Jump to content


Photo

Why is mbamservice.exe running?


  • Please log in to reply
16 replies to this topic

#1 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 04:30 AM

I'm using Malwarebytes' Anti-Malware Pro 1.50.1.1100. At present it supplements my resident anti-virus app, Avira AntiVir (Free), although I may change that soon. So right now I just use it occasionally for extra scans, and therefore I have 'Enable protection module' unchecked.

Yet I still see mbamservice.exe running in XP Pro Task Manager. And its 'I/O Reads' is by far the highest of all processes. (By a factor of nearly 20!)

Can someone explain this please?

I've manually terminated this process as it was slowing my PC, but I don'tr see why I should have to do that.


--
Terry, East Grinstead, UK

#2 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 41,183 posts
  • Gender:Male
  • Location:US

Posted 06 January 2011 - 05:57 AM

Please start by doing the following and make sure you setup file and folder exclusions within your Anti-Virus. If this does not correct the issue please let us know.

Please do the following to see if it resolves the issue:

Windows XP:
  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
  • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.
Windows Vista and Windows 7:
  • Click on the Start Posted Image button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
  • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#3 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 06:54 AM

Please start by doing the following and make sure you setup file and folder exclusions within your Anti-Virus. If this does not correct the issue please let us know.

Please do the following to see if it resolves the issue:
etc, etc


Thanks, but that looks like a copper-plate answer rather than reflecting any consideration of my particular problem!

Did you also see my reply in the thread 'mbamservice.exe excessive disk load, Slows PC'?

MBAM was updated only recently. I strongly suspect that this latest version is buggy. Did you investigate that possibility?

--
Terry, East Grinstead, UK

#4 daledoc1

daledoc1

    Forum Deity

  • Spam Hunters
  • PipPipPipPipPipPip
  • 11,933 posts
  • Gender:Not Telling

Posted 06 January 2011 - 07:24 AM

Hello, terrypin:

Please follow AdvancedSetup's recommendations as it is the first step in basic program troubleshooting, and it resolves many issues.

In addition to what he suggested, also please add the Avira program folder to the "ignore list" in MBAM (see attached screen grab).

If these steps don't resolve your issue, then the experts will be happy to assist you with additional steps to get it working properly.

Thank you,

daledoc1

Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx; TB; Cable HSI; MBAM PRO 1.75.0.1300; KIS2014; SAS Free; CCleaner.
LT: Win7 Pro/64 SP1; Intel Core i7-3632 cached @3.2 GHz; 16 GB RAM; NVidia GeForce GT640M; IE 10; Fx; TB; WLAN; MBAM PRO 1.75.0.1300; Sophos ES 10.3; SAS Free; CCleaner.


#5 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 12:18 PM

Hello, terrypin:

Please follow AdvancedSetup's recommendations as it is the first step in basic program troubleshooting, and it resolves many issues.

In addition to what he suggested, also please add the Avira program folder to the "ignore list" in MBAM (see attached screen grab).

If these steps don't resolve your issue, then the experts will be happy to assist you with additional steps to get it working properly.

Thank you,

daledoc1


OK, I did all that. Took me a long time with 3 reboots. As I expected, it's made no difference.

Now will you consider the points I made before please? To repeat:

1. Why is mabamservice.exe still running when I've disabled protection as I described?

2. And generating such an enormous number of Read I/O entries which slow the system down? Neither of which happened before.

3. Doesn't it strike you as more than a coincidence that two users are reporting an almost identical problem with the same version within a day or two of each other?


