Slow DNS resolution with potential to completely free system

[pal1000]

Since I began testing MB4 I noticed one issue that can happen when Malwarebytes real time protection starts for the first time until Windows is rebooted. This may or may not happen. It's like a lottery. When it does happen it causes heavy delays to DNS resolution, without actually affecting network bandwidth. Also in this state 2 use scenarios can completely hang the system:

- Windows is shutdown with fast startup enabled. In this case Windows takes almost double time than usual on shutdown and completely hangs on next startup to black screen with mouse cursor that is unresponsive too,

- current user logs out. In this case Windows completely hangs to black screen before displaying the login screen.

As an extra, when this issue occurs Malware protection cannot be turned off and if it's attempted the UI can no longer be opened. It probably hangs too.

[LiquidTension]

Hello,

Thank you for reporting the issue. We haven't encountered any behaviour like this during testing.

Please could you provide troubleshooting logs so we can take a closer look:
https://support.malwarebytes.com/docs/DOC-2396

[pal1000]

Attached the logs. Some notes though:

- I chose to disable ransomware protection by weighting protection need for my attack surface with potential for even more bugs like ones that existed in the past and my ability to respond to such an attack;

- I also have Malwarebytes Anti-Exploit Beta 1.13.1.117. I chose to delay real time protection by 45s in Malwarebytes Anti-Malware to avoid the boot time race condition that can occur if both products are installed simultaneously.

mbst-grab-results.zip

[LiquidTension]

Thanks for providing the file and information.

Unfortunately, some of the logs are missing from the generated zip file. Could you also carry out the following instructions please: https://support.malwarebytes.com/docs/DOC-1318

[pal1000]

I think some logs were missing because I ran the support tool with this issue in effect so downloads timed out. Attached FRST logs.

I noticed some errors in Addition.txt that are more or less on the mark:

- Error: (10/15/2019 05:10:18 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

- Date: 2019-10-14 20:43:57.969
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Consequences of the issue

- Error: (10/14/2019 07:07:01 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Malwarebytes Service service did not shut down properly after receiving a preshutdown control.

- Error: (10/12/2019 09:53:40 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:31:59 PM on ‎10/‎12/‎2019 was unexpected.

 

 

FRST-Logs.zip

[LiquidTension]

Thanks for the logs. Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Does setting Malwarebytes Service to delayed start have any impact?

• Download mbamservice_delayed.reg using the link below:
  → https://malwarebytes.box.com/s/15jbt7tifcetlhcgmszzb6appbak56w4
• Right-click the Malwarebytes icon in your notification area.
• Click Quit Malwarebytes followed by Yes if prompted by User Account Control.
• Open your Downloads folder or location of the downloaded mbamservice_delayed.reg file.
• Double-click mbamservice_delayed.reg and click Run followed by Yes if prompted by User Account Control.
• Click Yes when prompted to continue.
• Click OK.
• Now please restart the machine

[pal1000]

6 hours ago, LiquidTension said:

Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

I only have 1 computer running MB4 which is also the only computer running an insider build even though I haven't enrolled this computer into Windows insider program.

6 hours ago, LiquidTension said:

Does setting Malwarebytes Service to delayed start have any impact?

No impact. I actually changed it to manual at some point and made no difference.

[pal1000]

6 hours ago, LiquidTension said:

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Disabling malware protection seams  to paradoxically help with slow DNS resolution. And disabling both malware and web protection is necessary to avoid hangs on logout and fast boots.

Currently I am using Windows Defender with Malwarebytes without real-time protection. I also use NoScript and Malwarebytes Browser Guard in Firefox.

[pal1000]

This still seam to happen with 4.0.4.49 CU 1.0.793. But I think I know how to reproduce more reliably now. Any of the following could do it:

- delay real time protection by 45s;

- apply Windows updates on a computer with CPU clock < 2GHz and with HDD instead of SSD, Malwarebytes naturally takes longer to start when Windows is patched;

I don't think this can be reproduced on a computer with SSD due to very short boot. So only slow computers can reproduce it.

[pal1000]

I was able to encounter this on 2 systems:

- Windows 10 Version 1809, Intel Core i3-3220;

- Windows 10 Version 1909, Intel Core i3-2375M.

[pal1000]

Going into safe mode then rebooting to normal mode increases chances of encountering this problem. It can still happen with 4.0.4.49 CU 1.0.804.

[exile360]

Greetings,

Is fast startup enabled on this system?  If so, that could explain why booting into Safe Mode then rebooting into normal mode might cause the issue to be more likely to occur.

You can test by disabling fast startup and checking to see if it resolves the issue.  Instructions on doing so can be found here as well as here.

