Version 4.5.14 Weird Behavior / Part 2

[GuruGuy]

In continuation to the thread that I asked be locked; @treed I had a few minutes to poke around with this again yesterday on two MacBooks.

The missed scans are running now, just took them a minute after waking up the MacBooks.  So that leaves just the one remaining issue; Update Stamps.

 

It still looks to me like this is the last time it CHECKED, not updated.  I know you've said that was wrong, but something is wack a do with it.  

It will go hours without updating the time, even though it's set for hourly.  This is also while running on battery with it open continuously in use for more than an hour, no update timestamp.

I have noticed that a scheduled scan will force it to update and then scan.  The hourly stamps I see coincide with a scheduled scan.

 

The two Macs have both had the program uninstalled and reinstalled about three times, the last being yesterday morning around 9:30am.

The only strange thing I've noticed when poking in the system files is what I've attached here.  The time stamps on both of these are from the install time yesterday.  No other error after that initial install time.

 

So for now, my workaround to get it to update at least twice a day it to set to scheduled scans since it updates at the same time.  

 

[GuruGuy]

Forgot to mention that the logs posted are exactly the same on both MacBooks...

[GuruGuy]

3 minutes ago, GuruGuy said:

It still looks to me like this is the last time it CHECKED, not updated.

Wish I could edit posts.....meant to say looks to me like this is the last time it UPDATED

[exile360]

If it isn't intentional on the part of the Developers, then obviously it is a bug, however I do know that in the Malwarebytes UI on WIndows (as well as in the UI for most of the AV/AM products/tools I've ever used), it normally shows the last time that it actually downloaded/installed updates, rather than showing the last time it *tried* to update or just checked for updates, that way the info provided to the user more accurately reflects their actual protection status (i.e., signatures were updated most recently at *date/time*) rather than stating when it last checked for updates (though that info may be useful to determine whether or not Malwarebytes is honoring its scheduled update setting, it isn't very useful for determining how 'fresh' the installed signatures/definitions are or when they were created/published by the Research team).

That's just my opinion though, and I have seen products display both (i.e. the last time it checked as well as the last time it actually downloaded/installed new signatures) so that you get the best of both worlds.

[exile360]

Here's an example of what I mean:

That image is from the Windows version, and the particular wording used is Last updated: which, to me at least, indicates the last time it actually *downloaded/installed* updates, not just the last time it *checked* for updates (potentially finding no new signatures) because when I see a notification telling me that an application updated, I take that to mean that it installed an actual update, not just that it looked for updates and found nothing new.

It's a semantic argument, but I would personally find it confusing if it were worded as above but indicated the last update check and not the last update download/installation.  I just confirmed it as well by manually checking for updates 2 times; the first time it successfully downloaded and installed updated signatures at 9:02 as indicated, however I just checked for updates again at 9:05, yet the 'Last updated:' field did not change, it still states 9:02.

Again, this may be completely different on the Mac version, but if it is, I would ask what the actual usefulness is, because if I am a technical user trying to troubleshoot whether or not Malwarebytes is updating as it should, I would expect to dive into the Malwarebytes service/system logs.  However, if I am just a user trying to determine whether or not my signatures are current and whether Malwarebytes is out of date, I'd want to know that from the UI, just like the information about the latest installed component package and major program version (the other two fields listed on the same tab which, just like with the signatures, actually display what the most recent version is, rather than when the last time it tried to update it/them was).

[GuruGuy]

Mac version is different than windows.  If you read the other thread, @treed has stated that the wording is correct; Last Protection Update Check.  I had linked to a support article that stated it was the last check and also updated.  Treed said that was incorrect and that support article has since been updated.  The screenshot here is what you see in the Mac version.  That time stamp is from over two and a half hours ago and it's set to check hourly.  Anyway, I've said all that before here and the other thread, but wanted to have someone look at that log screenshot and see what's up with that...

[exile360]

Yeah, that wording definitely seems to indicate that it is stating the last time it checked for updates, so that makes sense.

[1PW]

Hello @GuruGuy:

1.) Given that the MacBook Pro(s) have been updated to Malwarebytes for Mac V4.5.14. please open the Malwarebytes for Mac Dashboard -> within the Title Bar, click the Settings  gear icon -> below, click within the "Detection History" card -> click the "Reports" tab -> visually scan down the "Kind" column for the most recent "Update" report line -> under the "Information" & "Date and Time" columns, please reply to this topic with the most recent database Protection version (e.g. 4.0.xxx) & Date and Time for that report line?

2.) BTW, if the MBPs are running macOS 10.15.6 Catalina, and if you have not already done so, you may wish to consider further updating to last Wednesday's supplemental build: (19G2021) per https://support.apple.com/kb/DL2049?locale=en_US.  IMHO, additional undocumented stability issues will be made.

Thank you.

Edited August 15, 2020 by 1PW

[GuruGuy]

1.  Shown below:  Updates are set for hourly, you can see here that they've updated once since yesterday morning.

2.  Answered in the first thread...

3.  This "detection history" tile is a very strange place to hold some of this info that one looks for and cannot find.....things that are not scan and detection items and more of general log items that you wonder about but can never find in the Mac version of this software.

