WARNING: numerous issues with MBAM 3.7.1 premium or premium trial in 1903

[exile360]

Thanks, that makes sense as Ransomware Protection is by far the most likely to cause performance issues since it monitors all process activity in memory in real-time along with disk activity to watch for ransomware behavior.  All the other modules work in a more proactive/preventative way to guard against threats from getting into the system to begin with and tend to be far less invasive/resource intensive.

[Maurice Naggar]

Hi  @alQamar

Hi,
After reviewing the support tool report, which was run on May 5, I would suggest the following things to be considered for follow-up action.

[ A ]
Windows 10 shows to be on build 18362
You want to be on Build 18362.86
This is the Windows 10 May 2019 Update.
Do a Windows Update run.
Invest the time to get all up to date.

[ B ]
I further suggest these adjustments on Malwarebytes for Windows.
I mentioned this one before but it was not applied on this box.

 Start Malwarebytes.   Click Settings.   Click the Application tab.

Scroll down to the section "Impact of Scans on System".

Click the choice "Lower the priority of manual scans to improve multitasking".

[ C ]
Windows Defender is reported to be disabled.   This means a revisit to this set of hints.
Start Malwarebytes.   Click Settings.   Click the Application tab.
Scroll down to Windows Action Center.
Click the line for "Never register Malwarebytes in the Windows Action Center".
When done, close the window.

My next suggestion is to double check Windows 10 "Windows Security".
Click on Open Windows Security.  Double check that Windows Defender is ON.

[ D ]
The scheduled Scan task is showing to be set to 02:41:57   AM      ( effectively pushing it to or very near  the load-startup time for Windows
Please, lets set that to a more realistic time of day.    Whatever is the most frequently normal start time of the work day, lets add say 40 minutes to that. take that value and plug that in as the Scheduled Scan start time.   The theory is to pad it with enough time that the program scheduler has decent enough time to be up, before  the set start for scan.

Let us know what time of day you selected.

 

[alQamar]

@LiquidTension we have reached a safe / thoroughly tested point now.

 

Quote

observed issues:
- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

- Defender will be disabled as soon MBAM 3.7.1 is installed and either Premium Trial or Premium trial is enabled 
This behaviour is by design. However: if the MBAM Premium Trial ends after 14 days: MBAM will remain the default AV and you CANNOT enable Defender without uninstalling MBAM! There is no button in Security Center to take over Defender as Default AV solution.

all these issues are reproducible on 2 machines (at least) running 1903 18362.86

- as soon Ransomware realtime protection is enabled

- all issues are gone in case of Ransomware realtime protection got disabled, or equivalently using the free version without RT protections or uninstall Malwarebytes 3.7.x.

- neither the KB patch KB4497093, nor the current available MBAM version b3-setup-consumer-3.7.1.2839-1.0.586-1.0.10464.exe has brought any difference to the quoted issues.

 

 

mbst-grab-results_i7-7700K.zip mbst-grab-results_i5-9600K.zip

[alQamar]

Hi Maurice, thanks for your help!

[A] there are no new updates available

 to be honest I cannot be bothered to alter default settings in MBAM. It should work in default settings as designed. The current update fixed some of the issues but not yet entirely. See [C]

[C] This is a mix of MBAM issue and Windows bug. As soon you disable Web Protection you are able to enable Defender. However as soon Web Protection is enabled you cannot enable Defender as the button is missing in GUI and periodic scans will be disabled after reboot. This is not intended. 
Defender should be enabled by default as soon Web Protection is disabled. Currently it is only enabled manually or when uninstalling MBAM. This may leave customers without an AV protection in few scenarios.

[D] I have already deleted all scheduled scans (one was default) on both machines, with no effect

 

 

[alQamar]

[ B ] without spaces converted to bold text. Pardon. Is there no way to edit posts?

[Porthos]

I have made it a habit for a long time to change the setting of MB to never register in Windows 10 for all my client installs. I personally think the install should switch to that setting on all Win 10 computers by default. I have always believed in having both fully active.

I have 1903 18362.86 on several machines now and with the above settings, there are ZERO issues. These have been all upgrades (ISO method) from 1809 so far.

 

[Maurice Naggar]

Same sentiments, views, and experience as Porthos.

 

@alQamar

It is quiet sad to read of your  not applying the tips.   They are known to help.

And as to the Windows Defender status, as previously mentioned, it does take some efforts in Windows Settings.   If only you drill thru all the options .

Settings >> Update & Security >> Windows Security >> Open Windows Security

 

p.s. I have never seen the status of Windows Defender ( in WIN10)  to have anything to do with the web protection.

What I have been trying to convey to you is that the Windows 10 Windows Defender status can all be reset properly back to on thru Windows Settings.

Edited May 8, 2019 by Maurice Naggar

[Porthos]

49 minutes ago, Maurice Naggar said:

It is quiet sad to read of your  not applying the tips.   They are known to help.

 

1 hour ago, alQamar said:

to be honest I cannot be bothered to alter default settings in MBAM. It should work in default settings as designed.

He is correct, It just should work. The average user of the program should not have to find workarounds. I do understand until 1903 is out to the public it seems not to be a high priority to fix or change the program to not ever register by default on Windows 10 period.

