yarascanservice using 100gb of memory..

I saw a YaraScanService processing using lots of CPU on my new MacBook after I updated to 10.13.6. When I look in Console/System Reports, I found a diagnostic report about it:

======

Date/Time: 2018-07-13 16:17:34.364829 -0700

OS Version: Mac OS X 10.13.6 (Build 17G65)

Architecture: x86_64

Report Version: 19

Command: YaraScanService

Path: /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/C ontents/MacOS/YaraScanService

Version: 1.0 (1)

Build Version: 1

Project Name: MRTBinaries

Source Version: 43000000000000

Parent: launchd [1]

Responsible: MRT [1397]

PID: 1482

Event: cpu usage

Action taken: none

CPU: 90 seconds cpu time over 157 seconds (57% cpu average), exceeding limit of 50% cpu over 180 seconds

CPU limit: 90s

Limit duration: 180s

CPU used: 90s

===========

It seems clear that it is now a part of CoreServices and they added a check to limit its CPU usage to 90 seconds of CPU in 180 seconds.

Your mileage may vary.

Duration: 156.63s

Steps: 162

It appears you have the antivirus, VirusTotal, installed. For additional information on this read https://www.reddit.com/r/MacOS/comments/8uo0qu/is_yarascanservice_eating_up_anyo ne_elses_ramcpu/

I sugest you uninstall it.

I’m also seeing this. Googling suggests it’s part of the Malware Removal Tool (MRT), which I presume was newly installed with 10.13.6. From what I read, if you kill the process, it’ll restart in an hour. I’m not doing anything on the iMac right now, so I’m inclined to let it run for a while and see if it releases all the resources it’s hogging during the scan (up to 60GB as I type).

This is definitely something that needs to be addressed. It should cruise along in the background, as unobtrusively as possible.

*Update*: it either quit (or crashed? who knows?) after running about an hour. Hopefully, it won’t need to get quite so hoggish on its next run.

I have exactly the same problem following upgrade to release version of 10.13.6 yesterday. Like you I have no antivirus installed. I quit the service with 80Gb of memory being consumed. Waiting to see if it restarts. I was also altered to the fact by CleanMyMac 3.

I don't have yarascan on my mac, so it is not part of 10.13.6.

I had never heard of it, but a quick google search is easy to do.

Here is the yara page on github: https://virustotal.github.io/yara/

Its description makes it clear that if it is on your mac it is for certain as a part of some antivirus package or similar.

ericf2000 wrote:

I saw a YaraScanService processing using lots of CPU on my new MacBook after I updated to 10.13.6. When I look in Console/System Reports, I found a diagnostic report about it:

======

Date/Time: 2018-07-13 16:17:34.364829 -0700

OS Version: Mac OS X 10.13.6 (Build 17G65)

Architecture: x86_64

Report Version: 19

Command: YaraScanService

Path: /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/C ontents/MacOS/YaraScanService

Version: 1.0 (1)

Build Version: 1

Thank you for pointing this out. I stand corrected.

It seems clear that it is now a part of CoreServices

Except, I don't have it on either of my Macs.

You would have to disable SIP to install something into an App bundle inside the System folder, so I would likely agree it must be part of the OS. The question then arrises as to why some of us do not have it.

It seems clear that it is now a part of CoreServices

Well, maybe to you it does, but I have see no evidence that this is true.

Perhaps you have installed something like "Clean My Mac," and are not considering it as an anti-virus software.

Lanny wrote:

It seems clear that it is now a part of CoreServices

Well, maybe to you it does, but I have see no evidence that this is true.

Perhaps you have installed something like "Clean My Mac," and are not considering it as an anti-virus software.

A further data point. I never installed the infamous "cleanmymac" or any antivirus on my mac (in fact I've advocated against these tens, perhaps hundreds, of times on these forums).

I DO have this yaraservice on my mac running 10.13.6.

I just booted off a clone I made before updating from 10.13.4.

It is NOT there.

Since I updated directly from 10.13.4 to 10.13.6 (using the Combo update), I cannot say if this is new in 10.13.6 or if it appeared in 10.13.5, but I can say it is new, and is part of the system (I also never disabled SIP, for that matter).

Have you used Malwarebytes lately, they are on the list of Yarascan users.

This link concerns PCs, but the complaint seems similar: https://malwaretips.com/threads/malwarebytes-3-0-uses-a-lot-of-cpu-ram-and-slows -down-my-computers-how-about-you.67196/

OK. I downloaded the 10.13.6 Combo Update and this YaraScanService is in the package. However, I could not get it installed. I'm not sure how installer packages decide which packages to install and which to skip. Clearly, the YaraScanService has been skipped on every install I have.

It may be something where the YaraScanService only gets installed if you haven't updated your machine in some time. Inside the sub package BOM file, the date on MRT.app is June 7th. But the date on my existing 10.13.5 system is June 13th. It could be something where a previous update installed logic to block a particular piece of malware. But if you didn't get that update, you could have that malware installed. Therefore, the system installs the scanner to go look for it.

This is all speculation on my part. I have dived deep into Apple security update logic and only came out more confused than I started.

Clearly, the scanner shouldn't be using this much RAM and CPU. I encourage anyone who has encountered it to file a bug report at https://bugreport.apple.com

I don't know if this helps but I'm wondering if it depends on your generation of Apple computer.

It was running on my MacBook Pro 15" (mid-2010) which is currently on macOS High Sierra 10.13.6

As I watched it in the Activity Monitor, under Info, on the Open Files and Ports tab I saw it going through .mov, .jpg, and other image and video files. I killed it immediately because I didn't know what it was and my computer is too old to handle that much memory usage from one background process.

EDIT: Check this StackExchange post: memory - What is “YaraScanService” that shows up in macOS Mojave Beta (10.14) and macOS High Sierra (10.13.6)? - Super U…

Apparently YaraScan runs once after update and deletes itself.

See here for more info too: macos - MRT Process using large unbounded amount of memory - Ask Different

What worked for me was emptying my Downloads folder. Apparently, yarascan checks the Downloads Folder after each restart. If the Downloads folder is full, yarascan will take time and resources to scan that folder. The amount of time yarascan runs is directly related to number of files in Downloads Folder. I had a bunch of archive files, installers, audio and video files in my Downloads folder, and yarascan ran about 8-10 minutes with each new restart. On a laptop running on battery, it generally used up 10% of battery before it finished scan. I completely emptied Downloads folder, and no more yarascan on startup. Emptying Download Folder will not remove yarascan from system. If I move files back into Downloads Folder and restart, yarascan will run on next restart. For, me (verified on 2 different machines), yarascan is directly related to files in Downloads Folder.