Pluto

Ransomware protection over sensitive?

Hello -- I am a long time user of Malwarebytes & Adobe Audition, the latter occasional rather than every day. Today, I had an issue with very slow loading (about 8× slower than usual) audio files (WAV & FLAC) into Audition which I traced to your Ransomware protection feature. Turned that feature off and load speed was as expected. Oddly, re-enabling that feature after loading the first file and subsequent file loads were OK, until Audition was closed and re-opened. I should emphasize that at no point was there any hint of a false positive, just a massive drop in the speed of file load.

I have never had this problem before although it has been a few weeks since I last used Audition, hence the reason I am posting here.

Version 4.1.0.56, Update 1.0.23364, Component 1.0.889

Please advise how you would like to proceed.


p.s. Windows 10 1909


Are you able to exclude Adobe Audition in the allow list in Malwarebytes and fix the issue?


@Porthos yes, excluding the main executable from detection as ransomware only does fix the problem. Just to dive a bit further down that rabbit hole: when you exclude a particular executable, does that also exclude DLLs, etc. subsequently called by that executable? I would assume not, as to do so strikes me as a vulnerability!

@LiquidTension – in the light of the above, do you still need logs? As I explained earlier, there are no positive or false positive aspects to the process so I doubt the logs will show anything other than a slow scan! The problem seems consistent regardless of the audio file format being loaded. Performing a simple file manager scan of the files goes through like a shot. For the sake of absolute accuracy, Audition actually loads the files as it ought – it's the subsequent process of scanning the files for the creation of waveforms that takes about 15× longer than expected.

46 minutes ago, Pluto said:

@Porthos yes, excluding the main executable from detection as ransomware only does fix the problem. Just to dive a bit further down that rabbit hole: when you exclude a particular executable, does that also exclude DLLs, etc. subsequently called by that executable? I would assume not, as to do so strikes me as a vulnerability!

For Ransomware Protection it probably doesn't matter since Ransomware Protection primarily monitors an application's on-disk activity to look for ransomware behavior (file creation/deletion/destruction and encryption etc.).


Audition does appear to do an awful lot of writing to a file called…

\Users\*********\AppData\Roaming\Adobe\Audition\13.0\d0bee765-f847-45fc-9253-6bd98732a5a9 [changes every run]\Audition13BlockRecovery

which ends up as several MB when the file load is completed and is deleted as and when the file is unloaded. Observing this happening under Process Monitor, it suggests that Malwarebytes is taking its time to scrutineer this file.


That makes sense since the primary function of Ransomware Protection is to monitor disk activity to look for ransomware behavior.  They can probably code something to eliminate the issue in the future but my guess is that it will require a change in the code to do so meaning it probably won't be possible until a future release.

I would still advise providing the logs requested by LiquidTension above though, as the information they contain may aid the Devs in isolating the issue and getting it fixed.


Thanks. The reason I am posting this here in the beta test department is that at the time I last used Audition, several weeks ago, I was on the release issue of Malwarebytes and all was well with Audition.

I went over to the beta build when discussion of the slow DNS problem arose (which I have experienced) and now have this issue with Audition. Taken together, these two facts imply that the problem which slows the loading of files in Audition is something that has happened recently, hence my posting here in the beta test area.


Hi @Pluto,

Could you try the latest version of Malwarebytes Anti-Ransomware standalone, which is more up-to-date than the Ransomware Protection in your Malwarebytes installation?
https://forums.malwarebytes.com/topic/258918-latest-version-of-mbarw-beta-v091956-build-330-released-23-april-2020/

You will need to uninstall Malwarebytes first before installing Anti-Ransomware standalone.

Please let us know how you get on with this (and no exclusions configured).

If you still encounter an issue with Anti-Ransomware standalone, the logs mentioned earlier would be helpful to see environment information. This will assist us with reproducing the issue.


I shall go ahead and try this, first of all on a virtual machine so I don't lose all my settings within Malwarebytes Premium.

Is there a way of storing all my Malwarebytes Premium settings to easily restore them later?


You shouldn't lose your settings if you just uninstall Malwarebytes and reinstall it later.  It should leave its settings behind I believe.


By the way, I would still request the logs as well.  They are very useful for diagnosing issues with the software.  If you are not comfortable posting them publicly then you may send them in a private message to LiquidTension directly.


Do I need to truly do a full uninstall or will a full switch off suffice?

So far I have done the latter and there appears to be nothing left of Malwarebytes in the works and the service is stopped.


Unfortunately it must be uninstalled I believe.  There are drivers and other components which may remain active and are shared between the two which is where much of the issue exists between them.  In fact, Malwarebytes possibly would not function without being reinstalled after installing the standalone anyway since it uses different versions of some of the same drivers and other files.

Edited by exile360


So far, I cannot get past the opening screen of the AR product as I do not have a valid license. The blue text "start protection" implies a link (the cursor changes) but nothing happens.

I await.


That's strange, and you downloaded the latest build posted here?:

 


Yup,

arw-setup-consumer-0.9.19.56-1.1.330.exe

having first completely uninstalled Premium.

"Your license failed to activate". Get Details goes here, start protection does nothing. I think this beta still has some way to go  🥺


Hello @Pluto

Well we need to get "some" logs. There is just way too much guessing as to what is going on here. Please run the following so we can get some logs to see what is running on your system.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


Thank you. I have replied to your PM. Please run that fix which should hopefully restore your network connectivity properly.

 


Thanks, @AdvancedSetup for your advice. The reason Anti-Ransomware would not install was because of the firewall (your firewall incidentally, which I think is superb). I usually don't allow installer programs access; my bad in this instance. Running the installer a second time got it moving. That's the good news.

The not so good is that MB Anti-Ransomware has exactly the same deleterious effect on Audition's file loading as the anti-ransomware module within MB Premium. I cross-checked at least a dozen times and can state with confidence that either exclusion of Audition's main executable (within the exclusions area of the interface) or disabling the Anti-Ransomware software returns Audition's performance to normal.

Good luck in the pursuit.


Hi @Pluto,

Thank you for confirming the issue is still exhibited with Malwarebytes Anti-Ransomware.

We'll need some additional information to investigate the issue further.


Please send us the following:

  • Zipped up Process Monitor log
  • Zipped up ARW folder
  • mbst-grab-results.zip


Could you also provide more explicit information on the steps you're taking that result in the issue occurring?
What size files are you using? How are you loading the files in Adobe Audition? What other steps are you taking when interacting with Adobe Audition? etc.

Thank you!


OK -- I have done as requested and will be sending the files to your private MBX. Please note the following with regard to the Process Monitor logs which, I hope, will make things easier: in the interests of keeping the file size manageable, I have restricted the capture, on this occasion, to the Audition process and the MBAM service. There are two Process Monitor logs, one captured with MB anti-ransomware ON, the other with it OFF and you will see they are very different. At no point were any changes made to the audio 'documents'.

To assist you, please note the following event times:

with Anti-Ransomware ON --

file open operation commences 13:09:00 and took a few minutes

GAP

file close operation commences 13:12:00 and took a few minutes

with Anti-Ransomware OFF --

file open operation commences 13:28:00 and took a few seconds

GAP

file close operation commences 13:29 and took a few seconds

Observe, if you will, the number of Process Monitor entries connected to the creation (and eventual destruction) of file Audition13BlockRecovery which, although a normal part of the way Audition seems to do things, is not in one of the usual places to build what appears to be a temporary file of some kind. Could you be mistaking this for possible ransomware-like behaviour?

Happy hunting!

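The ON/OFF comparison described in the last post can be reduced to numbers. The sketch below is an added example, not part of the thread and not Malwarebytes or Adobe code: it summarizes two Process Monitor CSV exports for events touching `Audition13BlockRecovery`. It assumes Procmon's default export columns and an English 12-hour "Time of Day" format; the capture rows, PIDs, process names and paths are constructed sample data, not taken from the poster's logs.

```python
import csv, io, re
from collections import Counter
from datetime import datetime

def parse_time(value):
    # Procmon prints 7 fractional digits; strptime's %f accepts at most 6.
    m = re.match(r"(\d+:\d+:\d+)\.(\d+)\s*(AM|PM)", value)
    return datetime.strptime(f"{m[1]}.{m[2][:6]} {m[3]}", "%I:%M:%S.%f %p")

def summarize(csv_text, path_fragment):
    """Count events whose Path contains path_fragment and the time they span."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # drop BOM
    rows = [r for r in reader if path_fragment.lower() in r["Path"].lower()]
    if not rows:
        return {"events": 0, "seconds": 0.0, "by_process": {}, "by_operation": {}}
    times = [parse_time(r["Time of Day"]) for r in rows]
    return {
        "events": len(rows),
        "seconds": (max(times) - min(times)).total_seconds(),
        "by_process": dict(Counter(r["Process Name"] for r in rows)),
        "by_operation": dict(Counter(r["Operation"] for r in rows)),
    }

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
TARGET = r"C:\Users\user\AppData\Roaming\Adobe\Audition\13.0\<guid>\Audition13BlockRecovery"

def row(t, proc, pid, op):
    return f'"{t}","{proc}","{pid}","{op}","{TARGET}","SUCCESS",""\n'

# Constructed sample captures (placeholder names and PIDs, not real log data).
CAPTURE_ON = HEADER + "".join([
    row("1:09:00.0000000 PM", "Adobe Audition.exe", 4120, "CreateFile"),
    row("1:09:40.5000000 PM", "Adobe Audition.exe", 4120, "WriteFile"),
    row("1:09:40.6000000 PM", "MBAMService.exe", 3300, "ReadFile"),
    row("1:11:30.2500000 PM", "Adobe Audition.exe", 4120, "WriteFile"),
    row("1:11:30.3000000 PM", "MBAMService.exe", 3300, "ReadFile"),
    '"1:11:31.0000000 PM","Adobe Audition.exe","4120","ReadFile","D:\\audio\\take1.wav","SUCCESS",""\n',
])
CAPTURE_OFF = HEADER + "".join([
    row("1:28:00.0000000 PM", "Adobe Audition.exe", 4120, "CreateFile"),
    row("1:28:02.0000000 PM", "Adobe Audition.exe", 4120, "WriteFile"),
    row("1:28:04.0000000 PM", "Adobe Audition.exe", 4120, "WriteFile"),
])

if __name__ == "__main__":
    for label, text in (("ON", CAPTURE_ON), ("OFF", CAPTURE_OFF)):
        print(label, summarize(text, "Audition13BlockRecovery"))
```

With real exports, pass each file's text to `summarize` and compare the per-process counts and elapsed seconds between the two captures.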
