Apple Event: May 7th at 7 am PT
What is the process "YaraScanService" and why does it hog all my RAM?
What does it do? And can I safely get rid of it?
I'm running High Sierra 10.13.6 on a Mac Pro (mid-2010) with 17GB Ram.
Mac Pro, macOS High Sierra (10.13.2), 2.8 GHz Quad-Core Intel Xeon
And, to answer in advance to the inevitable next advice that will sooner or later come here from one or another, NO we don't want to make any "clean install" by erasing everything on our Macs at each and every OS update. NEVER. We like to keep our personal thingies exactly where they are, and we are relying on Apple for removing, ITSELF, when it updates its OS, its own ill pigs from our stables.
LOL, well, that's pretty much how I feel about it, Almojgar although I am downloading a fresh install of Sierra to another drive and presumably I'll use Migration Assistant to get my work back up to speed. But how do I keep Yaro out? I have paying work to do and this sort of stuff seriously interferes. I suppose it wouldn't be so bad if I was a more advanced user. Generally, when something intractable shows up I just switch to a clone but both of them have the yaro virus Yes, I'll call it a virus.
BTW I removed Sophos I'll update on that when I reboot after the hours-long DL of Sierra.
I'm not sure that being a 'advanced' user helps much. Most of the advanced users I encounter here are so resigned by decades of servitude at rowing in macOS' galleys that they accept all the new slaps of their Master without moving one of their (bruised) ears.
New slaps like this one, for instance, or much better yet, yet another memory hog that is linked, it, to Apple Photo, the 'photoanalysisd' process. That thing spends all its time at accomplishing before your appalled eyes, at the price of around 120 to 200% of your CPU charge, this so marvelous "new feature" in macOS (hold your breath...): "Searching for Faces and objects in your photos" (= among your 97384+ photos...) (and consequently eats all your RAM for breakfast...)
This OS make us all live since decades in the House of the Mad Hatter, all this is totally nutcase, and more tragic yet, this is not professional.
I have the certainty that almost everybody here has bought his/her Macintosh ONLY, precisely, for working with. Not for counting sheeps on his/her family photos and the number of flower vase in his/her kitchen. That deep, dramatic, and persistant misunderstanding of the (real) 'expected behaviour' of the vast majority of Mac users is an absolute shame.
Additionally, I still don't know how they expect to make live in parallel 'YaraScanService' and 'photoanalysisd' on our systems but it promises to be dantesque.
As for removing it / solving this problem, I really don't know. If it is REALLY included deliberately by Apple in MRT.app, in Mojave and most recent updates of High Sierra (and if it is not some nasty virus that has taken its masquerade costume) we are doomed to see it reappear at every update...
Yup, but I'm still running the late and great Aperture and dread the Photos app.
We still don't know if this Yara thing is an actual Mac OS part or something else.
I suppose I could go to my oldest clone running 10.13.5 but there will be a lot of things that will have to be migrated.
Yep, the less one can tell, is that one doesn't simplify us work, nowadays... 😕
I use the magnificent Aperture, me too (the no more "supported" Aperture) (sigh...) (they really want our pelt, eh?)
That's why we haven't been plagued ALSO by Photo' ugly processes (contrary to a vast majority of users here and there...)
"except" that nasty thingy on your system, the last stable version of macOS 10.13.6 (17G65) seems to me decently stable... seen from here, at least...
So I just installed High Sierra on a reformatted drive, didn't transfer any apps or other stuff and there it is yarascam. From this, I have to conclude that Yara is indeed part of the Mac OS even if it feels like malware.
BTW, Almojgar, I'm still whining about glossy screens.
quote: "glossy screens" We really should create a club 😁
Yep, I suspected a tad that it will be still there (it is in next OS Mojave, definitely...). Yet another little companion for 'photoanalysisd'... 200% of RAM (each) 😕
Is the ugly thing still using tons of resources (in this state of your install) or has-it been a tad tamed?
