pal1000

Slow DNS resolution with potential to completely freeze system


Since I began testing MB4 I noticed one issue that can happen when Malwarebytes real time protection starts for the first time until Windows is rebooted. This may or may not happen. It's like a lottery. When it does happen it causes heavy delays to DNS resolution, without actually affecting network bandwidth. Also in this state 2 use scenarios can completely hang the system:

- Windows is shut down with fast startup enabled. In this case Windows takes almost double the usual time on shutdown and completely hangs on next startup at a black screen with a mouse cursor that is unresponsive too,

- current user logs out. In this case Windows completely hangs to black screen before displaying the login screen.

As an extra, when this issue occurs Malware protection cannot be turned off and if it's attempted the UI can no longer be opened. It probably hangs too.


Attached the logs. Some notes though:

- I chose to disable ransomware protection by weighing protection need for my attack surface against the potential for even more bugs like ones that existed in the past and my ability to respond to such an attack;

- I also have Malwarebytes Anti-Exploit Beta 1.13.1.117. I chose to delay real time protection by 45s in Malwarebytes Anti-Malware to avoid the boot time race condition that can occur if both products are installed simultaneously.

mbst-grab-results.zip


I think some logs were missing because I ran the support tool with this issue in effect so downloads timed out. Attached FRST logs.

I noticed some errors in Addition.txt that are more or less on the mark:

- Error: (10/15/2019 05:10:18 PM) (Source: SecurityCenter) (EventID: 17) (User: )
Description: Security Center failed to validate caller with error %1.

- Date: 2019-10-14 20:43:57.969
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Consequences of the issue

- Error: (10/14/2019 07:07:01 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Malwarebytes Service service did not shut down properly after receiving a preshutdown control.

- Error: (10/12/2019 09:53:40 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:31:59 PM on ‎10/‎12/‎2019 was unexpected.

 

 

FRST-Logs.zip


Thanks for the logs. Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Does setting Malwarebytes Service to delayed start have any impact?

  • Download mbamservice_delayed.reg using the link below:
    https://malwarebytes.box.com/s/15jbt7tifcetlhcgmszzb6appbak56w4
  • Right-click the Malwarebytes icon in your notification area.
  • Click Quit Malwarebytes followed by Yes if prompted by User Account Control.
  • Open your Downloads folder or location of the downloaded mbamservice_delayed.reg file.
  • Double-click mbamservice_delayed.reg and click Run followed by Yes if prompted by User Account Control.
  • Click Yes when prompted to continue.
  • Click OK.
  • Now please restart the machine.

6 hours ago, LiquidTension said:

Note that as you are running a Windows Insider Preview version, less testing has been performed for this OS version. Have you encountered this issue with other computers?

I only have 1 computer running MB4 which is also the only computer running an insider build even though I haven't enrolled this computer into Windows insider program.

6 hours ago, LiquidTension said:

Does setting Malwarebytes Service to delayed start have any impact?

No impact. I actually changed it to manual at some point and it made no difference.

6 hours ago, LiquidTension said:

Could you disable Web Protection (using the toggle on the Dashboard) and then shut down/power back on the machine. Do you still experience the issue with Web Protection disabled?

Disabling malware protection seems to paradoxically help with slow DNS resolution. And disabling both malware and web protection is necessary to avoid hangs on logout and fast boots.

Currently I am using Windows Defender with Malwarebytes without real-time protection. I also use NoScript and Malwarebytes Browser Guard in Firefox.


This still seems to happen with 4.0.4.49 CU 1.0.793. But I think I know how to reproduce it more reliably now. Any of the following could do it:

- delay real time protection by 45s;

- apply Windows updates on a computer with CPU clock < 2GHz and with HDD instead of SSD, Malwarebytes naturally takes longer to start when Windows is patched;

I don't think this can be reproduced on a computer with SSD due to very short boot. So only slow computers can reproduce it.


Going into safe mode then rebooting to normal mode increases chances of encountering this problem. It can still happen with 4.0.4.49 CU 1.0.804.


Greetings,

Is fast startup enabled on this system?  If so, that could explain why booting into Safe Mode then rebooting into normal mode might cause the issue to be more likely to occur.

You can test by disabling fast startup and checking to see if it resolves the issue.  Instructions on doing so can be found here as well as here.


Yes, fast startup is enabled. Disabling fast startup doesn't solve the problem because as soon as this issue starts happening, the more likely it is to happen again. I noticed this issue can even happen during the same Windows session Malwarebytes is installed in if the Support tool was used for removal.


My problem seems to resemble some reports from here:

Currently running MBAM 4.0.4.49 CU 1.0.810.

Just now, pal1000 said:

My problem seems to resemble some reports from here:

Currently running MBAM 4.0.4.49 CU 1.0.810.

Everything seems to be fine so far. Did a license deactivation and reactivation to put real-time protection drivers through a stop/start cycle which went through without incidents.
