XProtect Remediator taking 120% RAM freezing macOS every day


This macOS malware scanner that runs at root takes up 47GB of 32, far exceeding hardware limits, bloating virtual memory, and slowing the computer to a crawl. It's meant to run during times of low CPU latency, but since most of my work is Web Dev, I don't use much power but need the RAM. It freezes the machine daily.


What's sad is what little control we have over it and that we can predict when the cycle will be over and how the machine will run well again by calculating 6GB per minute times the difference between the current RAM use and peak which is around 47GB. In the above case, one can expect the machine to be free and running again after 2 hours and 6 minutes. While work can be planned around it, the issue is ridiculous. It doesn't make sense for a malware scanner to take up so much memory, hijacking a computer we pay for. Even sadder, despite knowing when it will be over when it runs, there's not a predictable pattern for when it starts. Ideally it should only run when the machine is asleep.


Worse, because it runs at the root level, there's no way to force quit nor is there any known option to either disable or limit this. The issue has been reported to Apple and there was an issue ID sent for this. Updating to the last OS version didn't fix the problem either (Sonoma 14.3.1).


This is a heads up to anyone who may be having this issue that it exists, has been documented, and has been reported. Any workarounds besides timing it are appreciated. Hopefully the good folks at Apple engineering find a fix for this; it's truly frustrating not to have control over one's machine performance when you need it.



There's a related thread about this but not the same as this issue, only similar in terms of process involved.

https://discussions.apple.com/thread/253890200?login=true&sortBy=best


[Re-Titled by Moderator]


iMac 21.5″

Posted on Feb 14, 2024 5:19 PM

Question marked as Top-ranking reply

Posted on Mar 2, 2024 5:42 PM

This seems to be a problem caused by Apple’s automatically installed security responses.


I managed to “fix” the SheepSwap-gate by rolling back to a previous version of XProtectRemediator. 


It is located at:

/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorSheepSwap



Unfortunately, you’ll need a Time Machine backup to roll it back to a previous version.

(I’ve reached out to Apple senior support, and they refuse to support me tampering with their XProtect) 

If you have an earlier version of XProtect.app backup, you’ll need to disable SIP, (preferably then booting in safe mode), and replace XProtect.app with that earlier version. Then, I turned SIP back on and haven’t experienced any issues yet. 

You also need to uncheck “Installed Security Responses” from Settings - Software update since this will automatically update to the latest XProtect version without any notifications. 


I believe the problematic version is XProtectPayloads 125 (see screenshot), since then Apple released version 126, but the issue persisted, so I went back to 122 (the only version backed-up prior to 125 I have). 

The system and XProtect version logs are retrieved using SystHist (https://eclecticlight.co/lockrattler-systhist/), and SilentKnight shows the rolled back 122 version still performs automatic scans and without blowing up RAM usage.


I do understand this workaround sounds sussy, but I cannot allow XProtect to randomly kick in and cause a day’s worth of computation work being terminated due to low memory issues.

Adding salt to injury, I have made multiple attempts to get a resolution from Apple, but they’re either ghosting me or telling me to wipe and reinstall, which is just reckless and irresponsible. 



Feb 15, 2024 3:26 AM in response to balcides

Same here. It took multiple crashes before I realized XProtectRemediatorSheepSwap was the culprit. Given that it's only been a couple days, I have to assume it's related to the update mentioned by NHughes.


Activity Monitor doesn't let us stop the process so my temporary solution is to shut off all memory intensive software and wait for XProtect to finish its work. After some time it seems to shut itself down completely and allow the computer to function as normal.


There was mention in a similar thread that it may be related to VPN (among other software such as CleanMyMac). Just as a precaution, I've shut down NordVPN but saw no noticeable change in behavior.


There is also the option of disabling XProtect altogether although this is obviously strongly discouraged, given that it's your Mac's primary defense against malware: Disabling and Enabling System Integrity Protection | Apple Developer Documentation

Feb 19, 2024 11:40 PM in response to balcides

I experienced the same issue on M1 Max (with 64GB of RAM).

I've seen xprotectremediatorsheepswap using 120GB of memory and causing 60GB of swaps.

For me, this issue seems to be caused by updating to Sonoma 14.3.1 (see screenshot of swap logs). It seems to just start hogging memory randomly every day, sometimes while I'm using the computer, other times while I'm away.

I sent feedback to Apple but have heard no replies yet.

A workaround is urgently needed right now; I cannot be force shutting my computer every day.
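
A way to catch the behaviour reported in this thread before the machine starts swapping, added here as an example and not posted by any participant: it parses `ps -axo pid=,rss=,comm=` output and flags any XProtectRemediator scanner whose resident memory exceeds a share of physical RAM. The sample lines are constructed, the function names and the 50% threshold are assumptions, and RSS counts resident pages only, so it is a lower bound on the figure Activity Monitor shows.

```python
import re

# Constructed sample of `ps -axo pid=,rss=,comm=` output (rss is in KiB).
SAMPLE_PS = """\
  412   183424 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 9021 27262976 /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorSheepSwap
 9102   524288 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
not a ps line
"""

# pid, rss, then the command path (which may itself contain spaces).
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_ps(text):
    """Yield (pid, rss_kib, command_path); silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def flag_remediators(ps_text, phys_kib, max_fraction=0.5,
                     prefix="XProtectRemediator"):
    """Return scanners named prefix* whose RSS exceeds max_fraction of RAM."""
    hits = []
    for pid, rss, path in parse_ps(ps_text):
        name = path.rsplit("/", 1)[-1]  # executable name without directories
        share = rss / phys_kib
        if name.startswith(prefix) and share > max_fraction:
            hits.append({
                "pid": pid,
                "name": name,
                "rss_gib": round(rss / 1024**2, 1),
                "share": round(share, 2),
            })
    return hits


if __name__ == "__main__":
    # Assumed 32 GiB machine, matching the original post.
    for hit in flag_remediators(SAMPLE_PS, phys_kib=32 * 1024**2):
        print(hit)
```

On a live Mac, feed it the real `ps` output and take physical memory from `sysctl -n hw.memsize` (bytes, so divide by 1024).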


