Jump to content

Memory Leak ?


Recommended Posts

A couple of days ago I noticed that my computer was running very slowly, taking much longer to start apps and load websites. I took a look at statistics in Task Manager and saw that the Malwarebytes Service was using the most memory but it didn't look excessive. I had not yet updated this PC to 4.1.0 so I decided to do that and hoped the problem would go away. Unfortunately the problem still persists. I'm assuming that it is MWB causing the problem, if I'm wrong I apologise in advance.

Task Manager showed that there were many GB of memory being used in the non-paged pool. I ran poolmon.exe and the driver that seemed to be using a lot of memory was listed with the tag FLTT. Using fndstr the only hit I got for a driver with that tag was mwac.sys which I believe is part of MWB.

I don't have the details of the poolmon when the system was really slow as I rebooted it about 7 hours ago. The non-paged pool is already at 3.9B and growing. I'm attaching the logs and a screen shot from poolmon.

Can you confirm for me that it is mwac.sys thatis using the FLTT tag?

Mike

 

Annotation 2020-03-07 192736.png

mbst-grab-results.zip

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

    mbst_get_started.jpg
     
  7. Click the Gather Logs button

    mbst_advanced_gather_logs.jpg
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer

    mbst_getting_logs.jpg
     
  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

    mbst_log_saved_desktop.jpg
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

Link to post
Share on other sites

Hi  MJL.

This is just to flag the attention of the Malwarebytes Staff   ( they likely will not see this until their return on Monday )

@LiquidTension    @nikhils

 

I will not make any remark as to poolmon, since I am not familiar with it.

I would suggest though,  that instead of looking at Task Manager,  that you get the Microsoft Process Explorer  and use that instead of Task Manager.

Process Explorer is a lot more detailed & useful than Task Manager.

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

 

Link to post
Share on other sites

Thanks Maurice. I've used Process Explorer before but just didn't in this case.

An update since yesterday. It's been about 19 hours since I rebooted the PC. The memory for the non-paged pool is now 11.5GB. The PC was left running overnight with just poolmon and the Task Manager running. I'm attaching another screenshot of poolmon.

 

Mike

Annotation 2020-03-08 085123.png

Link to post
Share on other sites

Just wondering if anyone on the Malwarebytes staff has had a chance to look at this. 

I'm away from home but restarted the PC around 10 am yesterday. My daughter just checked it for me and the monitor is just blank. She had to power the PC off and on again to restart it.

Thanks

Mike

Link to post
Share on other sites

Hi @MJL,

The FLTT pool tag is indeed associated with the MWAC/Web Protection driver used in Malwarebytes. What you're experiencing is certainly extremely severe. It's very strange to see so many memory allocations with zero freed.

Can you confirm that the issue does not occur with Web Protection disabled in Malwarebytes?

A few questions:

  • When did this first start occurring? Have you had Malwarebytes Web Protection enabled previously without experiencing this type of issue?
  • Were any significant changes made to the machine around the time this first started occurring?
  • Is this a consistent occurrence? Do you encounter this behaviour with every Windows session?
  • When this occurs, are you using any type of network filtering software or VPN?


If this is a consistent occurrence, can you perform a clean boot (leaving Malwarebytes Service enabled) and check if the issue is still exhibited?
https://support.microsoft.com/en-gb/help/929135/how-to-perform-a-clean-boot-in-windows

Please ensure Web Protection is enabled when performing the clean boot test.

Edited by LiquidTension
Link to post
Share on other sites

Thank you for the follow up. The answers to your questions are as follows

1. I have not tried disabling Web Protection to see if the problem still exists. I will do that and report back later today.

2. I first starting noticing this late last week. I upgraded to the 4.1 to see if that would help but it did not. I have been using Malwarebytes Premium for years and have not had any problems. This however is a relatively new PC (Dec 2019). It was not exhibiting this behaviour until last week. This PC is using an AMD CPU all my others use Intel.

3. I haven't made any major changes lately except for the fact that I downloaded and installed the Brave browser to play around with it. I have installed that same browser on other PC's running Windows 10 Pro and MWB Premium without issue. 

4. It's very consistent. On Sunday I restarted it around 10 am before leaving to drive to my son's house. So the PC was doing nothing all day Sunday and all day Monday. At some point on Monday it froze and I had my daughter restart it last night around 8 pm. This morning I logged in remotely and the memory usage was already up to 78%. I turned off MWB and restarted the PC , I just checked and it has been running smoothly at around 12% CPU and 152MB non-paged pool memory. 

5. There is currently no network filtering active on the PC and no VPN is active. My home network is however protected with an Untangle NG-Firewall which provides web filtering, however the same filtering rules are applied to all PC's on my LAN and all the other PC's (all running MWB Premium) are behaving normally.

i have logged in remotely again and restarted MWB and turned off Web Protection. I'll check back in a few hours and let you know if that changes anything. 

Mike

Link to post
Share on other sites

It has been more than 6 hours since I restarted the PC and disabled web protection. Everything seems to be normal. Memory usage has not increased at all.

let me know if you still want me to run the clean boot test on Thursday. I assume you want that test running with Web Protection enabled.

Mike

Link to post
Share on other sites

I set the system up for clean boot about 2 3/4 hours ago. The only non MS Service running is MWB with Web Protection enabled. Memory usage is already higher than it was with Web Protection disabled and looking at poolmon out put the mwac.sys driver's non-paged pool allocation continues to grow in 992 byte chunks.

There is a slight difference in behaviour as very occasionally  (5 times in 2 3/4 hours there are 4 "frees" executed) but overall the non-paged pool continues to grow.

Are there any other tests you would like me to run? 

Mike

 

Annotation 2020-03-12 122625.png

Link to post
Share on other sites

  • 2 months later...

I supplied @LiquidTension with additional details on this problem. After some back and forth he had be try a beta version of MWB which appeared to solve the memory leak problem. I am now running the latest release version of MWB 4.1.0.56 with Update package version 1.0.25262  and component package version 1.0.931 and everything seems to be working fine.

After running further tests on my network I noticed that there was an almost constant exchange of messages between my PC and an HP printer on my network. 

This exchange consisted of the same sequence of messages over and over including the printer sending a TCP out of order response and the PC responding with a TCP Dup Ack

It was my belief that  sending the Dup Ack corresponded to an unfreed alloc so that memory was being chewed up pretty quickly.

Turning the printer off then restarting it solved the problem of the chatter and hence the memory usage.

I'm assuming that a fix was added to the Web protection module to address this too.

Link to post
Share on other sites

  • 3 weeks later...

A new program version along with a new Component package for Malwarebytes for Windows was just announced on June 30th 2020.

Please be sure that you see the announcement

https://forums.malwarebytes.com/topic/257102-malwarebytes-41/?do=findComment&comment=1391173

 

Best regards.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.