--
Terry Pinnell, East Grinstead, UK

#6 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 06 January 2011 - 12:33 PM

Even with the protection module disabled, the service will remain active. That's because it operates in kernel mode, and killing any process that runs in kernel mode has a high probability of causing system instability. If you don't use the protection module at all then your best option would be to do the following:

  • Open Malwarebytes' Anti-Malware and click on the Protection tab
  • Uncheck the box next to Start protection module with Windows.
  • Reboot your computer
From now on, the protection module will not be running. You will still see mbamservice.exe is running, but it will be using much less memory and will not be displaying any CPU spikes, that's because protection isn't loading any more and it's only running for the sake of executing scheduled updates and scans.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#7 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 02:18 PM

Even with the protection module disabled, the service will remain active. That's because it operates in kernel mode, and killing any process that runs in kernel mode has a high probability of causing system instability. If you don't use the protection module at all then your best option would be to do the following:

  • Open Malwarebytes' Anti-Malware and click on the Protection tab
  • Uncheck the box next to Start protection module with Windows.
  • Reboot your computer
From now on, the protection module will not be running. You will still see mbamservice.exe is running, but it will be using much less memory and will not be displaying any CPU spikes, that's because protection isn't loading any more and it's only running for the sake of executing scheduled updates and scans.


OK, thanks. (It would have been good to know about that after my original post, before these unnecessary steps.)

But anyway that's exactly what I did previously, unchecked Start protection module with Windows, yet the extremely heavy usage continued after reboot. Has anyone in Support actually tested this to see if they can reproduce the issue?

I've now fresly unchecked that option,and I'll now reboot yet again (I think that's #5) to make absoutely sure, and report back.

Meanwhile, no one has yet addressed my question about the apparent coincidence of two similar problems.

BTW, is resident protection the only feature in Pro that's not in my previous free version?


--
Terry, East Grinstead, UK

#8 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 06 January 2011 - 02:40 PM

OK, thanks. (It would have been good to know about that after my original post, before these unnecessary steps.)

But anyway that's exactly what I did previously, unchecked Start protection module with Windows, yet the extremely heavy usage continued after reboot. Has anyone in Support actually tested this to see if they can reproduce the issue?

I've reproduced it with the protection module active, I've not done so with it disabled from boot.

Meanwhile, no one has yet addressed my question about the apparent coincidence of two similar problems.

I've been watching support as well as the forums and since release of this version, you're the only two users I've heard of who have reported this. I know the high I/O Read Bytes issue exists, but I've never seen any performance problems because of it (and I run it on all supported Windows versions on a 5400RPM HDD, so if the slowdown was always noticable, I'd notice it as my I/O throughput on a hard drive of that speed isn't that good to begin with).

BTW, is resident protection the only feature in Pro that's not in my previous free version?

No, you also get scheduled updates and scans as well as the malicious website blocking mechanism (which is another part of the protection module). If you don't use the scheduler then you may also do the following, as it will eliminate this problem completely:
  • Click on START and select Run
  • In the Run box type services.msc and press Enter or click on OK
  • Scroll down the list of services until you find MBAMService and double-click on it
  • Click the drop down menu next to Startup type: and select Disabled
  • Click on Apply and then click OK

Disable a starup entry with Autoruns:
  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Double-click Autoruns.exe to run it.
  • Once it says Ready at the bottom of the program window, click on the Logon tab and click the checkbox on the left side of Malwarebytes' Anti-Malware so that it is unchecked
  • Once that is complete, restart your computer.

Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#9 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 06 January 2011 - 03:17 PM

I just did some testing:
  • I installed the PRO version of Malwarebytes' Anti-Malware on Windows XP and enabled the protection module
  • I unchecked Start protection module with Windows.
  • I rebooted the system
  • I opened Process Explorer (this tool can be found here)
  • I added the the following columns:

    • I/O Reads
    • I/O Read Bytes This is the one that I found to be very high with the protection module active
    • I/O Writes
    • I/O Write Bytes
  • I executed several processes, browsed a few webpages and opened several folders
  • The I/O Read Bytes for mbamservice.exe remained at 416,504 The same as it has been at since booting the system
  • The I/O Reads remained at 106
  • The I/O Writes remained at 2
  • The I/O Write Bytes remained at 12

Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#10 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 03:43 PM

I've reproduced it with the protection module active, I've not done so with it disabled from boot.


Thanks for sticking with me on this.

OK, progress! This time, directly after the latest reboot, mbamservice.exe was behaving quietly, as you predicted.

