Jump to content

Slow DNS resolution with potential to completely free system


pal1000

Recommended Posts

Since I began testing MB4 I noticed one issue that can happen when Malwarebytes real time protection starts for the first time until Windows is rebooted. This may or may not happen. It's like a lottery. When it does happen it causes heavy delays to DNS resolution, without actually affecting network bandwidth. Also in this state 2 use scenarios can completely hang the system:

- Windows is shutdown with fast startup enabled. In this case Windows takes almost double time than usual on shutdown and completely hangs on next startup to black screen with mouse cursor that is unresponsive too,

- current user logs out. In this case Windows completely hangs to black screen before displaying the login screen.

As an extra, when this issue occurs Malware protection cannot be turned off and if it's attempted the UI can no longer be opened. It probably hangs too.

Link to post
Share on other sites

  • Replies 51
  • Created
  • Last Reply

Top Posters In This Topic

Attached the logs. Some notes though:

- I chose to disable ransomware protection by weighting protection need for my attack surface with potential for even more bugs like ones that existed in the past and my ability to respond to such an attack;

- I also have Malwarebytes Anti-Exploit Beta 1.13.1.117. I chose to delay real time protection by 45s in Malwarebytes Anti-Malware to avoid the boot time race condition that can occur if both products are installed simultaneously.

mbst-grab-results.zip

Link to post
Share on other sites

I think some logs were missing because I ran the support tool with this issue in effect so downloads timed out. Attached FRST logs.

I noticed some errors in Addition.txt that are more or less on the mark:

- Error: (10/15/2019 05:10:18 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

- Date: 2019-10-14 20:43:57.969
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Consequences of the issue

- Error: (10/14/2019 07:07:01 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Malwarebytes Service service did not shut down properly after receiving a preshutdown control.

- Error: (10/12/2019 09:53:40 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:31:59 PM on ‎10/‎12/‎2019 was unexpected.

 

 

FRST-Logs.zip

Link to post
Share on other sites

Thanks for the logs. Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Does setting Malwarebytes Service to delayed start have any impact?

  • Download mbamservice_delayed.reg using the link below:
    https://malwarebytes.box.com/s/15jbt7tifcetlhcgmszzb6appbak56w4
  • Right-click the Ky7CZ60.png Malwarebytes icon in your notification area.
  • Click Quit Malwarebytes followed by Yes if prompted by AVOiBNU.jpg User Account Control.
  • Open your Downloads folder or location of the downloaded mbamservice_delayed.reg file.
  • Double-click mbamservice_delayed.reg and click Run followed by Yes if prompted by AVOiBNU.jpg User Account Control.
  • Click Yes when prompted to continue.
  • Click OK.
  • Now please restart the machine
Link to post
Share on other sites

6 hours ago, LiquidTension said:

Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

I only have 1 computer running MB4 which is also the only computer running an insider build even though I haven't enrolled this computer into Windows insider program.

6 hours ago, LiquidTension said:

Does setting Malwarebytes Service to delayed start have any impact?

No impact. I actually changed it to manual at some point and made no difference.

Link to post
Share on other sites

6 hours ago, LiquidTension said:

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Disabling malware protection seams  to paradoxically help with slow DNS resolution. And disabling both malware and web protection is necessary to avoid hangs on logout and fast boots.

Currently I am using Windows Defender with Malwarebytes without real-time protection. I also use NoScript and Malwarebytes Browser Guard in Firefox.

Link to post
Share on other sites

  • 2 months later...

This still seam to happen with 4.0.4.49 CU 1.0.793. But I think I know how to reproduce more reliably now. Any of the following could do it:

- delay real time protection by 45s;

- apply Windows updates on a computer with CPU clock < 2GHz and with HDD instead of SSD, Malwarebytes naturally takes longer to start when Windows is patched;

I don't think this can be reproduced on a computer with SSD due to very short boot. So only slow computers can reproduce it.

Link to post
Share on other sites

  • 2 weeks later...

