How to disable or remove the YaraScanService (MRT.app)?

Recently on macOS 10.13.6 I have noticed high CPU usage and identified the process YaraScanService as consuming close to 90% CPU.

The Activity Monitor lists it under:

/System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/Contents/MacOS/YaraScanService

as part of the MRT.app.

According to this thread and another one, it appears to be some kind of built-in Apple antivirus that is doing its scanning, yet there doesn't seem to be a way to disable or remove it apart from killing it from the Activity Monitor or with pkill.

Any pointers on how to control it or stop/disable it?

I would assume that if you have dozens of gigabytes of zip, tar, bzip, rar, jar archives then yarascan will unpack them all to memory or disc in order to scan them, and there is absolutely no way to whitelist or exclude them.

The MRT.app is timestamped on 10-Aug-2018 along with a bunch of other folders (apparently the date when I accepted an Apple update). Most files inside the folder are timestamped 4-Jul-2018 and 8-Jul-2018, supposedly when the app was released by Apple.


As mentioned in this article, YaraScanService is part of the MRT.app (Malware Removal Tool). If you are sure your system is not infected with malware and you don't want Apple to do automatic malware protection for you without asking your consent, then you can disable and/or remove the MRT service using these commands:

sudo launchctl stop com.apple.mrt
sudo launchctl remove com.apple.mrt

The corresponding .plist files are apparently located at:

/System/Library/LaunchDaemons/com.apple.MRTd.plist
/System/Library/LaunchAgents/com.apple.MRTa.plist

If the above method does not work for you (apparently the daemon can re-enable itself), then a more radical approach would be to disable SIP with csrutil disable from recovery mode, and remove executable permissions on the MRT and YaraScanService files with:

chmod -R -x+X /System/Library/CoreServices/MRT.app

Once you have changed the permissions it is recommended to re-enable SIP again with csrutil enable (from recovery mode).
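An audit sketch for the state this answer leaves behind, added here as an example and not part of the original answer: it reports whether any binary inside the MRT bundle has lost its execute bit and whether SIP is back on. The function names are hypothetical; the bundle path is the one given above, and the parser assumes the usual "System Integrity Protection status: ..." line printed by csrutil status.

```shell
#!/bin/sh
# Added example (not from the original answer). Helper names are hypothetical.

MRT_APP="/System/Library/CoreServices/MRT.app"   # bundle path given on this page

# Print every regular file under a */MacOS/ directory of the bundle that
# lacks the owner execute bit (i.e. a binary that can no longer be launched).
mrt_stripped_binaries() {
    find "$1" -type f -path '*/MacOS/*' ! -perm -100 2>/dev/null
}

# Classify the bundle as: missing | stripped | intact
mrt_bundle_state() {
    [ -d "$1" ] || { echo missing; return 0; }
    if [ -n "$(mrt_stripped_binaries "$1")" ]; then
        echo stripped
    else
        echo intact
    fi
}

# Classify the text printed by `csrutil status` as: enabled | disabled | unknown
sip_state_from() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# One-line summary. Both arguments are optional: bundle root, csrutil output.
mrt_audit() {
    root="${1:-$MRT_APP}"
    sip_text="${2-$(csrutil status 2>/dev/null || true)}"
    echo "bundle=$(mrt_bundle_state "$root") sip=$(sip_state_from "$sip_text")"
}

# Run against the live system when executed directly.
mrt_audit
```

A result of bundle=stripped means the scanner can no longer launch on that machine, and sip=disabled means the step of re-enabling SIP was skipped.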


Answer originally posted by user1901982 in Super User - What is “YaraScanService” that shows up in macOS Mojave Beta (10.14) and macOS High Sierra (10.13.6)?
Copied here for convenience, as community wiki.

MRT/YaraScan is a macOS-provided antivirus-copyright tool. The reason for its obscene memory usage is basically why OSX doesn't have a formal 'antivirus'.

More simply, YaraScan is one part of the 'volatility suite' here: https://www.volatilityfoundation.org/about

Do realise that a virus and illegally pirated material are both only detected by a 'signature' set of code paths, and both are often reliant on bugs, exploits and weak patching, so it's only to be expected that the strongest modern antivirus was grown from a copyright infringement detection tool.

YaraScan runs once after the Mojave update, and then deletes itself. The reason it uses so much memory is that, unless otherwise programmed (as in it's an opt-out), a process that has to scan an incredible amount of files' contents for an unknown-sized file that might be encrypted into said searched files will use a large amount of inactive memory to store all scanned files for a limited amount of time in case they are needed again. Why? Because empty RAM is wasted RAM. I mean, you still have to give it watts, so why delete the stuff on it when something else doesn't want to be there? It takes 100x longer to get it back.

More importantly, if you use FileVault or APFS, some of that data is encrypted and must be decrypted to be read. Many apps actually need launching and then scanning when they are loaded, as many files can come together to form a threat in memory space as a single 'concurrent file'. Standard antivirus could not detect this until the application was already running, and at that stage it could have already damaged your system.

The amount of time is actively decided by Grand Central Dispatch in your Mac, and as soon as you attempt to use a program that needs that RAM it will clear it.