XProtectRemediatorSheepSwap using ridiculous amount of memory

You have a very very old version of vmware - 8.*, the current version being 13.5, I believe.

Having those obsolete kernel extensions in Sonoma is unlikely to work well.

Also others from 10.9 Mavericks vintage....

As is often the case around here, you have a mac that has been upgraded in place for many years.

At some point, something has got to give.

I strongly recommend that you start fresh. You may be surprised at just how much better your mac performs after following those simple steps:

1) Full backup using Time Machine; if possible, a second backup 2) System Settings->General->Transfer or Reset->Erase All Content and Settings This will leave only the OS itself, and erase all system modifications as well as all accounts, so you did do the backup beforehand, right? 3) When asked, choose to migrate from "another mac, drive or Time Machine backup"; select the TM backup drive used in step 1 4) Select to migrate ONLY the user accounts (no applications, settings or other files - otherwise you'd just be back to where you started) 5) Enjoy a properly working mac. Gradually install the applications that you do need. Never install any "cleaners" or "antivirus".

CleanMyMac needs to be removed with any provided installer from MacPaw.

NetShade/KeyShade also should be removed. Not sure if you used an installer to install it, if you did, then remove with the uninstaller. If downloaded from the App Store, then dragging the app to the trash should remove the files that launch on startup.

These types of apps have caused problems and are not recommended:

• Cleaners
• Optimizers
• AntiVirus
• VPN

De-selecting "Install Security Responses and system files" in System Settings->General->Software Updates->Automatic Updates->Info icon will disable /Library/Apple/System/Library/CoreServices/XProtect.app that owns this process, apparently.

https://simplemdm.com/blog/what-is-xprotect/#:~:text=XProtect%20is%20important%20for%20keeping,Open%20System%20Settings%20%3E%20Software%20Update.

I followed dbolli's advice to disable "Install Security Responses and system files" in the Software Update settings, but XProtect continues to run itself even after rebooting. I then booted into Recovery Mode and did "csrutil disable", then rebooted, but XProtect still runs itself. Am I missing something here, or is it actually impossible to turn this service off...?

On my 8GB M1 iMac running macOS 14.3.1, I had no issues for a week or so after disabling "Install Security Responses and system files" but then XProtectRemediatorSheepSwap fired up again and swap memory went from the usual 3GB to 25GB or so. I shut down macOS and re-booted and haven't had the issue since, so the root cause seems to be either a serious memory leak or excessive memory use in XProtectRemediatorSheepSwap so we can only hope there's a fix in the upcoming macOS 14.4 update.

I'm on a Late 2015 iMac running MacOS 12.7.2, and I've been having the same issue. XProtectPluginService and/or XProtectRemediatorSheepSwap just grows and grows until I run out of memory. Bear in mind I have 32GB RAM, and about the same amount being used in swap by the time the OOM killer window pops up. iStatMenus shows >32GB memory usage by XProtectPluginService. It's clearly a bug / memory leak from a recent update - I've never had this problem before, and it's now happened twice since my last OS point-release upgrade. I don't run VMWare or any sort of cache cleaners, third party AV, VPNs or anything else that was identified as a potential problem earlier in the thread.

I'm still concerned about Tunnelblick, as it is just another open source VPN. The XProtectRemediatorSheepSwap is responsible for scanning and remove Malware and also updates it definition files from web servers. In some cases VPN's will stop this from happening. If you can remove that one as well, then start up in Safe Mode to see if the process is still running wild?

Start up your Mac in safe mode - Apple Support

After that can you post the new EtreCheck report?

Is it possible for you to unplug your external Hard Drives and verify the operation with those removed?

My short-term workaround wound up being creating a script to kill any running XProtect processes, then running that script every minute from the root crontab. After I was confident that XProtectRemediatorSheepSwap was the only real problem, I reenabled the "Install Security Responses and system files" option as well as doing "csrutil enable" from Recovery Mode, I disabled the root crontab entry, and I was going to pare back my script to only kill XProtectRemediatorSheepSwap -- but so far after turning everything back on I haven't run into the problem again. It's possible that there was an update in the interim that fixed the issue.

In case anyone is still suffering from this and wants to try the root crontab option, here's what I did:

• 1. In your user directory, create kill-xprotect.sh:

#!/bin/sh
ps -ef | grep -i xprotect | grep -v grep | awk '{print $2}' | xargs sudo kill -KILL

• 2. "chmod a+rx kill-xprotect.sh"
• 3. "sudo crontab -e", enter your password
• 4. Add the following entry, replacing "username" with your username, then save and quit:

* * * * * /Users/username/kill-xprotect.sh 

This is for the scenario where you've completely disabled the XProtect suite and it's still running XProtectRemediatorSheepSwap anyway. The adjustment I was going to make was changing the "grep -i xprotect" in the script above to "grep -i xprotectremediator" to only kill those specific processes if they were actively running while letting the other XProtect processes stand, but as I said, the issue hasn't returned since reactivating XProtect and its updates.

I'm sure someone could optimize my script further, but what I have here tided me over until the situation improved.

I've got a 4GB Mac mini running Monterey 12.7.3 and XProtectRemediatorSheepSwap is currently bogging it down with 6.2GB memory usage according to Activity Monitor.

Same problem, older macbook, Catalina. This started a few days ago. It looks like a memory leak, as the process keeps overflowing memory, then it is swapped out to "VM Compressed", and then this is repeated. The swapfile seems to keep growing.

I do agree with Luis that there are many legacy files carried over from previous installed that could be causing problems with the scanning of your files by XProtect. Another legacy file located at /Library/Extensions is the intelhaxm kernel extension. This is a old version that has been installed previously and fellow user Barney-15e has noted in another post:

Intel HAXM -- known problem child

This could also explain the kernel panics noted in the EtreCheck report. I understand a clean install is a pain, but it will solve your problem along with installing the updated versions of the software that you are currently using. For example, installing the current version of VMWare will only install the versions of the extensions it needs, while upgrading from a previous version may not remove the extensions that had previously been installed and remain there through OS updates as well.

It is difficult to track down the exact file causing the problem, but there is something stopping the normal operation of XProtect being able to scan your computer for Malware. The SheepSwap process should only run about 5 seconds once per day and for some reason something is forcing it to crash causing it to start/stop constantly. Removing known apps/files is always the first thing that we can do, but sometimes the clean install is the best approach.

Just a short-term solution.. but I find you can simply kill the XProtectRemediatorSheepSwap proces from inside Activity Monitor. Nothing disastrous happens if you do it, memory if freed, and things work again. I assume you can also kill the process with (sudo) kill, from terminal, depending if it is owned by your own user, or root.

I'm on a Catalina system, installed on an old Mac using the setup of dosdude1.com .. one of the patches it includes disables "SIP", which is the Xprotect process, if I'm correct. I' m guessing I may need to change over to the newer OpenCore setup, hoping it is a better way to deal with this XProtect stuff.