Local NAS

[AdvancedSetup]

We have released a new beta build to correct the following

Fixed: Users report to lose connection (visibility) to the LAS or Network Neighborhood after upgrading to CU19
https://forums.malwarebytes.com/topic/262752-malwarebytes-42-beta/?do=findComment&comment=1416567

 

Please enable beta updates and then check for updates

NOTE: Please close all open applications before running this update installer. It is a mandatory reboot of the computer. Unsaved documents will be lost.

 

 

Edited October 26, 2020 by AdvancedSetup
updated information

[Pluto]

A very quick test suggests that this fault has been fixed. More testing to follow over the day or three.

FWIW I can report that this update (of only the component pack) did not demand a mandatory reboot, merely a restart of the Malwarebytes application under Windows 10.

[AdvancedSetup]

15 minutes ago, Pluto said:

A very quick test suggests that this fault has been fixed. More testing to follow over the day or three.

FWIW I can report that this update (of only the component pack) did not demand a mandatory reboot, merely a restart of the Malwarebytes application under Windows 10.

Thank you for the feedback. I would suggest you still go ahead and restart the computer

 

[Pluto]

Sorry, I have to advise that following two or three complete restarts that this problem is not fixed on either my Windows 10 or Windows 7 machines.

Back to the drawing board, folks.

[AdvancedSetup]

Hello @Pluto

Can we please get some new updated logs from you so that we can review. So far this update seems to be working for everyone else so we'd like to see if there is something obvious on your system.

Upload Malwarebytes Support Tool logs offline

Thanks

 

[Pluto]

OK – this time I shall send logs from my Windows 7 system which will probably be a thousand times simpler to interpret.

Coming up…

[ratumikaele]

Beta has resolved problem on both my Windows 10 machines.

No restart required but continues to work after restart 😀

Thanks

[Pluto]

On 10/27/2020 at 1:38 AM, Pluto said:

Coming up…

As requested…

 

Edited October 28, 2020 by AdvancedSetup
log removed per request

[AdvancedSetup]

Thank you @Pluto

Can you please try saving your current firewall settings. Then make a new System Restore Point and disable the following software application and reset the firewall to defaults temporarily

HKLM\...\Run: [Malwarebytes Windows Firewall Control] => C:\Program Files\Malwarebytes\Windows Firewall Control\wfc.exe [644784 2020-08-22] (Malwarebytes Inc -> Malwarebytes)

You might also want to review and consider removing restrictions unless you specifically set them.

GroupPolicy\User: Restriction ? <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-4294570440-570648401-489032097-1002\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

 

Update your Google Chrome and remove these 2016 updaters

Task: {63EFE5D2-3395-481A-BC19-080FEE749404} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-11-16] (Google Inc -> Google Inc.)
Task: {EABD7320-DA9F-4C8A-8DF7-B396E886883A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2016-11-16] (Google Inc -> Google Inc.)

 

One of the logs Additions.txt did not complete for some reason.

Please try restoring the firewall. Then restart the computer and let me know if that works or not

Late for me so I'll check back on you again tomorrow

Thanks

 

[Pluto]

This is all appreciated but the amount of time I have available to explore this issue is very limited so, please, let's not loose sight of the fact that prior to component pack 1070 this all worked!

So what changed in this department with 1070? I really do not have the time to strip this machine back to basics to work this one out. Whatever happened to the old mantra to permit everything that originates within the local network? I trust (as others are saying that this update fixed the issue for them) this isn't a schoolboy error of not realising that my LAN is, a little unusually, on 192.168.2 .× ? I ask this because the issue remains with both my Windows 7 & Windows 10 machines. The two machines have little common history so it's rather odd that both should appear to suffer from the same malaise.

The commonalities between the two machines are i) the network itself and ii) both developed the current issue with the arrival of component pack 1070 iii) both are cured by disabling Web Protection.

I trust you follow my argument here.

NB I have removed all the Google stuff from the Win7 machine. No change.

[ratumikaele]

Hi Pluto,

I doubt this is much consolation but my internal LAN addresses are also 192.168.2.xxx, so no schoolboy error on your part...

Windows Build is 10.0.19041

 

 

[Pluto]

That's one more variable eliminated!

I doubt that the Windows build is all that relevant, seeing as the issue extends across Win10 & Win7

[AdvancedSetup]

We have reversed the change and so far for the majority of users the updated beta has fixed the issue. Why it has not for you @Pluto is what we're attempting to try and track down.

For now then if you don't have time to help us help you track it down further then please disable the Web Protection module. You can use Malwarebytes Browser Guard and/or uBlock Origin content blocker to help shore up the Web Protection module until an update that works for you is available.

Thank you

 

[Pluto]

So logically, the approach should be to examine the distinctions between component packs 1061 and 1070 as the former was absolutely fine.

If this were my mission I would have me run the diagnostic with each component pack in turn, changing nothing else in between. That strategy would probably reveal the issue.

[AdvancedSetup]

As said the change was already reversed. If its not working for you and you won't allow me to help you diagnose why it's not working I don't know how else to assist you @Pluto

Please try using our MBST tool and uninstall all Malwarebytes software and reboot. Do not reinstall when prompted by the program and then see if normal operation has returned for you as it has for everyone else and let us know.

Thank you

 

[Pluto]

OK, a quick bash in the morning (it's 1.30am here). Exactly what you would like me to do with the support tool? Happy to try uninstall/reinstall MB etc. but not messing around with stuff that considerably pre-dates this issue which might compromise the stability of the systems.

