Process Lasso and Malwarebytes Anti-malware 2.X

Started by Victek, May 21, 2014, 10:24:02 PM


Victek

Hello,
Malwarebytes recently released a new version 2 and someone on the Wilders Security forum noticed that Process Lasso has numerous log entries documenting process restraints on mbam.exe.  I am seeing this also, however I also see the occasional entry where mbam.exe has been terminated and the average CPU usage over a period of time is extremely low.  I am not noticing that mbam.exe is having any noticeable impact on system performance and I'm curious what these Process Lasso log entries mean.  The thread at Wilders where this is being talked about is here:

https://www.wilderssecurity.com/threads/malwarebytes-anti-malware-2-released.361805/page-23#post-2373665

Note message #569

If you are interested in testing Malwarebytes Antimalware v2 it can be downloaded here:

http://www.malwarebytes.org/mwb-download/

Note that it is necessary to enable the 30 day trial option in order to run the real-time protection.

I believe the notion that mbam.exe is "heavy" on the system based on the Process Lasso log entries is a misinterpretation, but I look forward to your thoughts.

edkiefer

What happens when you set mbam.exe to the exclude list in PL settings?

You can't go by avg CPU%; the usage could spike high for milliseconds and then go idle. You would see it better with Process Explorer.
Bitsum QA Engineer

Victek

Thanks for the reply. I haven't added mbam.exe to Process Lasso's exclude list for the moment because I want to figure out what the problem is and give feedback to Malwarebytes if something in MBAM needs to be addressed. When I look at mbam.exe in Process Explorer I see CPU usage consistently less than .1%. Is there something else I should look for?

edkiefer

You got it right on Process Explorer. I would set up a graph for mbam.exe and monitor any spikes.
Double-click on mbam.exe, select the performance graph, and widen the window.

Since it is a new version, it might be some issue with PL that needs to be looked at.

BenYeeHua

Yup, and this may be working by design, because processing small jobs together saves more power than processing them one by one as they are created.

A high update rate (maybe 0.5s) in Process Explorer should be enough. If you want more accurate monitoring, then you need WPT (Windows Performance Toolkit) :)

edkiefer

I never checked mbam.exe before. I only have the older version 1.7, but I ran a scan and monitored CPU%. On my 3570k I got 24.9%, which will trigger PL as the default is 23%. It got lowered to below normal and shows in the log.

Now, I don't know how the new version is with real-time protection.

Victek

Quote from: BenYeeHua on May 22, 2014, 10:19:02 AM
Yup, and this may be working by design, because processing small jobs together saves more power than processing them one by one as they are created.

A high update rate (maybe 0.5s) in Process Explorer should be enough. If you want more accurate monitoring, then you need WPT (Windows Performance Toolkit) :)

I set the update interval in Process Explorer to .5 seconds, opened a performance graph for mbam.exe and watched it for a while.  CPU usage never rises above .2% - there are no spikes.

It would be helpful if the interaction between Process Lasso and MBAM could be better understood.  There are some people in Wilders using PL's log entries to bash MBAM and in any case it would be better if PL did not restrain mbam.exe if there's no real need for it.  Thanks for any help with this.

edkiefer

Yes, sounds like it shouldn't get lowered. How is the real-time protection scanning process run? Is it only by one process (mbam.exe), or is there a scheduled task service that runs it?

The reason I ask is that most times, if run by a scheduled service at startup, it is below normal by default.

Victek

Quote from: edkiefer on May 23, 2014, 01:13:40 PM
Yes, sounds like it shouldn't get lowered. How is the real-time protection scanning process run? Is it only by one process (mbam.exe), or is there a scheduled task service that runs it?

The reason I ask is that most times, if run by a scheduled service at startup, it is below normal by default.

Yes, mbam.exe is started by mbamservice.exe in "services".  Process Lasso shows mbam.exe as "normal" in the Priority Class section.