I installed and tried TotalAV several months ago. I quickly decided it
was not something I wanted, requested and received a refund. However,
after deleting this app and its support files, I found a system
extension file that I cannot delete. The file is named:
"net.protected.macos.TotalAV.ESAVExtension.systemextension". I've
attempted to contact TotalAV for help, but they do not respond. How can
I delete this file?
MacBook Air 13″, macOS 13.2
I finally found a way to do this. Here's what I did:
Hope this helps.
I finally found a way to do this. Here's what I did:
Hope this helps.
.
How did you uninstall TotalAV? Did you follow these instructions?
https://help.totalav.com/en/tech/av/setup/-/av-setup-how-to-uninstall-av
It has a built-in uninstall menu option. If you just deleted the App then this script wasn't run. You may need to re-install TotalAV then uninstall with the menu option within TotalAV. That should remove the system extension along with everything else. You may not need to register the software just re-install and uninstall it using the proper method.
Did you use it's built in uninstall or did you just delete manually?
If you didn't use their uninstaller, I'd re-install it. Then use it's uninstaller.
https://help.totalav.com/en/tech/av/setup/-/av-setup-how-to-uninstall-av
Further, instead of uninstalling again, you could install FAF and search for that file: "net.protected.macos.TotalAV.ESAVExtension.systemextension".
Once located, you can delete it.
https://apps.tempel.org/FindAnyFile/index.php
Chances are that it resides in one of these locations:
/Library/LaunchDaemons
/Library/LaunchAgents
And/Or....
/Library/StartupItems
~/Library/LaunchAgents
Find Any File can help in removing leftover components of apps that have been deleted. Do the following:
#1 - boot into Safe Mode according to Start up your Mac in safe mode - Apple Support.
NOTE: Safe Mode boot can take up to 10 minutes as it's doing the following;
• Verifies your startup disk and attempts to repair directory issues, if needed
• Loads only required kernel extensions (prevents 3rd party kernel/extensions from loading)
• Prevents Startup Items and Login Items from opening automatically
• Disables user-installed fonts
• Deletes font caches, kernel cache, and other system cache files
#2 - download and run the shareware app Find Any File to search for any files with the application's or the developer's name in the file name. For TotalAV software you'd do the following search(es):
1 - Name contains totalav
Any files that are found can be dragged from the search results window to the Desktop or Trash bin in the Dock for deletion.
FAF can search areas that Spotlight can't like invisible folders, system folders and packages.
#3 - reboot normally.
The developer did not implement their system extension according to Apple standards. Therefore it did not uninstall like it should have.
The nuclear option: Backup your data and reload your operating system from scratch. Re-install your Apps minus the TotalAV and restore you data.
Alternative:
Google 'Derflounder remove system extension", read the whole blog post then read the comments.
Attempting to manually delete this sys extension file does not work. What I have done that did work is reboot in Recovery mode and turn SIP off temporarily, restart and delete the file. The 2 sys extensions are now gone for good.
I'm afraid you are stuck.
These system extensions have to be correctly removed. The only 100% reliable way to remove them is by dragging their containing app to the trash. Any other method, including using the developer's own uninstaller or uninstallation procedures, carries a risk of leaving the system extension orphaned. In the past, it was standard procedure to recommend a developer's official uninstaller or uninstallation procedures. But with the advent of these new System Extensions, that simply isn't reliable any more. Too many developers have faulty uninstallers. Some developers don't provide uninstallers at all. Running any kind of "app zapper" or "clean up" tool, which are widely recommended on the internet, is a 100% guarantee of failure.
Once in that orphan state, the system extension is protected by the operating system's own System Integrity Protection and cannot be removed by any normal method. The systemextensionctl is not deprecated, but that procedure involved disabling System Integrity Protection and the forum rules do not allow discussion of potentially dangerous procedures like that.
I do not know which app was the container for your particular system extension. It may have been an app in a hidden folder. If that is the case, then you may still be able to delete it. I don't know. I also don't know what procedure you used to remove the apps you did find. Everything these days is always a big mystery, isn't it?
At this point, given what little any of us know about what exactly you installed, how you uninstalled it, or what exactly you uninstalled, there is only one 100% guaranteed solution. You need to erase your hard drive and reinstall the operating system. When you restore from your Time Machine backup, you have to make sure to restore only user files and user accounts. You must NOT restore any apps, software, system settings, or "other files". Otherwise, that will put you right back where you started. Once you are back up and running, you can be more careful about installing 3rd party apps. The scamware software industry is totally out of control right now, and about to get much, much worse due to "government regulation".
I realize this is a pretty extreme step. Unfortunately, it is the only option I can offer you in this venue.
Edit: It took me longer to type all of that than it took the OP to find the "other" solution.
The extension is located here:
/Library/SystemExtensions
That's the root Library folder as seen at the top of the drive next to Applications, System and Users.
Put the extension in the trash. You'll likely have to enter your admin password to complete the action. Empty the trash and restart. You may have to possibly restart before the OS will let you empty the trash.
Older versions of VirtualBox used to do that. For a long time, it put a kernel extension in the System folder. When Apple started locking that folder down in Catalina, there was an API that allowed you to still put items there, even though the System folder was supposed to be off limits.
Well, VirtualBox could install the kernel extension, but their own uninstaller then couldn't remove it. And neither could you since it was in the System folder. Fortunately with Catalina, you could boot to another volume with Catalina on it, and then delete the extension on the non-startup drive.
I use "Find Any File" to find stuff like this. I can see where the file is stored. I cannot delete it -- I don't have permission to delete a system extension file.
MZ-San, you are spot on... I finally did resolve the issue by using that method. Actually, once you disable SIP, you can simply drag the sys extention file to the trash.
Kurt Lang wrote:
I wonder if they extensions could also have been deleted from a Safe Mode startup, where they wouldn't be active. Not that the solution the OP found didn't work, it just may have been easier in Safe Mode.
Nope. System Integrity Protection is still enabled in Safe Mode.
I just re-installed TotalAV and then ran its Un-install utility. It not only did NOT delete the system extension, it added another similar system extension that I cannot delete. Anyone got a better suggestion?
Officially, you need to use the App to uninstall the system extension. There is an option in the systemextensionctl command to uninstall an extension but it won't work as the functionality is depreciated due to Apple Security settings.
How to delete a TotalAV system extension?
