What is “YaraScanService” that shows up in macOS Mojave Beta (10.14) and macOS High Sierra (10.13.6)?

MRT/YaraScan is a macOS-provided antivirus-copyright tool. The reason for its obscene memory usage is basically why OS X doesn't have a formal 'antivirus'.

More simply, YaraScan is one part of the 'volatility suite' here: https://www.volatilityfoundation.org/about

Please realise that a virus and illegally pirated material are both only detected by a 'signature' set of code paths, and both often rely on bugs, exploits and weak patching, so it's only to be expected that the strongest modern antivirus was grown from a copyright infringement detection tool.

YaraScan runs once after the Mojave update, and then deletes itself. It has also been seen to persist on certain macOS systems within MRT. The reason it uses so much memory is that, unless otherwise programmed (it's an opt-out), a process that has to scan a large number of files for an unknown-sized file that might be encrypted into the searched files will use a large amount of inactive memory to save all decrypted scanned files for a limited time in case they are needed again. Why? Because empty RAM is wasted RAM; I mean, you still have to give it watts, so why delete the stuff on it when nothing else wants to be there? It takes 100x longer to get it back.

More importantly, if you use FileVault or APFS, ALL of that data is encrypted and must be decrypted to be read. Many apps actually need launching and then scanning once they are loaded, as many files can come together to form a threat in memory space as a single 'concurrent file'. Viruses can be partially stored in a dylib for a completely unrelated app.

The amount of time is actively decided by Grand Central Dispatch on your Mac, and as soon as you attempt to use a program that needs that logical RAM it will try to clear it. Note that Virtual Memory in this case should be large, as all that decrypted stuff is better stored there until you're literally out of space than repeatedly deleted on a secondary pass shortly after creation.

This is new behaviour in the age of SSDs, to maximize drive life over responsiveness. Current GCD behaviour suggests that the slowdowns are from a fast CPU creating decrypted data faster than it can be written to disk, and other requests to RAM having to wait for the SSD/HDD to finish.


It's running on 10.13.6 (17G65) also.

1054  66.3  2.1 62395936 359328   ??  Us   11:48AM  10:39.14 /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/Contents/MacOS/YaraScanService

Looks likely to be https://github.com/virustotal/yara

https://apple.stackexchange.com/questions/296339/mrt-process-using-large-unbounded-amount-of-memory


It does not really consume your RAM. It likely uses memory-mapped I/O when reading those files, but that only means that file content is mapped into the virtual memory space; it doesn't actually mean that physical memory is used. For actual usage you need to look at "Real memory size" in Activity Monitor.
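One way to check that from a terminal, as an added example that is not part of the original answers: feed `ps aux` output into a small awk filter and compare the virtual size (VSZ) with the resident size (RSS). The sample lines are constructed, reusing the VSZ/RSS numbers quoted in the earlier answer; the column layout assumed is the `ps aux` one (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND).

```shell
# Added example, not from the original answers: report VSZ next to RSS for
# every process whose command path matches a pattern, so a huge virtual size
# can be compared with the memory that is actually resident.
# Assumes `ps aux` column order: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
mem_report() {
    awk -v pat="$1" '
        NR == 1 && $1 == "USER" { next }          # skip the header line
        $11 ~ pat {                               # match on the command path only
            if ($5 == 0) {                        # some kernel tasks report VSZ 0
                printf "pid=%s vsz=0MiB rss=%.0fMiB resident=n/a\n", $2, $6 / 1024
                next
            }
            # VSZ and RSS are in KiB; resident% is how much of the mapped space is real memory
            printf "pid=%s vsz=%.0fMiB rss=%.0fMiB resident=%.2f%%\n",
                   $2, $5 / 1024, $6 / 1024, ($6 / $5) * 100
        }'
}

# Constructed sample in `ps aux` layout. The YaraScanService numbers are the
# ones quoted in the answer above; the Safari line is made up for contrast.
demo() {
    mem_report YaraScanService <<'EOF'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 1054 66.3 2.1 62395936 359328 ?? Us 11:48AM 10:39.14 /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/Contents/MacOS/YaraScanService
alice 2211 0.5 0.8 5123456 131072 ?? S 11:50AM 0:03.10 /Applications/Safari.app/Contents/MacOS/Safari
EOF
}

demo
```

On a live system run `ps aux | mem_report YaraScanService`; a resident fraction well under 1% means almost all of that VSZ is mapped file content, not physical RAM.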


Having lived with 10.13.6 (as far as I could take my hardware) and the nightmare of yarascanservice (using Automator to script a 'forced quit' of the service shortly after every start-up), I also ran into major issues being unable to install Security Updates (corrupting the OS - widely experienced, thanks Apple). I therefore had to avoid any aspect of auto-updating taking place, and may have over-tinkered with System Preferences.

System Preferences / App Store - among the various options that I had disabled, a badly worded one is:

'Install system data files and security updates'

I came across an article on tidbits explaining what function this option served, recommending to enable it (https://tidbits.com/2016/03/30/make-sure-youre-getting-os-x-security-data/).

It appears that this enables updates to MRT (which drives yarascanservice). Despite the clumsy naming, this does not cause major security updates to the main OS to occur, simply low-level updates (similar to updating definitions in an antivirus application).

I had this option disabled.

Enabling it, and forcing the system to run these updates, I confirmed that new data had been downloaded (see link above for directions).

Ever since (4 days ago), I haven't seen yarascanservice running.

This may be a coincidence, but I'm curious to find out whether this has resolved a similar issue for others.