Interaction problems between F-Secure and Malwarebytes, with solutions
I will share some recent experiences I had with W-7 64-bit PCs running Microsoft Security Essentials and MBAM Pro, F-Secure Anti-Virus and MBAM Pro, and F-Secure Internet Security and MBAM Pro. All systems were configured with the following optional MBAM Advanced Settings selected:
- Enable self-protection module
- Enable self-protection early start
- hourly update
A system with MSE/MBAM booted. I manually updated MBAM. Then I manually updated MSE before MBAM finished. As many of you know, MBAM displays a message "Not Responding" while it is updating. They have a great malware removal system, but the worst update process. In this case, MSE complained, something about that it could not reach the Internet. Task Manager showed a CPU in the 20-30% range. After a reboot, everything was fine.
Systems running AV/MBAM worked fine with the aforementioned settings. However, all of these PCs were recently upgraded to IS.
A system with IS/MBAM booted. I started IE11, but the webpage only half-finished displaying. Action Center told me I had no anti-virus at all. I double-clicked the F-Secure icon, but nothing happened. I opened Control Panel and tried to uninstall IS from "Uninstall or change a program," thinking that the last F-Secure update was poisoned (vendors do this from time to time), but nothing happened (literally, nothing happened after I clicked on Uninstall). I rebooted and this time the system was normal.
Also, something which annoyed me on IS/MBAM PCs is that the cursor would change to the circular cursor every hour or so, signifying that the system is being maxed-out in some respect.
My opinion is that MBAM monopolizes network resources and this confuses the additional processes IS has over AV. I think it is a bad sign that MSE, a Microsoft product which normally operates without a hiccup, has problems with MBAM (too bad MSE has such terrible protection).
I changed all MBAM settings as follows to try to ensure that anti-virus and MBAM are not starting and/or updating at the same time:
- deselect "Enable self-protection module"
- deselect "Enable self-protection early start"
- select "Delay Protection at startup for 60 seconds
I changed the MBAM update schedule to only run once per day around noon. I changed the threat scan schedule to run once per day (including an update) near the end of the day. This insures that MBAM receives three updates per day -- startup, noon, and end of day -- but this does not present a problem because IS provides a real-time shield (the MSE PC is only a lab system).
I have not seen the circular cursor since I made the changes.
I will update this thread if anything new arises.
P.S. Yes, I am aware that F-Secure does not recommend running any other anti-malware packages. I think I have proved that point. And I will never again manually run an antivirus update or scan while MBAM is updating.
Comments
-
Thanks for that interesting comparison. Just one question, how do you make it three updates to MBAM with the daily update and scan settings? I have been running MBAM 2 on two machines, one Win7 and one Win8.1, and I've never managed to get it to update on startup, so curious to know how you did it.
-
And Simon wins the prize!
You are correct. I was in the middle of lots of sysadmin tasks yesterday and I forgot about that. So my scheme only results in two updates per day. That's still not a problem because F-Secure's IS shield is the main protection. I have readjusted my update time to occur earlier in the day.
-
-
Things just went from strange to weird.
I finally looked at Event Viewer and perused the System events, only to discover a whole bunch of "mbamchameleon" events where MBAM was having trouble with F-Secure, hard drives, and a few other things. Another PC with the same configuration did not have those errors. I uninstalled MBAM and reinstalled it. The errors seem to have gone away. I have no idea what to make of this. I'm tempted to disable the real-time shield for MBAM on all of my systems.
So far, the moral of my MBAM stories has been: if anything is strange, uninstall and reinstall MBAM.
-
Well, a clean reinstall can often solve strange problems
Regarding the mbamchameleon "errors". This is caused by MBAM's self-protection module. I get lots of them too, but none is actually reported as error in event viewer(Windows Logs\System), they're all reported as "Information" which I interpret as non-critical. If you get too many of these you might consider disabling the self-protection.
If you suspect a clash between MBAM and F-Secure there's always the ability to set up a mutual exclusion to have MBAM ignore F-Secure and v.v. It's probably easiest to exclude their respective folder in the Program Files folder.
I don't have any problems. Self-protection is ON but not the "early start". Update checks every 30 minutes. If you set it to more often that shouldn't be a problem as most of these checks won't find any new updates to download, so it probably only takes milliseconds to do the check.
-
NikK, what was so strange is that I had just built two new W-7 64-bit PCs and installed Internet Security and MBAM. But one had mbamchameleon messages (you are correct, they are information, not errors), but the other did not. And when I uninstalled / reinstalled MBAM, those message went away.
I was confused at first by mbamchameleon messages because MBAM Chameleon is a trick to fool malware that MBAM is actually something else.
I think the early start is a problem with Internet Security, but not with Anti-Virus (or MSE). That makes some sense because both IS and MBAM Pro have Internet screening, but MSE and AV do not.
-
I agree that's strange.
I took a closer look at my chameleon log entries. It seems many of them are logged because chameleon couldn't verify digital signatures on both F-Secure and other programs. I don't need that functionality and I can live without the MBAM self-protection module. No more System log bombing from mbamchameleon
Also interesting from the help file about self-protection:
"Checking this box introduces a delay as the self-protection module is enabled. While not a negative, the delay may be considered undesirable by some users"
I'd say there's a reason why neither self-protection nor early start is enabled by default, so maybe MBAM runs smoothest without them.
