MalwareBytes and PowerToys incompatibility


JaimePowerToys

Hi,

PowerToys is an open source project by Microsoft with a set of utilities for extending Windows functionality.

Many users have been reporting recent hang ups and crashes for some of the utilities, and it seems the common denominator is that the users have Malwarebytes installed: https://github.com/microsoft/PowerToys/issues/28988

The users have been able to work around the issue by whitelisting the PowerToys install folder or shutting down Malwarebytes.

I've tried installing Malwarebytes on a Windows 10 VM I had and verified that PowerToys only works correctly if I turn off "Malware Protection" in the Malwarebytes settings.

There's no report to upload here, since nothing is detected. Malwarebytes just seems to not allow some PowerToys utilities to start. The "Malwarebytes Service" spikes to use a full CPU while this is happening.

To reproduce this issue, have Malwarebytes running and try to open up PowerToys settings (double-click the tray icon or right-click the tray icon and select Settings). PowerToys can be installed through: https://github.com/microsoft/PowerToys/releases/tag/v0.74.1

Do you have any insight into what is causing this behavior? The binaries are signed by Microsoft.

Thanks,
Jaime


  • Staff

Hi,

Thanks for reporting. I'll report this to the PM/Development team to look into this.

However, I can't reproduce this. Are any of the people who reported this willing to perform additional tests? This is to see what component is causing this (if caused by a component).

Under Settings > Security > Scan options, please toggle off "Scan within archives", "Use artificial intelligence to detect threats" and "Use expert system algorithms to identify malicious files" + more below, toggle off: "Exploit Protection".

Then see if the problem still exists. If so, then it means it's not related to our scanning engine. If the problem goes away by doing so, toggle the above back on, one by one, with a test in between, to figure out what exact component is causing it.

This will help a lot to narrow down the cause/know where to look.

Of course, the protection settings need to be enabled again afterward. So, for now while we are investigating, as you suggested already, please have them add the folder to the exclusions/allow list.

Thanks!

 

Edited by miekiemoes

Hi Mieke,

I've followed this issue over from PowerToys on GitHub and have changed the settings as you asked above. The problem still occurs with the settings disabled. I then closed Malwarebytes entirely and at that point the PowerToys interface appeared on screen.

Justin


Thanks for looking into this. I've tried the following:
 

Under Settings > Security > Scan options, please toggle off "Scan within archives", "Use artificial intelligence to detect threats" and "Use expert system algorithms to identify malicious files" + more below, toggle off: "Exploit Protection".
I've turned all those off, but PowerToys Settings still won't open, while the "Malwarebytes Service" process is still spiking CPU in Task Manager.

Regarding the issue itself, while the original report in the PowerToys repo is mentioning Firefox, it seems the best way to repro this is trying to open the PowerToys Settings application. (double-click the tray icon or right-click the tray icon and select Settings)

Thanks,
Jaime


Ah yes, this might be related to the latest update on Windows 11 (Windows 11 22H2 22621.2361) as well, as reported by one of the users:
https://github.com/microsoft/PowerToys/issues/28988#issuecomment-1746771184 
Who did many experiments and ended up identifying Malwarebytes as the catalyst: https://github.com/microsoft/PowerToys/issues/28988#issuecomment-1748680182


  • Staff

Thanks for the additional testing and info. 

Can someone also collect some diagnostic logs? See here where to download, how to use: https://support.malwarebytes.com/hc/en-us/articles/360039025553-Gather-diagnostic-logs-for-Malwarebytes-for-Windows (only the option to gather logs). This will create the Mbst-grab-results.zip on your desktop. 

It would be great if you can share these results with us. 


Hi, I've just got a file here from a fresh VM, so you get less noise. Here's what I did:
- Bootstart a new Windows 10 VM.
- Make sure I got it updated by getting to the search updates screen and rebooting plenty.
- Install Malwarebytes personal, accept trial, do the initial scan until it finishes.
- Install PowerToys. The OOBE screen doesn't appear after install (because it's part of PowerToys.Settings.exe). Try to open Settings, also impossible. Verify Malwarebytes Service is occupying a full CPU in Task Manager.
- Restart the computer.
- PowerToys runs at startup, so I've tried to open Settings again, doesn't appear.
- Exit PowerToys, which also exits the PowerToys.Settings.exe process (trying to free some resources so that scan for the Malwarebytes diagnostic tool finishes).
- Run the diagnostic tool to generate the report.

Hope this helps.

Thanks,

Jaime

mbst-grab-results-Jaime.zip


  • Staff

@JaimePowerToys We found the root cause. Basically it was a def that had some wildcards that targeted version info for other malware with an abnormally LONG version field. We are in the process of publishing to fix this so should be fixed in about 1 hour or so with a new database update.

 

I would recommend you look at the version info of this file and severely shorten it. It's kind of non-standard to do this.  CommunityToolkit.WinUI.UI.dll

     This library provides various common UI helpers. It is a part of the Windows Community Toolkit.

      AdvancedCollectionView: It's a collection view implementation that support filtering, sorting and incremental loading. It's meant to be used in a viewmodel.

      CacheBase: Provides methods and tools to cache files in a folder.

      Converters: Commonly used converters that allow the data to be modified as it passes through the binding engine.

      Extensions:
      - ApplicationViewExtensions: Provides attached properties for interacting with the ApplicationView on a window (app view).
      - AttachedDropShadow: Provides a composition based shadow effect which supports masking.
      - FrameworkElementExtensions: Provides attached dependency properties for the FrameworkElement.
      - ListViewExtensions: Provides attached dependency properties for the ListViewBase
      - LogicalTree: Defines a collection of extensions methods for UI.
      - MatrixExtensions: Provides a set of extensions to the Matrix struct.
      - MatrixHelperEx: Static helper methods for Matrix.
      - Mouse: Helper class for easily changing the mouseover cursor type.
      - NullableBool: Custom MarkupExtension which can provide nullable bool values.
      - RotateTransformExtensions: Extension methods for RotateTransform.
      - ScaleTransformExtensions: Extension methods for ScaleTransform.
      - ScrollViewerExtensions: Provides attached dependency properties for the ListViewBase
      - SkewTransformExtensions: Extension methods for SkewTransform.
      - SurfaceDialTextbox: Helper class that provides attached properties to enable any TextBox with the Surface Dial.
      - TextBoxMask: TextBox mask property allows a user to more easily enter fixed width text in TextBox control.
      - TextBoxRegex: TextBoxRegex allows text validation using a regular expression.
      - TitleBarExtensions: Provides attached dependency properties for interacting with the ApplicationViewTitleBar on a window (app view).
      - TranslateTransformExtensions: Extension methods for TranslateTransform.
      - VisualExtensions: Extension methods and attached properties for Visual objects
      - VisualTree: Defines a collection of extensions methods for UI.

      Helpers:
      - BindableValueHolder: Holds the value. Can be used to change several objects' properties at a time.
      - DependencyPropertyWatcher: Used to Track Changes of a Dependency Property
      - ThemeListener: Class which listens for changes to Application Theme or High Contrast Modes and Signals an Event when they occur.

      Triggers: Various Visual State Triggers to help trigger VisualStates in a wide variety of scenarios.
      

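
The staff reply above attributes the hang to an abnormally long version-info field in a shipped DLL. As an added example (not part of the original thread, and not Malwarebytes or PowerToys code), this PowerShell script lists binaries under a folder whose version-info strings exceed a length threshold, which is a check a release pipeline could run before publishing. The `-Root` and `-MaxLength` parameters and the 256-character default are assumptions chosen for illustration, not a documented limit.

```powershell
# Added example: report EXE/DLL files whose version-info strings are unusually long.
param(
    [Parameter(Mandatory)]
    [string]$Root,            # folder to audit, e.g. the application's install folder
    [int]$MaxLength = 256     # assumed threshold; not a Windows or Malwarebytes limit
)

# String properties exposed by System.Diagnostics.FileVersionInfo
$fields = 'Comments', 'CompanyName', 'FileDescription', 'FileVersion',
          'InternalName', 'LegalCopyright', 'LegalTrademarks', 'OriginalFilename',
          'PrivateBuild', 'ProductName', 'ProductVersion', 'SpecialBuild'

Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
        } catch {
            Write-Warning "Cannot read version info: $($file.FullName)"
            return   # skip this file, continue with the next pipeline item
        }

        foreach ($name in $fields) {
            $value = $info.$name
            if ($value -and $value.Length -gt $MaxLength) {
                # Emit one row per oversized field, with a short single-line preview
                $previewLength = [Math]::Min(60, $value.Length)
                [pscustomobject]@{
                    File    = $file.FullName
                    Field   = $name
                    Length  = $value.Length
                    Preview = ($value.Substring(0, $previewLength) -replace '\s+', ' ')
                }
            }
        }
    } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize -Wrap
```

A file that carries a multi-paragraph description like the one quoted above would appear at the top of the output with the name of the field that holds it.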