[pal1000]

Yes, fast startup is enabled. Disabling fast startup doesn't solve the problem because as soon as this issue starts happening the more likely is to happen again. I noticed this issue can even happen during the same Windows session Malwarebytes is installed if Support tool was used for removal.

[pal1000]

My problem seams to resemble to some reports from here:

Currently running MBAM 4.0.4.49 CU 1.0.810.

[pal1000]

Just now, pal1000 said:

My problem seams to resemble to some reports from here:

Currently running MBAM 4.0.4.49 CU 1.0.810.

Everything seams to be fine so far. Did a license and deactivation and reactivation to put real-time protection drivers through a stop/start cycle which went through without incidents.

[pal1000]

This problem can still occur with 4.1.0.56 CU 1.0.835.

[VMMainFrame]

I have been having this same problem for over a month now.  I have had several occurrences of the slow DNS and one occurrence of the boot to black screen.  This happens under 4.0.9 and 4.1.0.  The slow DNS affects PING commands, web browsers, the password prompt from Thunderbird, etc.  Strangely it does NOT affect Microsoft Edge.  Edge runs at full speed when Firefox and Google Chrome are being delayed by slow DNS.  Microsoft Edge 44.18362.449.0, Microsoft EdgeHTML 18.18363.

A reboot usually fixes the problem.  Some days it doesn't happen, other days it happens more than once.  I shutdown my PC every night.

 

[Porthos]

1 hour ago, VMMainFrame said:

I have been having this same problem for over a month now.  I have had several occurrences of the slow DNS and one occurrence of the boot to black screen.  This happens under 4.0.9 and 4.1.0.  The slow DNS affects PING commands, web browsers, the password prompt from Thunderbird, etc.  Strangely it does NOT affect Microsoft Edge.  Edge runs at full speed when Firefox and Google Chrome are being delayed by slow DNS.  Microsoft Edge 44.18362.449.0, Microsoft EdgeHTML 18.18363.

A reboot usually fixes the problem.  Some days it doesn't happen, other days it happens more than once.  I shutdown my PC every night.

 

We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system and is only available to authorized members and the original poster. Others see the following and can not access.

Can you please follow the directions from the following KB article and post back your logs so that we can review

Upload Malwarebytes Support Tool logs manually

Thank you

Edited March 12, 2020 by Porthos

[VMMainFrame]

Here are the files. The problem was not occurring at the time.

 

mbst-grab-results.zip

[Porthos]

2 hours ago, VMMainFrame said:

The problem was not occurring at the time.

Quote

Fast Startup:                    On

I suggest turning off fast startup in Windows. Then restart.

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Quote

Anti-Virus Product :     Norton Security

I would  also recommend creating exclusions between Malwarebytes and Your AV to help prevent any possible conflicts or performance issues.  Please add the items listed in this support article to Your AV 's allow list(s)/trust list(s)/exclusion list(s) particularly for any of its real-time protection components and likewise add Your AV 's program folder(s) (likely located under C:\Program Files and/or C:\Program Files (x86)) to Malwarebytes' Allow List using the method described under the Allow a file or folder section of this support article and do the same for its primary data folder which is likely located under C:\ProgramData (you may need to show hidden files and folders to see it).

 

[cchilderhose]

I have seen this as well on 4.1 and have since reverted to 4.0.4 for now.  The RAM usage on the new builds was getting retarded and constantly eating up CPU cycles (staying near the top of Task Manager).  I am using 19041.153 build of Windows 10 (2004 release - Slow Ring).  After going back to 4.0.4 everything seems good.

I saw today there was a new Beta but no mention of Resource fixes or DNS so will monitor and wait for a new build that addresses these things.

[VMMainFrame]

I decided to run a simple test program.  It issues a PING command once a minute and times how long it takes for the output to complete.  This is displayed in a Command window.  The output is "date" "time" and the "number of seconds for PING to complete".  I am running Malwarebytes 4.1.0  and it is setup to run a Scan once a day at 11:30 am.  I ran my test program for three days without the problem occurring.  Today the problem (slow DNS) occurred between 11:30 and 11:31.  See the attached screenshot.  Quitting Malwarebytes did not fix the problem.  I looked in the Task Manager and found Malwarebytes Service was still showing in the Processes window, MBAMService.exe still showed in the Details window and MBAMService showed Stopping in the Services window.

[cchilderhose]

Do we know if the latest 860 update fixes the DNS issues by chance?  I know they are not mentioned but someone will ask.

[exile360]

I did see this, however I don't know if it also applies to this issue or not:

Fixed: web protection prevents Avast SecureLine VPN from turning off

[Porthos]

2 hours ago, exile360 said:

I did see this, however I don't know if it also applies to this issue or not:

 

 

No it does not. Per Ron.