Yes, fast startup is enabled. Disabling fast startup doesn't solve the problem because as soon as this issue starts happening the more likely is to happen again. I noticed this issue can even happen during the same Windows session Malwarebytes is installed if Support tool was used for removal.

Link to post
Share on other sites

Just now, pal1000 said:

My problem seams to resemble to some reports from here:

Currently running MBAM 4.0.4.49 CU 1.0.810.

Everything seams to be fine so far. Did a license and deactivation and reactivation to put real-time protection drivers through a stop/start cycle which went through without incidents.

Link to post
Share on other sites

  • 1 month later...
  • 2 weeks later...

I have been having this same problem for over a month now.  I have had several occurrences of the slow DNS and one occurrence of the boot to black screen.  This happens under 4.0.9 and 4.1.0.  The slow DNS affects PING commands, web browsers, the password prompt from Thunderbird, etc.  Strangely it does NOT affect Microsoft Edge.  Edge runs at full speed when Firefox and Google Chrome are being delayed by slow DNS.  Microsoft Edge 44.18362.449.0, Microsoft EdgeHTML 18.18363.

A reboot usually fixes the problem.  Some days it doesn't happen, other days it happens more than once.  I shutdown my PC every night.

 

Link to post
Share on other sites

1 hour ago, VMMainFrame said:

I have been having this same problem for over a month now.  I have had several occurrences of the slow DNS and one occurrence of the boot to black screen.  This happens under 4.0.9 and 4.1.0.  The slow DNS affects PING commands, web browsers, the password prompt from Thunderbird, etc.  Strangely it does NOT affect Microsoft Edge.  Edge runs at full speed when Firefox and Google Chrome are being delayed by slow DNS.  Microsoft Edge 44.18362.449.0, Microsoft EdgeHTML 18.18363.

A reboot usually fixes the problem.  Some days it doesn't happen, other days it happens more than once.  I shutdown my PC every night.

 

We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system and is only available to authorized members and the original poster. Others see the following and can not access.

Auth members attaachment.png

Can you please follow the directions from the following KB article and post back your logs so that we can review

Upload Malwarebytes Support Tool logs manually

Thank you

Edited by Porthos
Link to post
Share on other sites

2 hours ago, VMMainFrame said:

The problem was not occurring at the time.

Quote

Fast Startup:                    On

I suggest turning off fast startup in Windows. Then restart.

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Quote

Anti-Virus Product :     Norton Security

I would  also recommend creating exclusions between Malwarebytes and Your AV to help prevent any possible conflicts or performance issues.  Please add the items listed in this support article to Your AV 's allow list(s)/trust list(s)/exclusion list(s) particularly for any of its real-time protection components and likewise add Your AV 's program folder(s) (likely located under C:\Program Files and/or C:\Program Files (x86)) to Malwarebytes' Allow List using the method described under the Allow a file or folder section of this support article and do the same for its primary data folder which is likely located under C:\ProgramData (you may need to show hidden files and folders to see it).

 

Link to post
Share on other sites

I have seen this as well on 4.1 and have since reverted to 4.0.4 for now.  The RAM usage on the new builds was getting retarded and constantly eating up CPU cycles (staying near the top of Task Manager).  I am using 19041.153 build of Windows 10 (2004 release - Slow Ring).  After going back to 4.0.4 everything seems good.

I saw today there was a new Beta but no mention of Resource fixes or DNS so will monitor and wait for a new build that addresses these things.

Link to post
Share on other sites

I decided to run a simple test program.  It issues a PING command once a minute and times how long it takes for the output to complete.  This is displayed in a Command window.  The output is "date" "time" and the "number of seconds for PING to complete".  I am running Malwarebytes 4.1.0  and it is setup to run a Scan once a day at 11:30 am.  I ran my test program for three days without the problem occurring.  Today the problem (slow DNS) occurred between 11:30 and 11:31.  See the attached screenshot.  Quitting Malwarebytes did not fix the problem.  I looked in the Task Manager and found Malwarebytes Service was still showing in the Processes window, MBAMService.exe still showed in the Details window and MBAMService showed Stopping in the Services window.

PingProblem.jpg

Link to post
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.