However, my XP Pro PC became almost unusable at that stage. I'll describe it in case it offers any clues. Every operation I attempted (r-clicking a tray icon, opening the Run box, minimising a window, bringing up the Start menu. - everything) was glacially slow. Remarkably consistent too. I reckon about 22 seconds from initiating any operations to its completion.

As I don't presently use Scheduling, and as I'm now very wary about it, I disabled mbamservices.exe in Services. (So I suppose I'll have to write off my 20 upgrade to Pro as a 'learning experience', as I reckon I'm now using the functionality of the free version!)

I didn't want to hit the Reset or Power button, but eventually (after all the ops I'd tried to start had run their tedious course) I was able to restart, and I'm now composing this after that reboot. (More reboots in one day than I normally do in a month!). Operations now seem OK at first sight.

I've been watching support as well as the forums and since release of this version, you're the only two users I've heard of who have reported this. I know the high I/O Read Bytes issue exists, but I've never seen any performance problems because of it (and I run it on all supported Windows versions on a 5400RPM HDD, so if the slowdown was always noticable, I'd notice it as my I/O throughput on a hard drive of that speed isn't that good to begin with).


Are you using XP? Pro? SP2? I'm just looking for a pattern.

No, you also get scheduled updates and scans as well as the malicious website blocking mechanism (which is another part of the protection module). If you don't use the scheduler then you may also do the following, as it will eliminate this problem completely:

  • Click on START and select Run
  • In the Run box type services.msc and press Enter or click on OK
  • Scroll down the list of services until you find MBAMService and double-click on it
  • Click the drop down menu next to Startup type: and select Disabled
  • Click on Apply and then click OK

Disable a starup entry with Autoruns:
  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Double-click Autoruns.exe to run it.
  • Once it says Ready at the bottom of the program window, click on the Logon tab and click the checkbox on the left side of Malwarebytes' Anti-Malware so that it is unchecked
  • Once that is complete, restart your computer.


I have AutoRuns. Its Logon tab is showing Malwarebytes' Anti-Malware (mbamgui.exe) enabled. And a Ctl+f from the Everything tab results in 3 moreenties, all enabled:
2 entries for MBAMShlExt (mbamext.dll)
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

and an entry for MBAMProtector (mbam.sys)

I have now unchecked the Logon entry. But left the other three. Is that OK?

I won't reboot yet again, as it would be good to get some work done! :blink:



--
Terry, East Grinstead, UK

#11 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 06 January 2011 - 03:54 PM

The behaviors you describe makes it sound like there's something else going on. Perhaps something else is at the heart of this, such as a driver conflict or some other process you're running from boot (Anvir comes to mind offhand since it hooks every process running).

Are you using XP? Pro? SP2? I'm just looking for a pattern.

No, I'm using SP3.

I have now unchecked the Logon entry. But left the other three. Is that OK?

Yes, 2 of them are for the context menu entry (Scan with Malwarebytes' Anti-Malware when you right-click on a file or folder) and the other is the driver used by the protection module, but when the PM is inactive it isn't doing anything, though you might try unchecking it to see if that resolves the issues with your system's stability, though I've never seen the symptoms you're describing in testing, and we do test on XP SP2 (Home, Pro and Pro x64).

Just for info, my XP is still up and running and the I/O columns for mbamservice.exe still haven't budged at all.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#12 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 06 January 2011 - 05:44 PM

The behaviors you describe makes it sound like there's something else going on. Perhaps something else is at the heart of this, such as a driver conflict or some other process you're running from boot (Anvir comes to mind offhand since it hooks every process running).

No, I'm using SP3.

Yes, 2 of them are for the context menu entry (Scan with Malwarebytes' Anti-Malware when you right-click on a file or folder) and the other is the driver used by the protection module, but when the PM is inactive it isn't doing anything, though you might try unchecking it to see if that resolves the issues with your system's stability, though I've never seen the symptoms you're describing in testing, and we do test on XP SP2 (Home, Pro and Pro x64).

Just for info, my XP is still up and running and the I/O columns for mbamservice.exe still haven't budged at all.


