How do I remove Yarascan from osx

YaraScanService is Apple's malware scanner. You do NOT want to try to remove it. It can slow down your mac temporarily as it is scanning all your files for malware. Just let it run it's course, it can take a while. This scanning can happen anytime after a system update, or when malware profiles are updated. It is a part of MRT, which you also do not want to remove or tamper with.

Hi!

I'm writing to you from Italy and I'm sorry if my English isn't perfect.

I have the same problem and i tried to follow your little guide but at the point n. 1 :

shut down your mac. boot it in safe mode by pressing and holding down control + alt + R.

the sequence of buttons is different to put MacBook in "Safe Mode" (I have to press "Shift" for a lot of seconds) and at the point n. 2:

open terminal and disable security by $: csrutil disable; reboot

Terminal tells me that i have to do it with the MacBook set in "Recovery Mode" not in "Safe Mode".

Recovery Mode and Safe Mode are different, in Recovery Mode Terminal appears like this:

that's different from the classic windows of Terminal.

I stopped my attempt here.

So, what can i do? Can you help me? Please, I'm desperate.

Thanks,

Federico from Italy

hi after a 3 hours research with moderate success, I've found something which solved it:

1. shut down your mac. boot it in safe mode by pressing and holding down control + alt + R.
2. open terminal and disable security by $: csrutil disable; reboot
3. when it boots normally: open terminal and type $: sudo launchctl unload /System/Library/LaunchDaemons/com.apple.MRTd.plist
4. then $: sudo rm -R /System/Library/CoreServices/MRT.app
5. You will be good to go.

Good luck

I had significant lag after upgrading from OS Yosemite to OS High Sierra this week, and as I sought the source, I noticed YaraScanService was working overtime in my Activity Monitor.

That is what led me to this post.

What I read in the original post caused me concern initially, as I'm sure it will for others, but what I failed to do at that point in time was to step back and ask myself why this was the only post regarding YaraScan in all of Apple discussions.

It seems a fair, and important, question to consider.

Also, I should have taken note that one of the recommended "fix" posts suggests using the "control" key to boot up in Safe mode, which is not how you boot up in safe mode. Apple uses the "command" key to boot up in safe mode, not "control." While this may be dismissed as a semantical matter by some, for those using keyboards that include a proper Apple "command" key, the difference is rather important. The result of holding "control-alt-R" at startup on a proper Apple keyboard accomplishes nothing but a standard startup.

Regardless of whether the YaraScanService activity was causing my computer to lag, I wanted the lag gone. So, I decided to go ahead and erase my drive and do a clean install of High Sierra in Recovery mode. Once the install was complete, I restored all my content using Time Machine (all the same applications and docs as before, nothing left out). At first, my Activity Monitor showed a lot of "mdworker" and "mds" scanning going on, but that was just Spotlight doing it's thing. If YaraScanService was busy at the same time, I didn't notice it in the Activity Monitor, and I haven't noticed it since. I left the system to do it's thing overnight, and today I still haven't noticed any YaraScanService activity.

The lag I meant to eliminate, however, returned despite the clean install.

And … I have since discovered the true source of that ridiculous lag — The Magic Mouse.

In fact, it was the two-finger swipes I was using to switch between full-screen apps that caused all that trouble after upgrading to High Sierra. Someone else will have to explain why. Perhaps this 2011 mouse isn't compatible. All I know is that every time I swiped with two fingers on the mouse, the whole computer got bogged down in a lag that lasted 20 seconds or more. The mouse would move the cursor, but that's all. Clicking accomplished nothing. After 20 seconds or more, the screen would finally swipe to the next desktop. After that, although the lag diminished, it remained, and it would worsen if I did the two-finger swipe again.

The fix was easy — I disabled the mouse's swipe setting in System Preferences (System Preferences>Mouse>More Gestures).

The result: No more lag in OS High Sierra.

As for the YaraScanServices issue, from what I've read elsewhere, I'm inclined to agree with michelbinkhorst.

It seems a bad idea to start messing around with MRT based on one post. Granted it's recent, but this is the one and only post that comes up when you search Apple discussions for "yarascan." So, it's only responsible to ask, if malicious malware is currently exploiting Apple's use of YaraScanService, why haven't more Apple users posted about it?

I don't intend to insult or dismiss or negate anyone's point of view on this. It may well be that there's something to worry about with regard to the "YaraScanService" activity I and others have noticed. But it seems only prudent to first obtain official verification from Apple about that problem before mucking around with MRT in the OS.

I'm still not convinced that YaraScan is part of macOS. When I noticed the YaraScan activity on my iMac I checked my Macbook which has the same macOS and my Mac mini server (same macOS). They don't have the YaraScan service or app. The MRT.app package content just don't show any YaraScanService.

Thank you very much cyberhusky69 for all the great information on this topic. I learned a lot reading cyberhusky69's posts and very much appreciate the help.

After reviewing my own computer's contents, and after reviewing the procedure I followed to reinstall High Sierra on my iMac desktop, I now share cyberhusky69's doubts about YaraScanService being a part of MacOS.

As I stated in a prior post, I noticed YaraScanService in my activity monitor after my first attempt to upgrade from Yosemite to High Sierra. Following that upgrade effort, I started experiencing serious lag/slowdown on my desktop, which is the only reason I bothered to look at my activity monitor.

How did YaraScanService get there and why was it suddenly active? My guess is that it was part of one, or both, of the two different Mac virus-scan software programs that I stupidly installed at some point during the past seven years, and later forgot about. Although these two virus-scan programs were turned off, they remained installed on the HD, waiting for something to turn them on. Apparently that something was my first attempt to upgrade from Yosemite to High Sierra. Something about that unclean install of the new OS triggered one or both of those idle virus-scanning programs, I guess, which probably is what let YaraScanService out of its cage to eat up my RAM.

I tried a number of recommended fixes before finally deciding to reboot in Recovery Mode and erase the hard disk. I did a quick, single wipe of the HD, then reinstalled OS High Sierra, then restored all content using Time Machine.

It's important to emphasize that I omitted NOTHING from this restore, which in hindsight seems kind of dumb considering those two virus-scan programs I forgot about. However, I've since looked at everything (visible and invisible files) on the HD and neither virus-scan program exists on the HD despite my full restore from Time Machine.

What the?

I assume that, because I wiped everything prior to the reinstall of High Sierra, something in High Sierra was then able to block the two virus-scanning programs from being restored by Time Machine. That's merely a guess, but the only possibility I can imagine.

I'll leave it to someone more knowledgeable than myself to explain whether that's realistic.

All I know for sure is that the virus-scanning programs, and YaroScanService, are gone from my iMac 27" desktop computer.

What worked for me was emptying my Downloads folder. Apparently, yarascan checks downloads folder after every restart. If the Downloads folder is full, yarascan will take time and resources to scan that folder. The amount of time yarascan runs is directly related to number of files in Downloads Folder. I had a bunch of archive files, installers, audio and video files in my Downloads folder, and yarascan ran about 8-10 minutes with each new restart. On a laptop running on battery, it generally used up 10% of battery before it finished scan. I completely emptied Downloads folder, and no more yarascan on startup. Emptying Download Folder will not remove yarascan from system. If I move files back into Downloads Folder and restart, yarascan will run on next restart. For, me (verified on 2 different machines), yarascan is directly related to files in Downloads Folder.

yes... and everything still runs fine... bit I noticed,youre on mavericks and I'm on high Sierra....

Do your commands remove the entire MRT folder of just target the Yaroscan?

The post should have read boot into the Recovery Partition, not the Safe Mode. Does it work if you boot into the Recovery Partition?