Troubleshooting endpoint performance issues

If a machine is experiencing any of the following issues, you'll want to gather information and reach out to Support:

• Freezing or hanging
• Slowness or performance issues
• High CPU, memory, or disk resource usage

Information about the issue can help Support with diagnosing the issue. Before reaching out to Support, complete these steps.

Check known issues

If you are running the endpoint agent on a server, make sure the recommended real-time protection layers are enabled. For more information, see Configure Nebula for Windows serve roles.

Verify rootkit scanning is disabled as it may increase the time required to complete a scan or impact system performance. For more information, see Configure Scan settings options in Nebula.

Enabling debug logging

Enable debug logging to allow the endpoint agent to capture additional details. For more information, see Enable debug logging on the Malwarebytes Endpoint Agent.

Make note of when the issue occurs. If the issue consistently occurs at a specific time, there may be a conflict with a scheduled scan or another software program. Also make note of any steps to reproduce the issue if they are known.

Layer testing

With debug logging enabled, specific components of Malwarebytes can be disabled to narrow down the cause of the issue. This is called layer testing. Follow the steps below to temporarily disable Malwarebytes and perform layer testing.

Create a test policy with all real-time protection disabled

1. On the left navigation menu, click Configure > Policies.
2. Click New to create a new policy.
3. Name the policy Troubleshooting - Protection disabled.
4. On the left, select Protection settings.
5. Disable all protection under Real-time protection.
6. If you have a subscription for Endpoint Detection and Response (EDR), select Endpoint Detection and Response on the left and disable Suspicious activity monitoring.
7. Click Save.

Create a test group

Once a test policy is created, you need to create a test group and assign the test policy.

1. On the left navigation menu, click Configure > Groups.
2. Click New to create a new group.
3. Name the group Troubleshooting.
4. Select the test policy created above.
5. Click Save.

Test with endpoints

Lastly, move the affected endpoints you want to test with to the new group.

1. On the left navigation menu, click Manage > Endpoints.
2. Select the affected endpoints from which you already gathered logs.
3. Click Actions > Move.
4. Select the Troubleshooting test group.
5. Click Save.

After making changes to a policy or group, the endpoint should receive the new policy within a few minutes. To force an immediate policy change:

1. On the left navigation menu, click Manage > Endpoints.
2. Select the affected endpoints.
3. Click Actions > Check for Protection Updates.
4. On the left navigation menu, click Tasks.
5. Wait for the new task status to show Success. 

Attempt to reproduce the issue with all protection disabled. If the issue does not occur, enable protection layers one-by-one and test after each layer is re-enabled. Test the protection layers in the following order:

1. Suspicious activity monitoring (EDR only)
2. Behavior protection
3. Malware protection
4. Web Protection
5. Exploit Protection

Once the issue returns, collect diagnostic logs and contact support. For more information, check the following links:

• Collect Malwarebytes Endpoint Agent diagnostic logs
• Contact Malwarebytes Business Support