Thanks. I'll get back onto this in the morning and keep you informed of any developments.

--
Terry, UK

#13 exile360

exile360

    exile

  • Administrators
  • PipPipPipPipPipPip
  • 16,017 posts
  • Gender:Male

Posted 07 January 2011 - 05:35 AM

Hello again Terry :blink:

I just wanted to let you know that I brought this case and my own findings to the attention of one of the developers and he discovered that there is an issue with efficiency in the protection module causing this.

The efficiency of the protection module should be dramatically improved in version 1.51 when it is released :blink:.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#14 terrypin

terrypin

    New Member

  • Members
  • Pip
  • 18 posts

Posted 07 January 2011 - 10:13 AM

Hello again Terry :blink:

I just wanted to let you know that I brought this case and my own findings to the attention of one of the developers and he discovered that there is an issue with efficiency in the protection module causing this.

The efficiency of the protection module should be dramatically improved in version 1.51 when it is released :blink:.


Excellent, thanks Samuel, much appreciate your thoughtful help. :huh:


I look forward to that new release.

--
Terry, East Grinstead, UK

#15 Pani

Pani

    New Member

  • Members
  • Pip
  • 2 posts

Posted 25 January 2011 - 08:02 PM

I just did some testing:

  • I installed the PRO version of Malwarebytes' Anti-Malware on Windows XP and enabled the protection module
  • I unchecked Start protection module with Windows.
  • I rebooted the system
  • I opened Process Explorer (this tool can be found here)
  • I added the the following columns:

    • I/O Reads
    • I/O Read Bytes This is the one that I found to be very high with the protection module active
    • I/O Writes
    • I/O Write Bytes
  • I executed several processes, browsed a few webpages and opened several folders
  • The I/O Read Bytes for mbamservice.exe remained at 416,504 The same as it has been at since booting the system
  • The I/O Reads remained at 106
  • The I/O Writes remained at 2
  • The I/O Write Bytes remained at 12


Hi, I too have a problem with mbamservice.exe keeping my hard disk running all the time and slowing down my 18-month old laptop running XP sp3. The problem started just in the last week. I am running mbam pro (1.50.1.1100). I too did the same testing described by Samuel and here are my results:

I/O Read Bytes 87.9 GB!
I/O Reads 236.x
I/O Write Bytes 1.5 MB
I/O Writes 432

These numbers are radically different from those described by Samuel on Jan 6th. So what's going on? Now, that makes at least three users with a problem! I had been very happy with mbam till now but now I am reevaluating whether I should uninstall it and wait for version 1.51 to be released. BTW, my main antivirus program is Norton Security Suite Version: 4.3.0.5.

Thanks for any advice.
Pani

#16 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 25 January 2011 - 08:33 PM

To Pani and anyone else with this issue, please re-read what Samuel said above:

Please pay particular attention to what I've bolded below:

Hello again Terry :D

I just wanted to let you know that I brought this case and my own findings to the attention of one of the developers and he discovered that there is an issue with efficiency in the protection module causing this.

The efficiency of the protection module should be dramatically improved in version 1.51 when it is released
:D.



We appreciate your patience as we correct this issue and hope that you will wait until version 1.51 is released to ensure that the issue was fixed. :D
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#17 Pani

Pani

    New Member

  • Members
  • Pip
  • 2 posts

Posted 11 April 2011 - 11:48 PM

To Pani and anyone else with this issue, please re-read what Samuel said above:

Please pay particular attention to what I've bolded below:



We appreciate your patience as we correct this issue and hope that you will wait until version 1.51 is released to ensure that the issue was fixed. :D



OK now, it is almost three months later. So, when is mbam pro 1.51 going to come? I left my mbam running an it is really eating up the resources and making my laptop slow as molasses. The numbers are staggering:

I/O read bytes: 359,000,000 and counting
I/O write bytes: 6664
Disk reads: 16,000 and counting
Disk read bytes: 964,000,000 and counting

Should I uninstall the current version and simply wait for the version update?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users