Contribute
Register

YaraScanService

Status
Not open for further replies.
Joined
Nov 30, 2013
Messages
10
Motherboard
GA-Z97X-UD3H
CPU
i7-4790K
Graphics
GTX 980 Ti
Mac
  1. Mac mini
Classic Mac
  1. Power Mac
Mobile Phone
  1. Android
After installing the 10.13.6 update I noticed a process "YaraScanService" eating up lots of CPU and memory. I don't find much about it on the web, it seems to be some malware scanner. It is located in /System/Library/CoreServices/MRT.app/Contents/XPCServices. Does anybody know more about this process?
 
Joined
Jan 30, 2011
Messages
11
Motherboard
GA-Z370XP SLI
CPU
i7 8700
Graphics
RX 580 4GB
Mac
  1. iMac
  2. Mac Pro
This seems a common problem (although I am not affected personally).
The process is legit and linked to Apple's Malware Removal Tool.
 

jaymonkey

Moderator
Joined
Aug 27, 2011
Messages
3,996
Motherboard
GB Z490 Vision G
CPU
i9 10850K OC @ 5.2 GHz
Graphics
Vega 64 LC + HD 630
Mac
  1. MacBook Air
  2. MacBook Pro
  3. Mac Pro
Mobile Phone
  1. iOS
After installing the 10.13.6 update I noticed a process "YaraScanService" eating up lots of CPU and memory.....

@tenebra,

Its a new anti-malware service installed with MacOS 10.13.6 & 10.14.X, its the Apple equivalent of Microsoft's Malicious Software Removal Tool (MRT) ... Pretty sneaky of Apple to install something like this without asking for the users permission.

The YaraScanService consumes a lot of CPU and memory resources while its scanning, it is meant to run once and then delete itself, however on my laptop hack it ran on every reboot. Since I always install Sophos Anti-Virus on all my Mac & Hackingtosh systems which also detects malware I have no need for it and (like MS MRT) it is a massive resource hog.

If it fails to remove itself automatically and you see that its running all the time or after every reboot you can disable it permanently with the following method :-
  1. Kill the YaraScanService using Activity Monitor
  2. Open terminal and type the following commands:
    Code:
    sudo launchctl unload /System/Library/LaunchDaemons/com.apple.MRTd.plist
    sudo rm -R /System/Library/CoreServices/MRT.app
  3. Reboot
  4. Check that YaraScanService is no longer running, if it is try the above again in safe mode

Note: After a MacOS update the Apple MRT service will be automatically re-installed and re-enabled so you will need perform the above procedure again if it continues to run after every reboot.

Hope this helps.
Cheers
Jay
 
Last edited:
Joined
Jun 4, 2020
Messages
1
Motherboard
N/A
CPU
N/A
Graphics
N/A
Mac
  1. MacBook Pro
Mobile Phone
  1. iOS
Having lived with 10.13.6 (as far as I could take my hw) and the nightmare of yarascanservice (using Automator to script a 'forced quit' of the service shortly after start up), I also ran in to major issues being unable to install Security Updates (corrupting the OS - widely experienced, thanks Apple). I therefore had to avoid any aspect of auto-updating taking place, and may have over tinkered with System Preferences.

System Preferences / App Store - among the various options that I had defeated, a badly worded option is:
Install system data files and security updates

I came across an article on tidbits explaining what function this option served, recommending to enable it (https://tidbits.com/2016/03/30/make-sure-youre-getting-os-x-security-data/).

It appears that this enables updates to MRT (which drives yarascanservice). Despite the clumsy naming used, this does not cause major security updates to the main OS to occur - simply low level updates (similar to updating definitions in a virus application).

I had this option disabled.

Enabling it, and forcing the system to run these updates, I confirmed that new data had been downloaded (see link above).

Ever since when (4 days ago), I haven't seen yarascanservice running.

This may be coincidence, but I'm curious to determine if this has resolved a similar issue for others?
 
Status
Not open for further replies.
Top