[AdvancedSetup]

Just uninstall all Malwarebytes software with the tool and reboot. For now, temporarily do not reinstall Malwarebytes.

Then make sure that all works properly for you again

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

 

[Pluto]

Uninstalled as asked via MBST. Interestingly, the tool did not offer to re-install. All well when MB not present, NAS detected correctly within a few seconds of clicking "Network".

Reinstalled MB manually, allowed latest updates, no change from status quo ante. Web Protection inhibits detection of NAS device.

Incidentally, something that might be deluding some folks here into thinking it's working, when it's not… in my case, when NAS is detected (having disabled Web Protection) that detection remains valid for a few minutes after Web Protection is resumed, even when pressing "refresh"! So those who believe that this issue is fixed, it might be useful to see if your NAS is still accessible after, say, 10 minutes of Web Protection remaining active.

[AdvancedSetup]

Please provide MBST logs

Upload Malwarebytes Support Tool logs offline

[Pluto]

Another logging run as requested, from my Windows 10 machine.

Please delete this attachment (and others I have uploaded) after you have retrieved them. Thanks.

 

Edited October 28, 2020 by AdvancedSetup
log removed per request

[Pluto]

Possible clue in getting to the bottom of this – enabling SMBv1 (now highly deprecated) seems to enable discovery of NAS device. Subsequent disabling thereof restores inability to detect NAS unless web protection is disabled.

Please forgive my indulgence, but why does your web protection module have any effect on the goings-on within the local network? Would it really be so much of a vulnerability to simply ignore any traffic that originates and terminates within the LAN border? Your own information flash says that web protection blocks online scams, phishing sites and sites with ransomware. So why is it having any effect whatsoever on the discovery of a simple local NAS device?

[Max-H]

5 minutes ago, Pluto said:

So why is it having any effect whatsoever on the discovery of a simple local NAS device?

Good question.🤔

[Dave77]

 

6 hours ago, Pluto said:

So why is it having any effect whatsoever on the discovery of a simple local NAS device?

Might be worth looking into:

I have found that since the last update, my NAS that is discovered by WSD is showing consistently in Windows Network.  My second (older) NAS and Raspberry Pi's that are discovered by NetBIOS initially show up, but disappear after a certain time.  Disabling  Web Protection immediately allows NetBIOS discovery computers to be seen. 

[Pluto]

I wouldn't disagree with any of that although it's hard to prove specifically. Certainly your comment…

4 minutes ago, Dave77 said:

…initially show up, but disappear after a certain time.

seems in the ballpark (in my case). So it appears that MB web protection is inhibiting some aspect of the LAN communication, which appears rather odd for a protection module designed to ward off “online scams, phishing sites and sites with ransomware”.

[AdvancedSetup]

Because NAS uses the Server Message Block (SMB) Protocol to access and allow file sharing which NAS devices use.

Here is a list of vendors still using SMB1 and if your product is on this list and you disable SMB1 then you will not be able to see or access the device.

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb1-product-clearinghouse/ba-p/426008

We do not modify or change SMB. If you uninstall all of our software and are not changing SMB you should not see any difference on the SMB / CIFS level.
We accidentally introduced a block for Web Services for Devices (WSD) which is technology from Microsoft that provides a standard method for discovering and using network-connected devices.
The latest version of our software has removed that accidental block.

 

More details from Microsoft on why SMB1 is not something you should be using Stop using SMB1

 

Running the following from an elevated admin command prompt on Windows 7 should show the information for SMB

sc.exe qc mrxsmb10 

sc.exe qc mrxsmb20

 

SERVICE_NAME: mrxsmb10
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\DRIVERS\mrxsmb10.sys
        LOAD_ORDER_GROUP   : Network
        TAG                : 6
        DISPLAY_NAME       : SMB 1.x MiniRedirector
        DEPENDENCIES       : mrxsmb
        SERVICE_START_NAME :


SERVICE_NAME: mrxsmb20
        TYPE               : 2  FILE_SYSTEM_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\DRIVERS\mrxsmb20.sys
        LOAD_ORDER_GROUP   : Network
        TAG                : 7
        DISPLAY_NAME       : SMB 2.0 MiniRedirector
        DEPENDENCIES       : mrxsmb
        SERVICE_START_NAME :

 

More information on the subject of SMB

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

 

SMB is Dead, Long Live SMB!
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-is-dead-long-live-smb/ba-p/1185401

Fix for the Windows 7 SMB network bug caused by Update KB4480970/KB4480960
https://borncity.com/win/2019/01/12/fix-for-the-windows-7-smb-network-bug-caused-by-update-kb4480970-kb4480960/

Description of the update for Windows 7 SP1 and Windows Server 2008 R2: January 11, 2019
https://support.microsoft.com/en-us/help/4487345/update-for-windows-7-sp1-and-windows-server-2008-r2

Patch Lady – That SMB issue isn’t SMB
https://www.askwoody.com/2019/patch-lady-that-smb-issue-isnt-smb/

 

For your Windows 7 computer @Pluto

Windows 7 SP1 and Windows Server 2008 R2 SP1 update history
https://support.microsoft.com/en-us/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history

The left column of this page lists all the updates that have been released for this version of Windows. We recommend that you install all the updates for Windows that are available for your device. Installing the most recent update means that you also get all the previous updates, including important security fixes.

October 13, 2020—KB4580387 (Security-only update)
Read the How to get this update and the Prerequisite before installing this update

https://support.microsoft.com/en-us/help/4580387/windows-7-update