Nikilet

Possible program conflict leading to BSOD?


I run mbam and emsisoft together and have for a long time. I haven't had any serious trouble until after Dell connected remotely to my machine, many times, to fix their Dell Support Assist app. After that I had trouble with both programs, but thought I finally had things running again. Except that now I'm having some problems getting a BSOD on kind of a regular basis. I went to the Windows 10 forum, ran a tool they requested and they advise the problem is with "mwac.sys which belongs to malwarebytes MBAMWebProtection." Another answer in Windows forum stated that although these two programs should run together there could be a conflict and I should uninstall and reinstall both of them.

I have also posted on mbam forum about this and ran their tool, but haven't received anything satisfactory at this time.

Would someone please advise me exactly which Emsisoft files and folders I should give permissions for in mbam? Maybe that would help the matter. 

I am attaching the BSOD I get in case that would help. You will note on the page it states they will restart for me after they have collected error info. That restart never goes through. I come back and my computer is just sitting on the Dell logo page and then I have to force a restart and then it's ok until I get the BSOD again.

I don't know if the two are connected, but at about the same time this BSOD started, I started having trouble with my WiFi connection. I've already checked, several times, with my ISP and they state it is not on their end. Everything will work just fine and then suddenly I get on and I have no Internet. I'm just wondering if there could possibly be any connection between these two problems.

BSOD.JPG

Just in case it is relevant

 https://forums.malwarebytes.com/topic/261111-performance-issue-with-windows-10-2004

https://mspoweruser.com/malwarebytes-performance-issues-on-windows-10-2004/


Whether a system restarts after a BSOD depends on a setting in (at least in W8.1 - the options might have different names in W10):

Control Panel - System - Advanced System Settings - Startup and Recovery -  Settings - System failure ...  where you can choose whether "Automatically restart" is selected.

Some people like a failed system to restart, others hate it.    In particular some kinds of problems can cause a continual loop of crash, restart, crash, restart, crash, restart ...

Also, some people (eg me) will always do some extra things (look for dumps, look for eventlog records, run chkdsk full scans...) after any BSOD and really would not want the machine to just restart.  Depending on what you normally have a machine set up to do when restarted it might be easy not to notice that BSODs had occurred.

 

Why would a WIFI problem have anything to do with your ISP?   They may have provided the WiFi router that you connect to, but that would be a hardware problem in your home with that router, not a problem in the ISP's own network.


There is currently a known BSoD caused by Malwarebytes' Web Protection driver when Emsisoft Anti-Malware (EAM) is installed. Their QA team has been made aware of it, however there is no ETA on a fix (at least not that I have been made aware of).

For now, please try the following, and that should allow EAM and Malwarebytes to run on the same computer until this issue is resolved:

  1. Right-click on the little Emsisoft icon in the lower-right corner of the screen (to the left of the clock).
  2. Go to Protection status.
  3. Select Disable Web Protection.

Note that after doing this you will need to restart the computer. On Windows 8.1 and Windows 10 you will need to restart by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from this menu to bypass Fast Startup.

Edited by GT500
Added note about need to restart.

14 hours ago, Nikilet said:

I disabled the web protection on MBAM.

That might work if their driver stops filtering traffic or stops running on Windows startup when web protection is turned off. You'll have to confirm that with their support though, as I don't know any technical details about their software.

 

14 hours ago, Nikilet said:

Would you suggest that instead, I should disable the web protection on Emsisoft and turn the MBAM back on?

Only if you continue to have crashes.


This morning I woke up to a window on my screen that stated Emsisoft had to shut down because of a problem. I neglected to take a screenshot of that. It was a white window with red print and it was quite large and had a lot of text inside it. Mbam gave me a listing of what I should have allowed in their program for these to run together. Could you also give me a list of any Emsisoft files that I should allow in mbam?


@Nikilet - you should be able to find some info in an Event Log, using the Event Viewer.  In Win 10 you can find that by typing in "Event Viewer" in the search box.

Be aware that the event viewer shows contents of normal reports of all sorts of things going on in the OS. For example it's common for bits of Windows to try something, fail (perhaps because something else is going on at the same time), and the bit that failed will be retried later and work. Failures do not mean there's something wrong.

[Most of the technical support scams (ie when someone phones you and claims they are from Microsoft or your ISP, and your computer has a problem) use this perfectly normal list of apparent errors to convince people that there's a problem with their system.]

These logs are really normally only of interest to programmers. Anyway, if you can find Event Viewer as suggested above, and start it, you'll probably be asked for the system's Admin password. That's because some of the logged info is in files normally only accessible by the Admin user. It's fine to give the password.

Then - if the viewer is like the one in Win 8.1, it will open with a small list on the lefthand side saying

Event Viewer (Local)
- Custom Views
- Windows Logs
- Applications and Services Logs
  Subscriptions

Click on "Windows Logs" and it should expand to show

Application
Security (maybe)
Setup
System
Forwarded Events

Click on "Application". The display's central panel should then show a long list of log entries, and the date and time they were created at. Scroll the list to find any that are as close as possible to the time you think EAM had the problem.  They /might/ have "Emsisoft" named in the "Source" column, but then again they may not. If you can't find any in the "Application" set, look also in the "System" set. Look at anything whose date & time is around the right time.

If you double-click an entry in the long list of entries it will open and show more information. Don't expect it to mean anything to you. Ideally you're looking for any of these "event logs" that mentions EAM or Emsisoft, and possibly also words like "exception". If you find any, there should be a button labelled "Copy" - in the Win 8.1 version it's at the bottom lefthand corner of the box with all the extra cryptic information. Click on "Copy" then paste the results into a reply here.

If there's lots of records that all seem EAM-related have a look to see if they all say similar things.  Examples of each type of thing will be useful.

 

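The Event Viewer search described in the post above can also be run from PowerShell. This is an added example, not part of the original post and not from Emsisoft or Malwarebytes; the timestamp and window are constructed sample values, the process and driver names are the ones mentioned in this thread, and IDs 1001 and 41 are the standard Windows bugcheck and unexpected-shutdown events.

```powershell
# Added example (not from the thread's participants or either vendor).
param(
    [datetime]$Around = '2020-07-01 07:00',  # constructed sample time: when the crash was noticed
    [int]$WindowHours = 12                   # constructed sample window on each side of that time
)
$start = $Around.AddHours(-$WindowHours)
$end   = $Around.AddHours($WindowHours)

# Emsisoft process names listed in this thread, plus the MBAM driver named in the first post.
$pattern = 'Emsisoft|a2guard|a2service|a2start|eppwsc|CommService|mwac\.sys'

# Application log: Critical (1) and Error (2) entries only, which skips the routine
# informational and warning records that are normal on any Windows system.
$app = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Level = 1, 2; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Emsisoft' -or $_.Message -match $pattern }

# System log: ID 1001 is the bugcheck record written after a BSOD,
# ID 41 (Kernel-Power) records a restart that was not preceded by a clean shutdown.
$sys = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1001, 41; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'WER-SystemErrorReporting|BugCheck|Kernel-Power' }

# Merge both sets in time order so application errors can be read against the crashes.
$report = @($app) + @($sys) | Where-Object { $_ } | Sort-Object TimeCreated
if (-not $report) {
    "No matching events between $start and $end."
} else {
    $report | Format-List TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message
}
```

Pass `-Around` with the time the error window or BSOD was noticed; the output can be pasted into a support reply in place of individual "Copy" results from Event Viewer.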
15 hours ago, Nikilet said:

Could you also give me a list of any Emsisoft files that I should allow in mbam?

At the very minimum:

  • a2guard.exe
  • a2service.exe
  • a2start.exe
  • eppwsc.exe

If you have Emsisoft Anti-Malware connected to a workspace in MyEmsisoft, then you should also exclude CommService.exe as it handles this connection.

Technically if MBAM allows excluding the entire Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware) then that would be best. Self-protection won't allow other programs to save files in that folder, so it's safe to exclude.

15 hours ago, Nikilet said:

Mbam gave me a listing of what I should have allowed in their program for these to run together.

When you add them to the exclusions in Emsisoft Anti-Malware, be sure to add them to both the scanning and monitoring exclusions. If you don't, then Emsisoft Anti-Malware will still open hooks to excluded processes, and those hooks can be the cause of compatibility issues (whether a process is "monitored" or not is actually irrelevant unless the Behavior Blocker is actively blocking a process, and a notification would be displayed if that were the case).

16 hours ago, Nikilet said:

This morning I woke up to a window on my screen that stated Emsisoft had to shut down because of a problem. I neglected to take a screenshot of that. It was a white window with red print and it was quite large and had a lot of text inside it. Mbam gave me a listing of what I should have allowed in their program for these to run together. Could you also give me a list of any Emsisoft files that I should allow in mbam?

Did you mean a window that looked like the following - white, black text, red icon?  (Ignore the fact that this example is for some other program.)

@GT500 - if this was an EAM failure, should there have been an Eventlog record?

A typical exception pane.jpg
11 hours ago, GT500 said:

At the very minimum:

  • a2guard.exe
  • a2service.exe
  • a2start.exe
  • eppwsc.exe

If you have Emsisoft Anti-Malware connected to a workspace in MyEmsisoft, then you should also exclude CommService.exe as it handles this connection.

Technically if MBAM allows excluding the entire Emsisoft Anti-Malware folder (usually C:\Program Files\Emsisoft Anti-Malware) then that would be best. Self-protection won't allow other programs to save files in that folder, so it's safe to exclude.

attached screenshot of what I have allowed in mbam. Is this sufficient or should I still add the items you list above?

1887766250_mbamallows.JPG
11 hours ago, GT500 said:

When you add them to the exclusions in Emsisoft Anti-Malware, be sure to add them to both the scanning and monitoring exclusions. If you don't, then Emsisoft Anti-Malware will still open hooks to excluded processes, and those hooks can be the cause of compatibility issues (whether a process is "monitored" or not is actually irrelevant unless the Behavior Blocker is actively blocking a process, and a notification would be displayed if that were the case).

I had not done this so am doing it right now. Thank you for all your help.

  • Upvote 1

19 minutes ago, Nikilet said:

attached screenshot of what I have allowed in mbam. Is this sufficient or should I still add the items you list above?

Your second line down ... C:\Program Files\Emsisoft Anti-Malware     ... is enough (for EAM) because that's where the various  a2-  & epp-  .exe programs (and DLLs etc) live.

You shouldn't need to exclude any C:\Program Data\...     folders, at least not the Emsisoft one, as the whole point of a ProgramDATA folder is that it is not meant to contain any executable programs, just data files that programs use.    I don't know what's in the  C:\ProgramData\Dell Inc,  or  C:\ProgramData\SupportAssist  folders though.   If they actually do contain executable programs rather than just data they may need to be in the exceptions list.

20 hours ago, JeremyNicoll said:

@GT500 - if this was an EAM failure, should there have been an Eventlog record?

That's an application error, and Windows would have logged it.

 

10 hours ago, Nikilet said:

attached screenshot of what I have allowed in mbam. Is this sufficient or should I still add the items you list above?

That's perfectly fine.

 

9 hours ago, JeremyNicoll said:

Your second line down ... C:\Program Files\Emsisoft Anti-Malware     ... is enough (for EAM) because that's where the various  a2-  & epp-  .exe programs (and DLLs etc) live.

You shouldn't need to exclude any C:\Program Data\...     folders, at least not the Emsisoft one, as the whole point of a ProgramDATA folder is that it is not meant to contain any executable programs, just data files that programs use.    I don't know what's in the  C:\ProgramData\Dell Inc,  or  C:\ProgramData\SupportAssist  folders though.   If they actually do contain executable programs rather than just data they may need to be in the exceptions list.

C:\ProgramData\Emsisoft\Updates is where EAM saves update files it downloads before merging them into the main Emsisoft Anti-Malware folder. In most cases it isn't needed to exclude this folder, however it can prevent issues in the rare instance where another security software may falsely detect one of our updates or otherwise prevent an update file from being copied to the Emsisoft Anti-Malware folder. That being said, I'm fairly certain that there are no instances where anything will ever execute out of C:\ProgramData\Emsisoft or any of its subfolders.

Hello!
I apologize - I suppose all this applies to real-time MBAM?
I have MBAM in my system, but only as a scanner on demand.
However - the system has a service and driver from this program. I have not configured any mutual exclusions.
I hope this is not necessary?

2020-07-02 17_33_35-2020-07-02 17_30_47-Autoruns [LAPTOP-CNP5BB61_111] - Sysinternals_ www.sysintern.png
2020-07-02 17_34_22-2020-07-02 17_31_33-Autoruns [LAPTOP-CNP5BB61_111] - Sysinternals_ www.sysintern.png

@GT500 tagging you in this. Hi everyone, as I am consistently checking, I see there is a new Malwarebytes version 4.1.2.73, component update 1.0.972. This must be manually checked for and updated in settings. Once the initial update is complete, Malwarebytes will then request a full program update; do so. Let's see if this fixes our BSODs?

16 hours ago, andrewek said:
I have MBAM in my system, but only as a scanner on demand.
However - the system has a service and driver from this program. I have not configured any mutual exclusions.
I hope this is not necessary?

It's probably necessary, however you'd have to ask Malwarebytes support to be certain (I'm not familiar with their current software versions).

 

10 hours ago, MJmusicguy said:

@GT500 tagging you in this. Hi everyone, as I am consistently checking, I see there is a new Malwarebytes version 4.1.2.73, component update 1.0.972. This must be manually checked for and updated in settings. Once the initial update is complete, Malwarebytes will then request a full program update; do so. Let's see if this fixes our BSODs?

I'm fairly certain it's too soon for them to have fixed the BSoD, as the day before that update was released I was told they were still investigating the cause. Unless it was a really simple fix then that's just not enough time to implement a fix, test it internally, push it out to beta for volunteers to try, gather feedback, fix any remaining issues, release a new beta, and then push it out to stable once it's deemed satisfactory.
