What is "YaraScanService" and why does it hog all my RAM?

Thank you so much for your comment about the downloads folder. I had contacted apple support. They tried to disable the app but couldn't. I took your comment and created a new folder with a different name and moved all files from the download folder to it. Restarted and no more YaraScanService. My downloads folder had downloads from years and many GB. Apparently the update started scanning all files instead of just new files. It would only affect users with large accumulations of files.

What worked for me was emptying my Downloads folder. Apparently, yarascan checks Downloads Folder after every restart. If the Downloads folder is full, yarascan will take time and resources to scan that folder. The amount of time yarascan runs is directly related to number of files in Downloads Folder. I had a bunch of archive files, installers, audio and video files in my Downloads folder, and yarascan ran about 8-10 minutes with each new restart. On a laptop running on battery, it generally used up 10% of battery before it finished scan. I completely emptied Downloads folder, and no more yarascan on startup. Emptying Download Folder will not remove yarascan from system. If I move files back into Downloads Folder and restart, yarascan will run on next restart. For, me (verified on 2 different machines), yarascan is directly related to files in Downloads Folder.

You don't remove it. Just move files out of your Downloads folder.

This yaraservice will scan your Downloads folder every time; if you, like many people, keep thousands of files in there, basically anything and everything you ever downloaded, it will take ages. File them away somewhere else, and the problem disappears.

Remove Sophos per vendor instructions, reboot, and test again.

YARA is an open-source rules-scanning tool. This is probably something odd or wrong within Sophos.

Anti-malware tools are complex and pragmatically very difficult to differentiate from malware in the ways that the tools hook into the host operating system.

Various anti-malware packages have had long and storied histories of causing instabilities and flaky behaviors and crashes and the occasional-fails-to-boot problems, of introducing security vulnerabilities, and unfortunately also of of not sometimes even solving the intended problems.

Not really a solution, but... Maybe you can... Use this app http://www.etrecheck.com/ (widely used in this forum) to check your system and clean some suspect files usually found in /Library/LaunchAgents/ or /Library/LaunchDaemons/

Clean as advised. Restart and see how it evolves.

If nothing better, you can at least give further informations to people more experienced than me (who probably are about to wake up) 😉

Regards.

I posted in another thread my experiences with YaraScanServices. I noticed it running with high CPU usage on my new computer that I just updated to 10.13.6, but not for very long. I was looking for other things that might be slowing down my computer, so I was checking the Console/System Reports. I found a diagnostic report about YaraScanServices and it was located in the system Core Services (Path: /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/C ontents/MacOS/YaraScanService), so it has to be a new part of the MacOS 10.13.6. The diagnostic report also included information that the system was monitoring the YaraScanServices process to make sure it was not using too much CPU time:

======

Event: cpu usage

Action taken: none

CPU: 90 seconds cpu time over 157 seconds (57% cpu average), exceeding limit of 50% cpu over 180 seconds

CPU limit: 90s

Limit duration: 180s

CPU used: 90s

Duration: 156.63s

Steps: 162

======

This indicates to me that the system will automatically kill it if it uses more than 90 seconds of CPU time in three minutes of clock time. The report does not mention memory usage. It might use a lot of memory also, but it seems like the system will kill it after some minutes.

quote: "FWIW, I have never installed any antivirus, I have yaraservice (though, as is clear from my previous post, I never even knew what it was until this thread), and it is not hogging my cpu."

You're lucky, with YaraScanServices a considerable amount of people on the Net are reporting 120 to 200% of CPU usage. Most of them who are complaining about YaraScanServices have installed Mojave beta.

Update: I have set Sophos to the most complex scan preferences and I'm presently scanning. All what I see from Sophos in my Activity Monitor exceeds rarely the 0.2% of CPU and 20MB of RAM. NO YaraScanServices (of course, I'd say) (so it is obviously, indeed, not linked to this antivirus).

Hi Sweejak,

In the past, have you tested on you Mac (even trashed since) other antivirus than Sophos?

Is your settings in Sophos different than mine? (** scan inside archives **, ** files on network ** notably?)

You didn't tell us the version and date of creation/modif. of your MRT.app, could you? Is it older, that could indicate an old virus/antivirus install at this location, or newer than mine, that could indicate a pre-Mojave Apple bug.

Regards.

That thing will be integrated in Mojave, it is already on some High Sierra configs, therefore maybe it would be better to begin to concern right now. The problem is general, not only on beta. And not only with this YaraScanService. These processes use between 120 to 200% of your RAM, therefore the pigsty goes wallow to virtual memory and it's your disk that is impacted, 40GB, 90GB missing for the rest of your work just to help the system to cope with f@k#ing useless things like YaraScanService, CalNCService (Google), photoanalysisd (Apple Photo) and I don't know how many more not yet identified. Some here were stuck even with 32GB of RAM and ONLY YaraScanService. Imagine that somebody with 8GB have the three on his Mac. It's not exceptional tasks, it's not rare applications, it's the background tasks of your system!!. MacOS cannot work like this, it's pure delirious. You see what I mean?

OK. I downloaded the 10.13.6 Combo Update and this YaraScanService is in the package. However, I could not get it installed. I'm not sure how installer packages decide which packages to install and which to skip. Clearly, the YaraScanService has been skipped on every install I have.

It may be something where the YaraScanService only gets installed if you haven't updated your machine in some time. Inside the sub package BOM file, the date on MRT.app is June 7th. But the date on my existing 10.13.5 system is June 13th. It could be something where a previous update installed logic to block a particular piece of malware. But if you didn't get that update, you could have that malware installed. Therefore, the system installs the scanner to go look for it.

This is all speculation on my part. I have dived deep into Apple security update logic and only came out more confused than I started.

Clearly, the scanner shouldn't be using this much RAM and CPU. I encourage anyone who has encountered it to file a bug report at https://bugreport.apple.com

Hi,

Yara is an open source component of a lot of antivirus software. What is your antivirus?

Regards.

No, I have same 10.13.6 (17G65) (and same antivirus Sophos, incidentally 🙂) and I have no YaraScanService in my processes.

I have /System/Library/CoreServices/MRT.app version 1.35 (very recent, 14 june)

No problem. I don't understand...

Whatever Yarascan is it takes up all my RAM.

Except for crashing your Mac, that is the only thing AV software ever does.

Yara can be found here:

/System/Library/CoreServices/MRT.app/

Where did you find it in MRT? Mine has no reference to Yarascan. Perhaps it is machine specific.

Any advice on how to get rid of it?

Sorry, no.

There have been several threads here on it. Maybe they offer something.

As I previously stated, it may have some hardware dependencies that make it happen, though I don't think I've ever heard of Apple modifying app bundles on a machine by machine basis.

I'm on a 2010 MacBook Pro, so mine doesn't support anything remotely new.