A service was installed in the system. MBAMSwissArmy

[Sam314]

My computer suddenly shutdown while I was watching a video. I waited a few seconds (perhaps 5?) after shutdown.  It did not automatically restart, so I pressed the power button to restart.  Based on messages on my monitor, both the shutdown and the startup were related to Windows Updates.  But when I checked my Windows Update page I saw there was no update that took place today, or recently.  Next I checked the event log to try to determine the cause of the shutdown.  I found this entry:  

A service was installed in the system.

Service Name:  MBAMSwissArmy
Service File Name:  \SystemRoot\system32\DRIVERS\mbamswissarmy.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:  

I confirmed file "C:\Windows\System32\drivers\mbamswissarmy.sys" exists on my computer with a timestamp which matches the timestamp of the event in the event log.  The file size of this file is 278,344 bytes.  Googling confirms that Malwarebytes does have a file with this name.  Two questions:

1.  I want to validate that this file really is a legitimate Malwarebytes file. Is there an MD5 or something similar that Malwarebytes publishes for this file that I can use to validate the correctness of my file?  

2.  Is it normal behaviour for my computer to shutdown when Malwarebytes updates this file with zero notification to me as the user?  Is there a way to change this so that I am at least notified of the pending update and so that I can choose when to shutdown and restart my computer?

Thanks,

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab on the left column
   
   
    
7. Click the Gather Logs button
   
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
   
    
9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK
   
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
    
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

[exile360]

Greetings,

The file mbamswissarmy.sys is the kernel mode driver used for the scan engine in Malwarebytes and my guess is that this occurred during the start of a scheduled scan, though why the system restarted/shut down I do not know.  You can check your scheduled scan settings as this may be the reason as there is an option to have Malwarebytes restart the system automatically to clean up any detected threats following a scheduled scan if required for the cleanup process, however this option is disabled by default.

You can find the full details on scheduled scan settings in this support article.

Please let us know if you encounter this issue again or if any further issues occur.

Thanks