malwarebytes scheduler has had time to kick in.  Point being, be sure the auto scan is not a task that kicks ON just at near the time Windows is loaded up.

 

One other tip, you may also benefit from this next tweak.

Start Malwarebytes.   Click Settings.   Click the Application tab.

Scroll down to the section "Impact of Scans on System".

Click the choice "Lower the priority of manual scans to improve multitasking".

 

Cheers,

 

 

 

[Porthos]

 

 

I can confirm that when MB is installed on 1903 it will turn off Defender until the never register function is ticked in MB and a few seconds Defender will come back on. I will get logs when I do one again.

[exile360]

25 minutes ago, Porthos said:

I can confirm that when MB is installed on 1903 it will turn off Defender until the never register function is ticked in MB and a few seconds Defender will come back on. I will get logs when I do one again.

I recall Malwarebytes had the same issue a while back with an earlier Windows 10 build that was later fixed.  I assume that this issue will be addressed by the time the new build goes RTM assuming MS doesn't address whatever change was made on their end if they had a hand in the issue.  Hopefully the logs will provide whatever info the Devs might need to fix it if necessary.  I just hope it's not something silly like Defender detecting that Malwarebytes is being installed and automatically turning it off on their end regardless of the setting in Malwarebytes/the installer.

[Porthos]

3 hours ago, Porthos said:

I can confirm that when MB is installed on 1903 it will turn off Defender until the never register function is ticked in MB and a few seconds Defender will come back on. I will get logs when I do one again.

 

Ok, Loaded another one and same results. Attached logs from before and after a restart. (same results.) Also a note, 1903 has been released on MSDN. So good chance that only CU's will be the only changes between now and consumer release.

After the trial was ended, Defender went back to normal and active.

@LiquidTension

 

. 

mbst-grab-results after restart.zip mbst-grab-results.zip

Edited April 26, 2019 by Porthos

[Maurice Naggar]

@Porthos

Thank you for your notes.   Just to add some info on my setup, I have for a long time had the never register selection in MB3.   I have also not had the need to install MB3 as a new install, since it has been installed all along, and am running 1903 / 19H1  on live metal  / resident OS.

[Porthos]

1 hour ago, Maurice Naggar said:

Just to add some info on my setup, I have for a long time had the never register selection in MB3.   I have also not had the need to install MB3 as a new install, since it has been installed all along, and am running 1903 / 19H1  on live metal  / resident OS.

I too have always used never register on my own computers and any I set up for clients. I personally have no issues and never have and I am using 1903 upgraded from 1809.

The above tests were done just to see how a default install would act on 1903 and to give feedback about the default install.

[alQamar]

There has been an update for MBAM 3.7.1 to build 2839, any chance this may contain a fix?

@LiquidTension I've also had a customer that was reporting startup issues and freezes (same to the W7 problems) which also disappeared after mbam clean.

He was running W10 1809 (May CU) and 3.7.1 premium.

[alQamar]

Quote

 

One other suggestion, about the "" startup process after login screen has been confirmed "".

You want to re-check in your Premium Malwarebytes, the setting for the Start time of the scheduled auto-scan task in Malwarebytes.

 

Hi thanks for all the suggestions. I am reporting on default settings and they should work as intended without user interaction. 

The startup / logon issues are reproducible with every reboot so I might want to exlcude that a scheduled scan is the reason, also there is no indication in Taskmanager.

[Maurice Naggar]

It is always a good idea to Update Malwarebytes to the latest version or component update.
Start Malwarebytes.
Click Settings.  Click on the Application tab.
Click on the button Install Application Updates.

Watch as it updates.   Then click the about tab.
See that it shows Component Update 1.0.586

As to the Scheduled Scan task.   Take an inventory of each machine.
See what Start time is shown.
Click Scan Schedule tab.
See what Time of day is selected as the start time for the scan.

[alQamar]

Maurice, I am familiar with the process, thanks for taking your time to explain it.

 

Quote

@LiquidTension I've also had a customer that was reporting startup issues and freezes (same to the W7 problems) which also disappeared after mbam clean.

He was running W10 1809 (May CU) and 3.7.1 premium.

This is a false alert. We have identified the GPU to be the issue at the end. 

 

The issues from the original post are not hardware related though. @LiquidTension which logs may you need for further investigations?

 

[alQamar]

I would need to reinstall MBAM on all affected machines and allow log collection with the support tool. However before I do so I would like to receive an answer if the issues could be fixed in the latest release see #11

[exile360]

Here's the official changelog from build 2839 if that helps at all:

Malwarebytes 3.7.1.2839

Performance/protective capability
•   Improved detection and remediation

Usability
•   Removed default monthly Scheduled Scan in Free mode 
•   Updated the installer to allow installation to standalone Business mode when certain conditions are met

Stability/issues fixed
•   Fixed BSOD involving farflt.sys
•   Fixed issue with exclusion involving short filenames 
•   Fixed issue where Real-Time Protection did not enable properly
•   Addressed other miscellaneous defects

[LiquidTension]

Thanks for all the feedback and information. We can reproduce the issue with Malwarebytes erroneously registering in the Windows Security Center when settings are left as default (along with other Security Center related issues, such as the non-actionable warning). This is being looked into further.