[alQamar]

Maurice, I am not ignoring your advice and expertise, but as Porthos said it should work fine by default.

If you like we can have a remote session via Teamviewer to demonstrate the issue with Security Center, Liquidtension is invited to join.
Please know that these are unrelated to the performance issues.

I have to outline that this is exclusive to 1903 and I just to make sure there will be no horrific impact on release. 1809 does not need any changes off the default and work fine with MBAM 3.6.x and 3.7.x. It may be it is a issue that is not widespread, however I would not have spent so much time with this if it was a local issue on one machine. 

I would like to wait for @LiquidTension analysis of the logfiles and see what's next. 

[alQamar]

 

Please let me know if this setting remains enabled with 1903 and web protection enabled after a reboot

Disable web protection and experience the difference in behaviour on your own. alternatively as proposed we can have an appointment and live demo on my rigs.

[alQamar]

ok good news, the security center issues seems to be fixed in current state as of mb3-setup-consumer-3.7.1.2839-1.0.586-1.0.10464.exe .
Sorry I was focused so much on the performance impacts and did not review this part before posting.

With default settings in MBAM it is now possible to enable defender in the settings above and it will remain enabled after reboot, not matter if web protection is enabled or disabled.

Enabling or disabling will no longer enable or disable Defender. I will test it on other devices tomorrow.

If this is reproducible then it got fixed with the latest release - Liquidtension confirmed the wrong behaviour in post #17 - we can focus on the performance issues on my system with the ransomware protection.

[Maurice Naggar]

Glad to read that you have Windows Defender back on.    Bravo.

Let me just reduce the tips to just 2.   This only takes a very few minutes.

 

[ 1 ]
I further suggest these adjustments on Malwarebytes for Windows.
I mentioned this one before but it was not applied on this box.

 Start Malwarebytes.   Click Settings.   Click the Application tab.

Scroll down to the section "Impact of Scans on System".

Click the choice "Lower the priority of manual scans to improve multitasking".

 

[ 2 ]
The scheduled Scan task was showing to be set to 02:41:57   AM      ( effectively pushing it to or very near  the load-startup time for Windows

I understand from your later notes, you said you deleted the scheduled scan task.

Please, lets set that to a more realistic time of day.    Whatever is the most frequently normal start time of the work day, lets add say 40 minutes to that. take that value and plug that in as the Scheduled Scan start time.   The theory is to pad it with enough time that the program scheduler has decent enough time to be up, before  the set start for scan.

Let us know what time of day you selected.

 

Not to spook anyone, But Windows 10 May 2019 update is available for anyone thru just a manual Windows Update check.

running fine on my box.

 

Edited May 8, 2019 by Maurice Naggar

[dagar74]

Since there may not be too many people running Windows 10 version 1903, I installed Malwarebytes on my test machine that was clean installed to 18362.53 via an ISO from UUP Dump and then updated to 18362.86 via Windows Update to provide some additional experiences. I did use the settings recommended by Maurice Naggar in post 27, above, and there are no performance problems or Window Security Issues on this machine. Defender works fine and was enabled as soon as I selected Never Register Malwarebytes in the Action Center.

[alQamar]

again I have reason to not alter the settings Maurice. They should work well as default. I will setup a scan to a different time as suggested. now that I can pinpoint that the issue of slow startup is not due to the scan but Ransomware protection I am happy with that - restoring a default setting. 

About the lag and freezes on the other we will investigate a possible relation to Acronis True Image 2019 Ransomware, means we disable ATIH Ransonware and fully enable MBAM.
Again, there were no such issues - in default settings - in 1809 on all affected machines, and I hope that @LiquidTension is able to either get something out of the logs.

I would like to reinforce that a remote session via Teamviewer is still a way to demonstrate the remaining issues live.

[LiquidTension]

Thanks for the information.

Regarding the performance issues - this isn't something we've able to reproduce (with programs such as Acronis True Image) and is most likely the result of interaction between the Ransomware Protection module in Malwarebytes and the specific configuration of one or more third-party programs installed on your affected computers. 

Can you perform a clean boot, but leave Malwarebytes Service enabled.
After the reboot, ensure Ransomware Protection is enabled and check if you still encounter the lag/freezing.

https://support.microsoft.com/en-gb/help/929135/how-to-perform-a-clean-boot-in-windows

[alQamar]

please delete #26 - still cannot edit posts. mixed up A and B 

 

As this thread has gotten long:

We have 2 sets of remaining issues 

( a ) PC 1 (i7 7700k)

- your system may take a lot of time for proceeding boot and startup process after login screen has been confirmed

- your system may be unresponsive in the login screen

 

( b ) PC 2 (i5 9600k)

- your system may get entirely inresponsive during normal workloads

- start screen (start menu), systray, mouse may become unresponsive or lag

- screen may get black for some minutes and then all inputs and commands will be stacked and excuted later after the freeze

 

@Maurice Naggar I do not want you to think I am stubborn, I have followed all suggestions but they did not help on both machines.

