Security Update 2018-004 Sierra - memory leak

Just installed "macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan", and xpcproxy is swallowing all memory and all CPU resources. I don't have Time Machine; how can I fix it?


Can I roll back to the previous state of OS X? Or maybe I can restrict the size of memory for xpcproxy?


I've tried turning off all applications, network bandwidth - without anomalies.


I have about 10 min before all memory is eaten and OS X starts to freeze.

MacBook Pro with Retina display, macOS High Sierra (10.13.6)

Posted on Jul 10, 2018 2:32 AM

Question marked as Top-ranking reply

Posted on Jul 10, 2018 6:22 AM

I found xpcproxy -> MRT.

After just:

- reboot CMD+R

- csrutil disable

- reboot

- sudo mv /System/Library/CoreServices/MRT.app /home/user/not_used/

- reboot

- reboot CMD+R

- csrutil enable


And now it's fixed, but I don't want to lose the opportunity to be safe (MRT disabled).

And what's strange, I can't find any information about Malware Removal Tools on http://support.apple.com/


I hope they will fix it in the future.


MacOS High Sierra

version 10.13.6

MacBook Pro (Retina 15-inch, Late 2013)

Memory 16GB

2,3 GHz Intel Core i7

13 replies

Jul 10, 2018 4:16 AM in response to VladimirSni

Try clicking on the battery icon on the menu bar, and see what application is using a lot of resources. That is probably the one that is pushing xpcproxy to such high usage.


Try force-quitting xpcproxy from the Activity Monitor window.


This seems to have been reported in a few cases right after an update in the past, in different OS versions and with seemingly different applications involved, and it is not clear to me if there is a connection.

Jul 10, 2018 12:07 PM in response to Luis Sequeira1

OK, I did it, and it did not work:

- Reset to default values all settings in Cocktail, reboot

- Rebuild some Database from Cocktail, reboot

- Uninstall Cocktail within reset to default all system settings, reboot

- Uninstall Image Software (Fotor and some), reboot


New report:

EtreCheck version: 4.3.4 (4D037)

Report generated: 2018-07-10 21:56:34

Download EtreCheck from https://etrecheck.com

Runtime: 2:45

Performance: Excellent



Problem: Other problem



Major Issues:

Anything that appears on this list needs immediate attention.

No Time Machine backup - Time Machine backup not found.

System Integrity Protection disabled - System Integrity Protection is disabled. This computer is at risk of malware infection.



Minor Issues:

These issues do not need immediate attention but they may indicate future problems.

Heavy RAM usage - This machine is using a large amount of RAM.

High battery cycle count - Your battery may be losing capacity.

Apps with heavy CPU usage - There have been numerous cases of apps with heavy CPU usage.

32-bit Apps - This machine has 32-bits apps that may have problems in the future.



Hardware Information:

MacBook Pro (Retina, 15-inch, Late 2013)

MacBook Pro Model: MacBookPro11,3

1 2,3 GHz Intel Core i7 (i7-4850HQ) CPU: 4-core

16 RAM - Not upgradeable

BANK 0/DIMM0 - 8 GB DDR3 1600 ok

BANK 1/DIMM0 - 8 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 904



Video Information:

Intel Iris Pro - VRAM: 1536 MB

Color LCD

NVIDIA GeForce GT 750M - VRAM: 2048 MB



Drives:

disk0 - APPLE SSD SM0512F 500.28 GB (Solid State - TRIM: Yes)

Internal PCI 5.0 GT/s x2 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 500.07 GB

disk1s1 - Macintosh HD (APFS) 500.07 GB (361.99 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 500.07 GB (21 MB used)

disk1s3 - Recovery (APFS) [Recovery] 500.07 GB (519 MB used)

disk1s4 - VM (APFS) [APFS VM] 500.07 GB (20 KB used)



Mounted Volumes:

disk1s1 - Macintosh HD 500.07 GB (137.37 GB free)

APFS

Mount point: /

Encrypted



disk1s4 - VM [APFS VM] 500.07 GB (137.37 GB free)

APFS

Mount point: /private/var/vm


Network:

Interface Bluetooth-Modem: Bluetooth DUN

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

One IPv4 address

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge



System Software:

macOS High Sierra 10.13.6 (17G65)

Time since boot: Less than an hour

System Load: 12.77 (1 min ago) 5.88 (5 min ago) 2.37 (15 min ago)



Security:

System Status

Gatekeeper Mac App Store and identified developers

System Integrity Protection disabled



32-bit Applications:

2 32-bit apps



System Launch Agents:

[Not Loaded] 9 Apple tasks

[Loaded] 175 Apple tasks

[Running] 109 Apple tasks

[Other] One Apple task



System Launch Daemons:

[Not Loaded] 37 Apple tasks

[Loaded] 185 Apple tasks

[Running] 115 Apple tasks



Launch Agents:

[Running] com.bjango.istatmenus.agent.plist (Bjango Pty Ltd - installed 2018-03-01)

[Running] com.bjango.istatmenus.status.plist (Bjango Pty Ltd - installed 2018-03-01)



Launch Daemons:

[Loaded] com.bjango.istatmenus.installerhelper.plist (Bjango Pty Ltd - installed 2018-01-21)

[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2018-07-04)

[Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-03-27)

[Running] com.bjango.istatmenus.daemon.plist (Bjango Pty Ltd - installed 2018-03-01)



User Login Items:

iTunesHelper Application (Apple - installed 2018-07-10)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Parallels Toolbox Application (Parallels International GmbH - installed 2018-06-07)

(/Users/***/.Trash/Parallels Toolbox.app)

Viber Application (? - installed 2018-07-03)

(/Applications/Viber.app)



Internet Plug-ins:

FlashPlayer-10.6: 29.0.0.140 (installed 2018-04-29)

QuickTime Plugin: 7.7.3 (installed 2018-07-10)

Flash Player: 29.0.0.140 (installed 2018-04-29)



Safari Extensions:

OpenIE.safariextz - Parallels - http://www.parallels.com (installed 2018-02-27)



3rd Party Preference Panes:

Flash Player (installed 2018-03-27)

FUSE (installed 2017-09-21)



Time Machine:

Time Machine Not Configured!



Top Processes by CPU:

Process (count) Source % of CPU Location

YaraScanService Apple 76

WindowServer Apple 7

sandboxd Apple 3

MRT Apple 2

kernel_task Apple 2



Top Processes by Memory:

Process (count) Source RAM usage Location

YaraScanService Apple 7.31 GB

kernel_task Apple 1.13 GB

mdworker (15) Apple 281 MB

Viber ? 245 MB /Applications/Viber.app

WhatsApp Helper (2) Mac App Store 243 MB



Top Processes by Network Use:

Process Source Input Output Location

Mail Apple 66 KB 8 KB

apsd Apple 10 KB 18 KB

mDNSResponder Apple 14 KB 10 KB

Viber ? 15 KB 6 KB /Applications/Viber.app

WhatsApp Mac App Store 10 KB 5 KB



Top Processes by Energy Use:

Process (count) Source Energy (0-100) Location

coreservicesd Apple 28

ForkLift Mac App Store 4

YaraScanService Apple 3

WindowServer Apple 1

mds Apple 1



Virtual Memory Information:

Available RAM 3.77 GB

Free RAM 498 MB

Used RAM 12.23 GB

Cached files 3.28 GB

Swap Used 0 B



Software Installs (past 30 days):

Name Version Install Date

Numbers 5.0 2018-06-15

WhatsApp 0.2.9739 2018-06-19

Fotor Photo Editor 3.5.1 2018-06-24

Telegram 4.1 2018-06-30

iTunes 12.8 2018-07-10



Diagnostics Information (past 7 days):

2018-07-10 20:13:12 ForkLift.app CPU

/Applications/ForkLift.app



2018-07-10 12:24:25 MRT.app CPU

/System/Library/CoreServices/MRT.app





End of report

Jul 10, 2018 8:07 AM in response to Luis Sequeira1

Ok, here:

EtreCheck version: 4.3.4 (4D037)

Report generated: 2018-07-10 17:46:05

Download EtreCheck from https://etrecheck.com

Runtime: 3:01

Performance: Good



Problem: Other problem

Description:

MRT gobbling all memory



Major Issues:

Anything that appears on this list needs immediate attention.

No Time Machine backup - Time Machine backup not found.



Minor Issues:

These issues do not need immediate attention but they may indicate future problems.

Heavy RAM usage - This machine is using a large amount of RAM.

High battery cycle count - Your battery may be losing capacity.

Unsigned files - There are unsigned software file installed. They appear to be legitimate but should be reviewed.

32-bit Apps - This machine has 32-bits apps that may have problems in the future.



Hardware Information:

MacBook Pro (Retina, 15-inch, Late 2013)

MacBook Pro Model: MacBookPro11,3

1 2,3 GHz Intel Core i7 (i7-4850HQ) CPU: 4-core

16 RAM - Not upgradeable

BANK 0/DIMM0 - 8 GB DDR3 1600 ok

BANK 1/DIMM0 - 8 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 904



Video Information:

Intel Iris Pro - VRAM: 1536 MB

NVIDIA GeForce GT 750M - VRAM: 2048 MB

Color LCD



Drives:

disk0 - APPLE SSD SM0512F 500.28 GB (Solid State - TRIM: Yes)

Internal PCI 5.0 GT/s x2 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 500.07 GB

disk1s1 - Macintosh HD (APFS) 500.07 GB (361.60 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 500.07 GB (21 MB used)

disk1s3 - Recovery (APFS) [Recovery] 500.07 GB (519 MB used)

disk1s4 - VM (APFS) [APFS VM] 500.07 GB (1.07 GB used)



Mounted Volumes:

disk1s1 - Macintosh HD 500.07 GB (136.70 GB free)

APFS

Mount point: /

Encrypted



disk1s4 - VM [APFS VM] 500.07 GB (136.70 GB free)

APFS

Mount point: /private/var/vm


Network:

Interface Bluetooth-Modem: Bluetooth DUN

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

One IPv4 address

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge



System Software:

macOS High Sierra 10.13.6 (17G65)

Time since boot: About an hour

System Load: 1.70 (1 min ago) 1.54 (5 min ago) 1.43 (15 min ago)



Security:

System Status

Gatekeeper Mac App Store and identified developers

System Integrity Protection Enabled



Unsigned Files:

Launchd: /Library/LaunchAgents/com.maintain.LogOut.plist

Executable: /usr/bin/osascript -e delay 3 -e try -e do shell script "killall Cocktail" -e end try -e ignoring application responses -e try -e tell application "System Events" to log out -e end try -e end ignoring

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchAgents/com.maintain.Sleep.plist

Executable: /usr/bin/osascript -e delay 3 -e try -e do shell script "killall Cocktail" -e end try -e ignoring application responses -e try -e tell application "System Events" to sleep -e end try -e end ignoring

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchAgents/com.maintain.Restart.plist

Executable: /usr/bin/osascript -e delay 3 -e try -e do shell script "killall Cocktail" -e end try -e ignoring application responses -e try -e tell application "System Events" to restart -e end try -e end ignoring

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.maintain.CocktailScheduler.plist

Executable: /usr/bin/osascript -e try -e set schedulerOwner to do shell script "defaults read /Library/'Application Support'/Cocktail/Scheduler.plist SchedulerOwner" -e do shell script "users" -e if the result contains schedulerOwner then -e do shell script "/bin/sh /Library/'Application Support'/Cocktail/Scheduler.sh" -e end if -e end try

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchAgents/com.maintain.ShutDown.plist

Executable: /usr/bin/osascript -e delay 3 -e try -e do shell script "killall Cocktail" -e end try -e ignoring application responses -e try -e tell application "System Events" to shut down -e end try -e end ignoring

Details: Exact match found in the whitelist - probably OK





32-bit Applications:

2 32-bit apps



System Launch Agents:

[Not Loaded] 7 Apple tasks

[Loaded] 169 Apple tasks

[Running] 116 Apple tasks

[Other] 2 Apple tasks



System Launch Daemons:

[Not Loaded] 37 Apple tasks

[Loaded] 182 Apple tasks

[Running] 116 Apple tasks

[Other] One Apple task



Launch Agents:

[Running] com.maintain.SystemEvents.plist (Apple - installed 2018-05-30)

[Not Loaded] com.maintain.ShutDown.plist (? 9b7e817c - installed 2018-03-28)

[Not Loaded] com.maintain.Restart.plist (? 5421a7fd - installed 2018-03-28)

[Not Loaded] com.maintain.LogOut.plist (? 1d95663e - installed 2018-03-28)

[Not Loaded] com.maintain.PurgeInactiveMemory.plist (Apple - installed 2018-07-04)

[Running] com.bjango.istatmenus.agent.plist (Bjango Pty Ltd - installed 2018-03-01)

[Running] com.bjango.istatmenus.status.plist (Bjango Pty Ltd - installed 2018-03-01)

[Not Loaded] com.maintain.Sleep.plist (? 94f768ba - installed 2018-03-28)



Launch Daemons:

[Not Loaded] com.maintain.CocktailScheduler.plist (? 300b8a41 - installed 2018-03-28)

[Loaded] com.bjango.istatmenus.installerhelper.plist (Bjango Pty Ltd - installed 2018-01-21)

[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2018-07-04)

[Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-03-27)

[Not Loaded] com.maintain.HideSpotlightMenuBarIcon.plist (Apple - installed 2018-01-21)

[Running] com.bjango.istatmenus.daemon.plist (Bjango Pty Ltd - installed 2018-03-01)



User Login Items:

iTunesHelper Application (Apple - installed 2018-07-10)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Parallels Toolbox Application (Parallels International GmbH - installed 2018-06-07)

(/Users/***/.Trash/Parallels Toolbox.app)

Viber Application (? - installed 2018-07-03)

(/Applications/Viber.app)



Internet Plug-ins:

FlashPlayer-10.6: 29.0.0.140 (installed 2018-04-29)

QuickTime Plugin: 7.7.3 (installed 2018-07-10)

Flash Player: 29.0.0.140 (installed 2018-04-29)



Safari Extensions:

OpenIE.safariextz - Parallels - http://www.parallels.com (installed 2018-02-27)



3rd Party Preference Panes:

Flash Player (installed 2018-03-27)

FUSE (installed 2017-09-21)



Time Machine:

Time Machine Not Configured!



Top Processes by CPU:

Process (count) Source % of CPU Location

WindowServer Apple 9

com.apple.WebKit.WebContent (11) Apple 7

coreaudiod Apple 7

kernel_task Apple 3

prl_vm_app Parallels International GmbH 2



Top Processes by Memory:

Process (count) Source RAM usage Location

prl_vm_app Parallels International GmbH 2.95 GB

kernel_task Apple 1.38 GB

com.apple.WebKit.WebContent (11) Apple 1.19 GB

Finder Apple 702 MB

WhatsApp Helper (2) Mac App Store 387 MB



Top Processes by Network Use:

Process Source Input Output Location

Mail Apple 144 KB 40 KB

mDNSResponder Apple 112 KB 37 KB

Viber ? 32 KB 50 KB /Applications/Viber.app

WhatsApp Mac App Store 30 KB 11 KB

apsd Apple 15 KB 21 KB



Top Processes by Energy Use:

Process (count) Source Energy (0-100) Location

coreaudiod Apple 8

WindowServer Apple 5

com.apple.WebKit.WebContent (11) Apple 3

prl_vm_app Parallels International GmbH 2

iStat Menus Status Bjango Pty Ltd 0



Virtual Memory Information:

Available RAM 4.43 GB

Free RAM 807 MB

Used RAM 11.57 GB

Cached files 3.64 GB

Swap Used 0 B



Software Installs (past 30 days):

Name Version Install Date

Numbers 5.0 2018-06-15

WhatsApp 0.2.9739 2018-06-19

Fotor Photo Editor 3.5.1 2018-06-24

Telegram 4.1 2018-06-30

iTunes 12.8 2018-07-10



Diagnostics Information (past 7 days):

2018-07-10 12:24:25 MRT.app CPU

/System/Library/CoreServices/MRT.app





End of report


This report was generated after disabling MRT.

I know all these mentioned apps.

All apps were installed from official sites or the App Store.

I have used all these apps for many years, except "Fotor Photo Editor".

Swap disabled manually.

"Cocktail" - trusted application too.


Thanks for help!

Jul 10, 2018 8:35 AM in response to VladimirSni

It may be trusted, but I would try uninstalling Cocktail.

One particularly bothersome name showed up, "purgeinactivememory" - that is something that used to help in some cases in the old days (that is, until Mountain Lion), when the system apparently was holding on to memory it was not supposed to. Ever since Mavericks (10.9), the way the OS handles memory makes it a big no-no to try and purge memory. It is running counter to the normal OS use. At the very least it is hurting performance, instead of helping; at worst, it may cause memory errors.

Aug 11, 2018 7:38 AM in response to VladimirSni

Yeah... I'm not sure why this wasn't mentioned earlier, but did you notice anything off about those Launch Agents? They're all from that software, no clue what it is, doesn't matter, but the plists are clearly labeled "com.maintain"... but they are all listed as ? or "Apple" as the origin on the content. They're obviously not authentic Apple items, which would start with com.apple. It sure seems like that app was, shall we say, crafted, although it's important to consider this probably wasn't the initial entry point of your issues.


Since you've already interacted with this software uh report, I might as well mention a few things:

  1. What are the 32 bit processes? In Activity Monitor you can add a 32-bit column to see them (in the CPU tab View > Columns > Kind)
  2. In top energy using processes - YaraScanService - Are you familiar with Yara at all? Not saying this program (assuming it's authentic) is bad in any way. The question is why is it using so much energy?
  3. "Flash player" is never worth it
  4. You've set up or used a software-based network that accesses the internet from your cell phone and then shares its internet connection with other devices over Bluetooth? And also a second similar dedicated local network for sharing data between devices within Bluetooth range of each other?
  5. Uh, what unsigned files are failing code signing?
  6. Let's say the apps you uninstalled were the issue... and it's related to xpcproxy nonsense... it might be too late since the app might be more like a housewarming present.

See the item about libxpc. About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Ca… It's important to note that the specific patch being mentioned for 10.13.5 was released before CVE-2018-4237 which is related to several other similar items. The documentation implies that (as always is the case) there will be additional patches required.

You're having issues with suspicious programs/activity so you trust anonymous internet users who say "download this and don't ask why it's not in the app store" and with your SIP disabled. Well at least you're adventurous! It might be helpful going forward to evaluate who you trust and for what reasons.
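Added example (not part of any post in this thread, and not EtreCheck's own code): a small parser for the "Launch Agents" and "Launch Daemons" lines of the report posted above. It lists the entries where no signer was identified, or where the source is reported as Apple while the plist label is not `com.apple.*`. The function names and the two review rules are assumptions made for illustration.

```python
import re

# Entries copied from the EtreCheck report posted earlier in this thread.
SAMPLE_REPORT = """\
Launch Agents:
[Running] com.maintain.SystemEvents.plist (Apple - installed 2018-05-30)
[Not Loaded] com.maintain.ShutDown.plist (? 9b7e817c - installed 2018-03-28)
[Running] com.bjango.istatmenus.agent.plist (Bjango Pty Ltd - installed 2018-03-01)
Launch Daemons:
[Not Loaded] com.maintain.CocktailScheduler.plist (? 300b8a41 - installed 2018-03-28)
[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2018-07-04)
[Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-03-27)
User Login Items:
Viber Application (? - installed 2018-07-03)
"""

SECTIONS = ("Launch Agents:", "Launch Daemons:")
ENTRY = re.compile(
    r"^\[(?P<state>[^\]]+)\]\s+(?P<plist>\S+\.plist)\s+"
    r"\((?P<source>.+?) - installed (?P<date>\d{4}-\d{2}-\d{2})\)$"
)

def parse_launchd_entries(report):
    """Return one dict per third-party launchd entry in the two sections."""
    entries, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines separate entries on the page
        if line in SECTIONS:
            section = line.rstrip(":")
        elif line.endswith(":"):
            section = None                # any other heading ends the section
        elif section:
            m = ENTRY.match(line)
            if m:
                entries.append({"section": section, **m.groupdict()})
    return entries

def review_reasons(entry):
    """Hypothetical triage rules; a hit means 'look closer', not 'malicious'."""
    reasons = []
    if entry["source"].startswith("?"):
        reasons.append("no signer identified")
    # The label is chosen by whoever installs the plist, so it proves nothing
    # by itself; a mismatch with the reported source is only a prompt to check.
    if entry["source"] == "Apple" and not entry["plist"].startswith("com.apple."):
        reasons.append("reported as Apple but label is not com.apple.*")
    return reasons

def flag_for_review(report):
    flagged = {}
    for entry in parse_launchd_entries(report):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry["plist"]] = reasons
    return flagged

if __name__ == "__main__":
    for plist, reasons in flag_for_review(SAMPLE_REPORT).items():
        print(f"{plist}: {'; '.join(reasons)}")
```

For each flagged entry, the next step is to open the plist, read the program it launches, and check that program's signature with `codesign`.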

Sep 20, 2018 3:04 AM in response to Jordan_314

This yara thing scans your Downloads folder every time. There is no problem if this folder does not have a lot of files. Unfortunately, a lot of people never clean this folder up, leaving it with stuff they downloaded and do not care about.


Move stuff off of your Downloads folder and the problem will go away.

Yarascan service may run for a few milliseconds and disappear without you even noticing it did its thing.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