I posted in another thread my experiences with YaraScanServices. I noticed it running with high CPU usage on my new computer that I just updated to 10.13.6, but not for very long. I was looking for other things that might be slowing down my computer, so I was checking the Console/System Reports. I found a diagnostic report about YaraScanServices and it was located in the system Core Services (Path: /System/Library/CoreServices/MRT.app/Contents/XPCServices/YaraScanService.xpc/C ontents/MacOS/YaraScanService), so it has to be a new part of the MacOS 10.13.6. The diagnostic report also included information that the system was monitoring the YaraScanServices process to make sure it was not using too much CPU time:
======
Event: cpu usage
Action taken: none
CPU: 90 seconds cpu time over 157 seconds (57% cpu average), exceeding limit of 50% cpu over 180 seconds
CPU limit: 90s
Limit duration: 180s
CPU used: 90s
Duration: 156.63s
Steps: 162
======
This indicates to me that the system will automatically kill it if it uses more than 90 seconds of CPU time in three minutes of clock time. The report does not mention memory usage. It might use a lot of memory also, but it seems like the system will kill it after some minutes.
As I was reading your post yarascan quit itself and it's not even visible on Activity Monitor. Well, what to say? If it just goes away I'd call that a "feature", but slowing your computer down to where one can hardly type is a bug.
If that thing does really the job which it is supposed to do (scan your disk for malwares) such peak of activity "could" be normal, especially if your disk is large.
As long as it doesn't block totally your system during this (cough) "background task", of course.
Anyway, all what we ask it for the moment — in its state of development — is to stop to monopolise all the resources "forever" (at least much longer than this, as described in the numerous complaints here and there).
Seems to me that, even if it is not yet a news to write home about, at least it's rather encouraging... I mean: at least now macOS knows how to stop it...
Almojgar, doesn't Spotlight work innocuously in the background? I was watching what yara was doing after the restart and it seemed to be paying particular attention to my downloads folder where I had a fair amount of zip files and backups from my Wordpress blog. It looked like it was doing what the optimists were suggesting it was doing. Anyway, I think I'm done with this issue and can get back to work. See you next time, you know there will be one!
I can't comment on any beta issues. I have not seen any massive reports of it anywhere but this thread. There is a similar thread in the Developer forums but it says pretty much the same as this thread. Some people say it is running on Sierra and High Sierra, and some people say it is on Mojave. Being a beta, it should be "reported" anywhere outside of any dedicated forums like the Developer forums.
That thing will be integrated in Mojave, it is already on some High Sierra configs, therefore maybe it would be better to begin to concern right now. The problem is general, not only on beta. And not only with this YaraScanService. These processes use between 120 to 200% of your RAM, therefore the pigsty goes wallow to virtual memory and it's your disk that is impacted, 40GB, 90GB missing for the rest of your work just to help the system to cope with f@k#ing useless things like YaraScanService, CalNCService (Google), photoanalysisd (Apple Photo) and I don't know how many more not yet identified. Some here were stuck even with 32GB of RAM and ONLY YaraScanService. Imagine that somebody with 8GB have the three on his Mac. It's not exceptional tasks, it's not rare applications, it's the background tasks of your system!!. MacOS cannot work like this, it's pure delirious. You see what I mean?
etresoft wrote:
Being a beta, it should be "reported" anywhere outside of any dedicated forums like the Developer forums.
Correction. Being a beta, it shouldn't be reported anywhere outside of authorized, Apple provided channels.
I can assure you that if I did encounter anything like that in my Developer beta of Mojave, I would file a bug report. I can't say anything more than that because this forum is not one of those authorized channels.
For now, my best guess is that it is an A/B test. Judging by what people report, it sounds like it fails that test. If you do have this software installed in your copy of Mojave, I suggest you erase the hard drive and reinstall.
OK. I downloaded the 10.13.6 Combo Update and this YaraScanService is in the package. However, I could not get it installed. I'm not sure how installer packages decide which packages to install and which to skip. Clearly, the YaraScanService has been skipped on every install I have.
It may be something where the YaraScanService only gets installed if you haven't updated your machine in some time. Inside the sub package BOM file, the date on MRT.app is June 7th. But the date on my existing 10.13.5 system is June 13th. It could be something where a previous update installed logic to block a particular piece of malware. But if you didn't get that update, you could have that malware installed. Therefore, the system installs the scanner to go look for it.
This is all speculation on my part. I have dived deep into Apple security update logic and only came out more confused than I started.
Clearly, the scanner shouldn't be using this much RAM and CPU. I encourage anyone who has encountered it to file a bug report at https://bugreport.apple.com
What is "YaraScanService" and why does it hog all my RAM?