[exile360]

Yeah, it shows a lot of the normally hidden stuff that would get logged to the service log in the Windows version; that's very interesting.

[GuruGuy]

That's kinda been a pain in the Mac version for awhile now, looking for things that are easily found in the windows version or buried in windows files and directories.  I've used windows since the DOS days and can find anything in the files & directories there.  With Mac, it's a LOT harder to find things.  Even so, this is still a little lacking (even if it's in the wrong place IMO).  The protection updated to version 4.0.493.  Great I finally now know that....is that the latest version?  How do I know what the latest version is?  What about the update checks that I've been complaining about and missing time stamps?  Don't see those listed here for the last 24 hours....so are they logged somewhere else, not logged at all, or is it not checking?  

[exile360]

For database versions, the automatic/scheduled update checks should keep things up to date, however if the Mac version works the same way the Windows version does (which I suspect it does), program version updates are metered out to users randomly over time after the new build becomes available.  This behavior can be overridden by checking for updates manually (likely via a button or link under settings if it is similar in layout to the Windows version).

Since the reason for metering out the updates is at least partially to avoid a massive bandwidth spike on the CDNs that distribute Malwarebytes' updates, it is likely they have implemented the same behavior across their entire product line (they want to avoid essentially DDoS'ing their own CDN's servers by pushing out a large update/download to all users simultaneously).

[1PW]

Hello @GuruGuy:

3 hours ago, GuruGuy said:

 The protection updated to version 4.0.493.  Great I finally now know that....is that the latest version?

I believe the V4.0.493 DTBS was first offered near the end of July.  Yes. It is the most recent.

I also believe your Malwarebytes for Mac app is working as well as the rest of us.  I believe the Malwarebytes devs are making improvements as soon as they are able.

Although the Malwarebytes' dashboards appear to have intentionally been made to look similar, it is not a simple matter to make further comparisons with the Windows based product.  Is that Malwarebytes for Linux on the horizons...

I wish I had a nickle for every time I used my old T15 screwdriver and a Mac case spreading tool in the good old days where the malware was maybe a bunch of nVIR B on their hard drives and diskettes.

Apple's folk are really trying to harden their adopted Linux based OS for today's and tomorrow's brilliant threats.  We users are just going to have to share in the defense burden.

Cheers and be safe.

[GuruGuy]

Don't really care about the DTBS version, it's the DEFINITION UPDATES that I want to know about.  

I'll wait till @treed jumps in here after the weekend (I assume) and maybe he can offer some insight on that log screen I posted and the definition updates, along with the hourly checks.  

[Massimiliano]

@exile360 , @GuruGuy

I received the definition update 4.0.493 on 07/31/2020.
Today, however, I turned on the Mac at 11:30AM (Italian time) and the check was done (regularly displayed in the menu) and it was redone at 12:00PM (always displayed) without downloading anything therefore I can say that, at least to me, they work correctly as in the past. It rarely happens that it skips an hourly deadline.

@GuruGuy DTBS version cited by @1PW are the definition version updates

I only have a few problems (very rarely) when I wake up the Mac: in these cases it can happen that an app (not always the same) bounces instead of being started. (It happened with Safari, Messages, Others but never with Malwarebytes).
Unfortunately I think it is due to Catalina 10.15.6 (it had never happened since 2013 when the Mac was purchased) and unfortunately if Apple does not fix it with the additional updates I will have to keep the problem because it is the latest version compatible with my Mac.

[GuruGuy]

I have never had bouncing ball issues on any of my Macs, until the latest version of MB.  Turning off Ad Block has resolved that.  Not an issue for me anymore, I'll leave it off.

 So the DTBS cited IS the definition updates.  So that hasn't been updated since the end of July...wow!  I mean really, what is the point of checking for hourly updates if it doesn't even update that often.  I realize Macs aren't the same as windows and definitions don't need to be updated 2-3 times a day, but we're talking two weeks here.  But that's beside the point really, since I'm not even seeing the hourly update stamp changing.  Doesn't appear that matters anyway.  Nothing there since the end of July

 

[Massimiliano]

Frequent checking is actually useful.

It is true that they are rarely updated but in two cases it has happened to me (I have been using MWB for macOS since the first beta released in July 2017) twice in which there were three updates in one day (probably for variants of the same malware).

I read a while ago that one new malware per month on the Mac platform means a busy month.

[GuruGuy]

Thanks for the info.  Appreciate your thoughts.

[treed]

What would really help would be if you could send me data collected with our support tool:

https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac

Please send that directly, and not attached publicly to this topic.

[GuruGuy]

Not really a fan of those types of tools, regardless of the fact that it isn't sold, etc.  What exactly is hoovered up and sent back is problematic and as far as I know, undisclosed.  Understand that's how y'all operate, but I don't.  I can answer any questions otherwise.  Thanks.