
What is "YaraScanService" and why does it hog all my RAM?

What is the process "YaraScanService" and why does it hog all my RAM?

What does it do? And can I safely get rid of it?



I'm running High Sierra 10.13.6 on a Mac Pro (mid-2010) with 17GB RAM.

Mac Pro, macOS High Sierra (10.13.2), 2.8 GHz Quad-Core Intel Xeon

Posted on Jul 13, 2018 7:32 PM

62 replies

Jul 14, 2018 6:49 AM in response to Sweejak

Hi Sweejak,


In the past, have you tested on your Mac (even if trashed since) any antivirus other than Sophos?


Are your settings in Sophos different from mine? (** scan inside archives **, ** files on network ** notably?)




You didn't tell us the version and date of creation/modification of your MRT.app; could you? Is it older, which could indicate an old virus/antivirus install at this location, or newer than mine, which could indicate a pre-Mojave Apple bug?


Regards.

Jul 13, 2018 10:08 PM in response to Sweejak

Any advice on how to get rid of it?

Sorry, no.

There have been several threads here on it. Maybe they offer something.


As I previously stated, it may have some hardware dependencies that make it happen, though I don't think I've ever heard of Apple modifying app bundles on a machine by machine basis.

I'm on a 2010 MacBook Pro, so mine doesn't support anything remotely new.

Jul 13, 2018 11:28 PM in response to Sweejak

Not really a solution, but... Maybe you can... Use this app http://www.etrecheck.com/ (widely used in this forum) to check your system and clean some suspect files usually found in /Library/LaunchAgents/ or /Library/LaunchDaemons/

Clean as advised. Restart and see how it evolves.

If nothing better, you can at least give further information to people more experienced than me (who probably are about to wake up) 😉


Regards.

Jul 14, 2018 7:15 AM in response to Barney-15E

Indeed. No need for another thread.


quote: "Some people have an XPCService installed and some do not."


Yup, but YaraScanService, the main problem here, seems to be (only?) present in /System/Library/CoreServices/MRT.app's XPCServices folder. The ones who don't have an XPCServices folder at this location don't have YaraScanService wallowing in their memory (to my knowledge) (we need others to comment about that).


I assume (until somebody proves the contrary to me with pictures showing it elsewhere) that YaraScanService exists only at this location. Therefore, only the systems having XPCServices/YaraScanServices.xpc in their MRT.app can see the YaraScanService process eating all their memory, which may cause problems (or not, actually, but such huge consumption is abnormal in any case).


quote from the Net: "XPC is a technology for cross-process communication. It basically defines a way 2 running processes can talk to each other."


It seems obvious to me, as it does to you, that a process that needs to "talk" with macOS' integrated Malware Removal Tool could only be either an antivirus or a virus...

Jul 14, 2018 7:37 AM in response to Sweejak

Remove Sophos per vendor instructions, reboot, and test again.


YARA is an open-source rules-scanning tool. This is probably something odd or wrong within Sophos.


Anti-malware tools are complex and pragmatically very difficult to differentiate from malware in the ways that the tools hook into the host operating system.


Various anti-malware packages have had long and storied histories of causing instabilities and flaky behaviors and crashes and the occasional fails-to-boot problems, of introducing security vulnerabilities, and unfortunately also of sometimes not even solving the intended problems.

Jul 14, 2018 7:47 AM in response to MrHoffman

Hi,


Yep, the only problem (and not the least) is that I have the same macOS version as Sweejak, the same Sophos, and NO YaraScanServices.xpc in my MRT.app. There are two of us in this thread who have NO YaraScanServices, one with Sophos and the other (as I believe I understood) with no antivirus...


I would gladly advise myself, too, to uninstall Sophos (or any antivirus), as we could consider macOS safe enough, IF only I had the least clue about how this supposed "Malware Removal Tool" from Apple is supposed to WARN us about the malware that it is (supposed to) discover...


Mojave beta's MRT.app seems to cause serious problems too, given all that I read on the Internet...


Frankly, all these successive layers of clumpy and clingy processes added by Apple, one on top of another, supposedly to "improve our security", are beginning to @#$$ me off just a tad...


Regards.

Jul 14, 2018 7:55 AM in response to MrHoffman

quote: "Anti-malware tools are complex and pragmatically very difficult to differentiate from malware in the ways that the tools hook into the host operating system."


Yep, mostly because they are themselves considered "malware" by the scans of their competitors... 😁


I totally agree with you about the fact that antiviruses cause many more problems than they resolve (I mean, more precisely, than they resolve BEFORE your whole Mac has already been entirely plagued...)

Jul 14, 2018 8:09 AM in response to Almojgar

There are some misunderstandings going on in this thread, so let me try to clarify a few points:


1) Unless the user disables SIP, no software is allowed to install inside /System, and in particular inside /System/Library.

2) This yaraservice thing is part of the system and not due to some third party antivirus

3) Having it, or xpc, does NOT mean it hogs the cpu.


FWIW, I have never installed any antivirus, I have yaraservice (though, as is clear from my previous post, I never even knew what it was until this thread), and it is not hogging my cpu.

Jul 14, 2018 8:17 AM in response to Luis Sequeira1

quote: "FWIW, I have never installed any antivirus, I have yaraservice (though, as is clear from my previous post, I never even knew what it was until this thread), and it is not hogging my cpu."


You're lucky; with YaraScanServices, a considerable number of people on the Net are reporting 120 to 200% CPU usage. Most of those who are complaining about YaraScanServices have installed the Mojave beta.


Update: I have set Sophos to the most complex scan preferences and I'm presently scanning. All that I see from Sophos in my Activity Monitor rarely exceeds 0.2% of CPU and 20MB of RAM. NO YaraScanServices (of course, I'd say) (so it is obviously, indeed, not linked to this antivirus).

Jul 14, 2018 8:57 AM in response to Almojgar

quote: "This yaraservice thing is part of the system"


NOT mine: 10.13.6 (17G65)

NOT the one of Barney-15E

We are waiting for others to report.


quote: "Having it [...] does NOT mean it hogs the cpu."


Obviously it hogs the CPU of many people around here...


https://www.reddup.co/r/MacOS/comments/8uo0qu/is_yarascanservice_eating_up_anyone_elses_ramcpu


Probably you have a machine with 64GB of RAM and a perfectly clean system; therefore the interactions between this new "part of the system" and ALL the other possible processes that 99% of The People have usually had on their Macs for decades may have escaped your attention.