We have not been able to reproduce the performance-related issues mentioned in the first post and have not made any changes that are intended to specifically address this.

Quote

- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze 

To confirm, the above issues disappear when Malwarebytes has been uninstalled? Does disabling individual Real-Time Protection modules have any impact?

Would it be possible to run Malwarebytes Support Tool log gathering on each of the affected machines and provide the generated output?

[alQamar]

Hi @LiquidTension I haven't had the chance yet to reinstall MBAM and collect the logs also to try if it disabling RTP is solving it but I will try as soon as possible, sorry for the delay.

I am happy that you see the issues with Defender Security Center and MBAM trial / pro. For now all affected machines run very well with none of the previous issues since MBAM is uninstalled but of course I understand that you need logs. 

As a first step i will install Malwarebytes 3.7.1.2839 now on 2 previously affected machines. 

[alQamar]

Hi @LiquidTension on one of the computers the issue is back. The problem is that the whole system is so unresponsive (all that you do takes many seconds and will be executed) so that I find a hard time to launch mbam support tool. I am waiting for the explorer to open for 5 minutes now. 

noteably in Taskmanager (TM) is that the process "system interuption" is taking 50-60% of the CPU - we are speaking about  6 i5-8600K cores here.

There was no scan running. No process (like browsers were open later)

I've then used the mbam systray (not responding in TM) and disabled realtime protection one by one (took 3 more minutes till UAC popped up)  Web seems to be the first hit. So i suppose it is the webfilter causing this. see logs attached. I will leave web protection disabled. 

if it is web protection, I have to say that this seems to be the most picky feature since MBAM 3.7, I think it was also causing the Windows 7 freezes, wasn't it.

 

 

mbst-grab-results.zip

[alQamar]

Quote

- Security Center may report a warning about Malwarebytes that cannot be confirmed

- Security Center may go through different states of being OK (Defender enabled, then MBAM services will disable it, leading to the status above)

- Defender will be disabled as soon MBAM 3.7.1 is installed and either Premium Trial or Premium trial is enabled 
This behaviour is by design. However: if the MBAM Premium Trial ends after 14 days: MBAM will remain the default AV and you CANNOT enable Defender without uninstalling MBAM! There is no button in Security Center to take over Defender as Default AV solution.

- Enabling Defender periodic scan can be enabled in Security Center but will be disabled after restart or shutdown, so Defender is completely disabled

 

I can confirm following things to be fixed in mb3-setup-consumer-3.7.1.2839-1.0.586-1.0.10464.exe

- Security Center may report a warning about Malwarebytes that cannot be confirmed
- Security Center may go through different states of being OK (Defender enabled, then MBAM services will disable it, leading to the status above)

 

partly fixed (behaviour is as expected when realtime web protection is disabled, when realtime web protection is enabled the behaviour is the same as reported before):

- Defender will be disabled as soon MBAM 3.7.1 is installed and either Premium Trial or Premium trial is enabled 
This behaviour is by design. However: if the MBAM Premium Trial ends after 14 days: MBAM will remain the default AV and you CANNOT enable Defender without uninstalling MBAM! There is no button in Security Center to take over Defender as Default AV solution.

- Enabling Defender periodic scan can be enabled in Security Center but will be disabled after restart or shutdown, so Defender is completely disabled

[alQamar]

After finding out that the performance degradation is still reproducible in default settings I will now install the suggested Windows Update KB4497093 on both machines.
I will leave one machine as default (that causes the slow startup behaviour) and leave the other machine (that causes the reproduced system slow / freeze) with web protection disabled, but default settings in MBAM, too

[alQamar]

Quote

- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

Hi I can confirm that the slow logon issues are related to a scan that will be executed during "late boot time" via MBAM Service.

So with more thourough testing @Maurice Naggar was right, sorry.

@LiquidTension is it new that a scheduled scan will be executed later if the planned wasn't executed (likely never will with the default time)

There should be "wait x minutes after boot up" because the impact of a 9 minutes scan at boot / logon is drastic even with my high specs ! I've never seen this before.

---

Quote

- your system may be unresponsive in the login screen

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

Follow up to post #1 and #19 disabling Web Protection does not solve the issue. We found out that the issue happens more likely if you leave the PC alone for some minutes.
I do not see anything in TM except this what I've stated before. It took me 10 minutes to get the next real time feature off (exploit protection) I will continue this until either the issue is gone or all realtime protections are off.

workaround: press control alt delete > log off user (may take 5-10 minutes to be executed

I still wonder why the behaviour is not the same on all machines (she has the same OS but i5 9600k / me i7 7700k) - all same drivers and GPU.

[alQamar]

@LiquidTension this is a follow up for the following issues reported

Quote

 

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

 

 

over the past day we disabled one realtime protection by another, and finally when all RT protection were disabled the issue is gone.

Do you need additional logs?

[exile360]

What was the last protection component you disabled and what happens if you disable only that component and leave the others enabled?

[alQamar]

@exile360 we disabled top to down in systray / app , so last one was ransomware.

I will try to activate all others except ransomware and wait for results.