
While trying to reduce my system's background CPU usage I noticed some unexpected disk activity. NirSoft's AppReadWriteCounter.exe pointed out MBAMService.exe as having a lot of disk write activity:

Application Name    Application Path    Read Count    Write Count    Read Bytes    Write Bytes    Read Speed    Write Speed    Maximum Read Speed    Maximum Write Speed    First Activity Time    Last Activity Time    Product Name    Product Version    File Description    Company Name   
MBAMService.exe     MBAMService.exe     9,859         3,215,572      882,565,061   352,637,896    0.6 KiB/Sec   15043.5 KiB/Sec    2473.5 KiB/Sec    8/10/2020 2:17:27 AM    8/10/2020 3:12:09 AM         

Then I used Process Monitor and discovered it was writing to C:\ProgramData\Malwarebytes\mbamservice\LOGS\MBAMSERVICE.LOG.   That log file showed the following 3 lines (including 2 revolutions to better illustrate the timing...) being spammed, all having something to do with HWiNFO64:

08/10/20        " 02:51:26.055" 114385758       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMFarflt from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20        " 02:51:26.055" 114385758       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMProtection from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20        " 02:51:26.056" 114385759       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMChameleon from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20        " 02:51:26.060" 114385763       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMFarflt from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20        " 02:51:26.060" 114385763       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMProtection from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20        " 02:51:26.061" 114385764       23bc    3084    WARNING MBAMChameleon   RegistryNotifyRoutine   "regprot.c"     728     "RegFilter: Changing access to MBAMChameleon from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"

I'm running the most-recent, standard release (not beta) of HWiNFO64. Its configuration is mostly vanilla, although I do have one custom sensor configured via the following registry key:

[HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\Custom\GPU Extra\Fan0]
"Name"="GPU Fan RPM"
"Value"="\"GPU Fan\" * 2750 / 100"

HWiNFO64 only reads that key, so my instinct is that it's not relevant, but I could be wrong... (To confirm my instinct I disabled the custom counter and restarted HWiNFO64. Upon restart the log was still being spammed. It did cease when HWiNFO64 wasn't running.)

I'm kinda stumped at this point. I assume the MBAMSERVICE.LOG entries are telling, but I don't know what to make of them...  Any ideas?


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    • Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots: 01.png to 06.png (not reproduced here)

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

MBAMChameleon refers to the Chameleon self-protection driver used by Malwarebytes to guard itself against malicious modification or termination by threats.  It looks like HWInfo is simply trying to access something that is protected by Chameleon self-protection, resulting in the entries in the logs, but they should be harmless.  It's just the driver doing its job and logging the access attempts by HWInfo.


16 hours ago, exile360 said:

MBAMChameleon refers to the Chameleon self-protection driver used by Malwarebytes to guard itself against malicious modification or termination by threats.  It looks like HWInfo is simply trying to access something that is protected by Chameleon self-protection, resulting in the entries in the logs, but they should be harmless.  It's just the driver doing its job and logging the access attempts by HWInfo.

I have a hard time believing that this much disk activity is normal. Either HWiNFO is misbehaving or MBAM is being too sensitive. I did find what I suspect to be the activity that Chameleon deems important enough to log:

7:21:15.5313547 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\INSTANCES				REPARSE	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5313746 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\INSTANCES				SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5314304 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances				SUCCESS	Index: 0, Name: MBAMFarflt	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5314477 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt			SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5315105 PM	HWiNFO64.EXE	8964	RegQueryKeySecurity	HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt			SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5315254 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt\FLAGS		SUCCESS	Type: REG_DWORD, Length: 4, Data: 0	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5315533 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt\ALTITUDE		SUCCESS	Type: REG_SZ, Length: 14, Data: 268150	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5318332 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt			SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5318523 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances				NO MORE ENTRIES	Index: 1, Length: 80	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5318729 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMFarflt\Instances				SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5321835 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\INSTANCES				REPARSE	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5322046 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\INSTANCES				SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5322596 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances				SUCCESS	Index: 0, Name: MBAMProtection	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5322780 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection		SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5323492 PM	HWiNFO64.EXE	8964	RegQueryKeySecurity	HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection		SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5323643 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection\FLAGS	SUCCESS	Type: REG_DWORD, Length: 4, Data: 0	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5323807 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection\ALTITUDE	SUCCESS	Type: REG_SZ, Length: 14, Data: 328800	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5324041 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection		SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5324179 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances				NO MORE ENTRIES	Index: 1, Length: 80	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5324350 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMProtection\Instances				SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5326511 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\INSTANCES				REPARSE	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5326728 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\INSTANCES				SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5327531 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances				SUCCESS	Index: 0, Name: MBAMChameleon	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5327719 PM	HWiNFO64.EXE	8964	RegOpenKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon		SUCCESS	Desired Access: Read	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5328715 PM	HWiNFO64.EXE	8964	RegQueryKeySecurity	HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon		SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5328862 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon\FLAGS	SUCCESS	Type: REG_DWORD, Length: 4, Data: 0	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5329012 PM	HWiNFO64.EXE	8964	RegQueryValue		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon\ALTITUDE	SUCCESS	Type: REG_SZ, Length: 14, Data: 400900	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5329245 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon		SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5329386 PM	HWiNFO64.EXE	8964	RegEnumKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances				NO MORE ENTRIES	Index: 1, Length: 80	"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan
7:21:15.5329561 PM	HWiNFO64.EXE	8964	RegCloseKey		HKLM\System\CurrentControlSet\Services\MBAMChameleon\Instances				SUCCESS		"C:\Program Files\HWiNFO64\HWiNFO64.EXE"	DAN-10\dan

All reads, as I assumed... No clue why HWiNFO needs to even read those keys, couldn't find anything illuminating on their forum. My main question atm is why the heck does Chameleon need to log this? The associated disk activity is unnecessary and unwelcome, MBAMService is rolling over its 10 MB log file every 70 minutes or so:

(screenshot not reproduced here)

It may not be a lot but it sure as heck ain't nothing, over time it'll add up. And this is surely consuming a few extra CPU cycles, not a lot but MBAM is heavy enough as it is I'd prefer it not to consume any more resources than is necessary.

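The two posts above establish a pattern an analyst will want to quantify before deciding whether a self-protection log is noise or signal: which image is touching which protected driver, how tightly the entries are bunched, and how fast the file is filling. The script below is an added example written for this thread; it is not code from Malwarebytes, HWiNFO or any poster. It parses MBAMSERVICE.LOG lines in the exact layout quoted in the opening post, aggregates the "RegFilter: Changing access to ... from ..." warnings, and converts the reported rollover (a roughly 10 MB file every 70 minutes) into an implied entry rate. Assumptions, also marked in comments: the field layout is taken from the six quoted lines only, line endings are CRLF, and the 10 MiB rollover size is the poster's figure, not a documented Malwarebytes constant. The sample input is the thread's own six lines, with fields separated by single spaces.

```python
"""Triage noisy Malwarebytes Chameleon self-protection log entries.

Added example for this thread (not Malwarebytes' or HWiNFO's code). Parses
MBAMSERVICE.LOG lines in the layout quoted above, aggregates the
"RegFilter: Changing access to <driver> from <image>" warnings by requesting
image and protected driver, measures how tightly entries are bunched, and
turns an observed log-rollover interval into an implied entry rate.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Field layout inferred from the quoted excerpt (assumption: it holds for all
# lines): date, quoted time with a leading space, sequence number, thread id
# (hex), process id, level, component, routine, quoted source file, source
# line, quoted message. Fields are separated by runs of whitespace, so tabs
# and spaces both match.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{2})\s+'
    r'"\s*(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"\s+'
    r'(?P<seq>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+'
    r'(?P<level>\w+)\s+(?P<component>\w+)\s+(?P<routine>\w+)\s+'
    r'"(?P<file>[^"]*)"\s+(?P<srcline>\d+)\s+"(?P<msg>.*)"\s*$'
)
# Message shape of the self-protection warnings seen in the thread.
REGFILTER_RE = re.compile(
    r'^RegFilter: Changing access to (?P<target>\S+) from (?P<image>.+)$'
)

# Sample input: the six entries quoted in the opening post (two passes over
# three protected drivers), re-typed with single spaces between fields.
SAMPLE_LOG = r"""
08/10/20 " 02:51:26.055" 114385758 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMFarflt from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20 " 02:51:26.055" 114385758 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMProtection from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20 " 02:51:26.056" 114385759 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMChameleon from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20 " 02:51:26.060" 114385763 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMFarflt from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20 " 02:51:26.060" 114385763 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMProtection from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
08/10/20 " 02:51:26.061" 114385764 23bc 3084 WARNING MBAMChameleon RegistryNotifyRoutine "regprot.c" 728 "RegFilter: Changing access to MBAMChameleon from \Device\HarddiskVolume9\Program Files\HWiNFO64\HWiNFO64.EXE"
"""


def parse_line(line):
    """Parse one log line; return a dict, or None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(
        f'{rec["date"]} {rec["time"]}', "%m/%d/%y %H:%M:%S.%f"
    )
    # Bytes this entry costs on disk; assumes CRLF line endings (Windows).
    rec["bytes"] = len(line.encode("utf-8")) + 2
    hit = REGFILTER_RE.match(rec["msg"])
    rec["target"] = hit["target"] if hit else None
    rec["image"] = hit["image"] if hit else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def regfilter_summary(records):
    """Count RegFilter warnings per (requesting image, protected driver)."""
    return Counter((r["image"], r["target"]) for r in records if r["target"])


def per_image_totals(records):
    """Count warnings per requesting image; a polling tool stands out here."""
    return Counter(r["image"] for r in records if r["image"])


def same_target_intervals_ms(records):
    """Gaps (ms) between successive warnings about the same driver.
    A steady small gap indicates a polling loop rather than a one-off access."""
    by_target = {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        if r["target"]:
            by_target.setdefault(r["target"], []).append(r["timestamp"])
    gaps = []
    for stamps in by_target.values():
        gaps += [(b - a) // timedelta(milliseconds=1)
                 for a, b in zip(stamps, stamps[1:])]
    return gaps


def burst_span_ms(records):
    """Wall-clock span (ms) covered by the parsed entries."""
    stamps = [r["timestamp"] for r in records]
    return (max(stamps) - min(stamps)) // timedelta(milliseconds=1)


def mean_entry_bytes(records):
    return sum(r["bytes"] for r in records) / len(records)


def implied_entries_per_second(entry_bytes, log_size_bytes=10 * 1024 * 1024,
                               rollover_minutes=70):
    """Entries per second needed to fill log_size_bytes in rollover_minutes.
    Defaults follow the thread's report (10 MB file rolling every ~70 min);
    the exact rollover size is an assumption, not a documented figure."""
    return log_size_bytes / entry_bytes / (rollover_minutes * 60)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (image, target), n in regfilter_summary(recs).most_common():
        print(f"{n:>4}  {target:<15} <- {image}")
    print("burst span (ms):", burst_span_ms(recs))
    print("same-target gaps (ms):", same_target_intervals_ms(recs))
    avg = mean_entry_bytes(recs)
    print(f"mean entry size: {avg:.0f} bytes; "
          f"~{implied_entries_per_second(avg):.1f} entries/s "
          f"fills 10 MiB in 70 min")
```

Run against the real file with `parse_log(open(path, encoding="utf-8", errors="replace").read())`. The same-target gap (5 ms in the quoted burst) and the implied sustained rate (roughly ten entries per second at this entry size) answer different questions: the first says whether the requester is in a tight loop, the second says how much of the rollover budget that requester is consuming. Comparing the per-image totals against anything other than HWiNFO64.EXE is the quick way to confirm the noise comes from one benign monitor rather than from something probing the protection drivers.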

HWInfo, as I'm sure you're aware, is a hardware monitoring tool.  This means one of the things it does is to query and monitor all drivers installed on the system (even if they don't apply to any actual hardware, as is the case for the Chameleon self-protection driver and the other Malwarebytes protection drivers it is querying).  Unless there is some way to tell HWInfo not to monitor specific drivers, there likely is no way to stop it short of disabling self-protection in Malwarebytes, though even then, Malwarebytes still might log the attempts just for diagnostics purposes (you'd have to disable self-protection to test and see what it does).

Keep in mind that it is HWInfo performing all those reads; Malwarebytes is simply doing its job to log the attempts (very useful for hunting malware that might be trying to access/terminate the drivers).


By the way, I have made a note of this issue for the Developers, however it may not be possible for them to do anything about it without compromising Malwarebytes' protection.  I'm not a developer so I don't really know, but hopefully there is something they can do about it without compromising the security of Malwarebytes' customers.


4 hours ago, exile360 said:

By the way, I have made a note of this issue for the Developers, however it may not be possible for them to do anything about it without compromising Malwarebytes' protection.  I'm not a developer so I don't really know, but hopefully there is something they can do about it without compromising the security of Malwarebytes' customers.

Thanks. I think I'll raise the issue with HWiNFO as well, see if there is or if they can add a way to leave MBAM alone...


Yes, if they can code in some kind of read exclusion for Malwarebytes' driver keys, that should resolve the issue.  I'm an HWInfo user myself, so I definitely get where you're coming from.  You likely just want to be able to monitor your hardware to make sure temps, voltages and clocks are good (without any heat issues, hopefully), and with as little additional load on your system as possible (especially if measuring performance during gaming, benchmarks and other resource intensive tasks).

Either way, I hope that one company or the other (or both, if necessary) can compile a fix for it in an upcoming release.

And thanks for bringing this to our attention.