 

lowering priority has no impact on startup performance ( a ) not registering with the security center (an issue that I marked solved with the latest MBAM version) did not help with ( a ), too.

I also tried clean boot -and so far can only say that this does not solve the startup performance / logon issues* ( a ) @LiquidTension - the only measure is to disable ransomware protection. *of course logon got a bit faster due lesser startup processes but the remaining ones loaded up slow.

Also I can say that disabling ATIH Ransomware Protection had no effect on ( a ) and ( b )

Wy wife ( b ) has recorded a video of this the issue that I could provide for demonstration as her's is not so easy to reproduce and affects her several times a day.
While my issue ( a ) can be reproduced on every startup.

I am still confident that this is not a local issue. The fact that clean boot will not help reinforces this, imho.

Quite sure this may also affect - an unknown number - of other users when 1903 is released and I personally do not think that reinstalling Windows is a solution when everything else works fine as soon ransomware protection is disabled or MBAM is uninstalled. My goal is to find a solution for me and to avoid struggles that might decrease the good reputation of this otherwise well working MBAM application. 

We checked that during the affected periods of time no scheduled scan have been running. 
 

Next steps:

for setup msconfig to clean boot except mbam
enable all mbam RTP services
leaving the changes (low prio) as proposed by Maurice

anything else we could do? How to provide the video? Onedrive is okay?

[alQamar]

next steps refer to system / issue complex ( b )

[Porthos]

2 hours ago, alQamar said:

still cannot edit posts.

Without going into a long story, It takes MANY posts till you will be able to edit.

[alQamar]

next steps refer to system / issue complex ( b )

Thank you @Porthos.

 

@LiquidTension results of clean boot in case ( b ). It is a bit better but not solved. Means the slowdowns still appear often but not that drastic and long, and the PC recovers faster from these phases.

I can just reinforce my invitation to make an appointment and to have a look remote on the systems.
If Microsoft suggested clean boot does not solve it but MBAM ransonware realtime disabling does, i clearly find it complicated to blame anything else but the protection to cause it. 
If we cannot find a solution, I guess I'll go on without MBAM premium.

[exile360]

10 minutes ago, alQamar said:

If we cannot find a solution, I guess I'll go on without MBAM premium.

You'd be much better off just keeping the individual Ransomware Protection component disabled than doing without Malwarebytes Premium completely as its other layers of protection are well worth it, especially since they tend to be far more proactive than that particular module anyway (the Ransomware Protection component literally sits in memory watching for ransomware activity in memory and on disk for ransomware that has already gotten through and infected your system and is attempting to encrypt your data; the other modules tend to render it moot since they more proactively prevent infection in the first place, especially since most ransomware uses some kind of exploit to get the ransomware payload onto systems in the first place so Exploit Protection is a far more effective tool in preventing ransomware than the Ransomware Protection component).  This is actually how I run Malwarebytes on my own system only because I don't like the performance degradation from Ransomware Protection and don't see the need for it with the other modules active.  I have Ransomware Protection disabled and have Malwarebytes configured not to notify me about real-time protection components being disabled to avoid the unnecessary alerts about it:

[LiquidTension]

On 5/11/2019 at 11:38 PM, alQamar said:

next steps refer to system / issue complex ( b )

Thank you @Porthos.

 

@LiquidTension results of clean boot in case ( b ). It is a bit better but not solved. Means the slowdowns still appear often but not that drastic and long, and the PC recovers faster from these phases.

I can just reinforce my invitation to make an appointment and to have a look remote on the systems.
If Microsoft suggested clean boot does not solve it but MBAM ransonware realtime disabling does, i clearly find it complicated to blame anything else but the protection to cause it. 
If we cannot find a solution, I guess I'll go on without MBAM premium.

Thank you for the information and remote session offer. We are still investigating, but have so far been unable to reproduce the various performance issues you've mentioned.

I'll message you in private to discuss the remote session.

[pbcopter]

Hi,

I am facing this same issue and I have resorted to just turning off Ransomware protection.

I first discovered the slowdown when using an portable application called Autoruns from Microsoft.

If Ransomware protection is on, the Autoruns populates very slowly.  Turn it off and everything returns to normal.

Other issues occurred as well with Explorer which have stopped when Ransomware protection is turned off.

[alQamar]

Hi everyone,

due to other inconsistencies (in feedback hub) of my Windows 10 system ( a ), I have refreshed Windows 10 completely.
The slow startup / logon issues are now better, now that I restored the system to a near similar state after the reinstall. In summary I still see that MBAM is slowing the system. 

For the other system ( b ) and there have been no improvements yet and we even saw the issues of slowness and freezes even with ransomware disabled - but the system will recover much better. So nothing changed till post #44.

It is a pity that the whole thing is quite complex and not to be reproduced for anyone. I proposed my wife to refresh her Windows 10 aswell but she declined as there are no other issues without MBAM. I will contact LiquidTension for further diagnosis and would like say thanks for anyone involved and trying to help so far. Please forgive me if it seemed that I was to ignore the suggestions made. I did not, just wanted to make sure that the product will work as intended with default settings.
 

[alQamar]

Hi the issues with Security Center could be respawned on 18632.116. I will upload a video.