hoakley October 19, 2020 Macs, Technology, Updates

Apple has pushed updates to XProtect and MRT

Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2133 dated 19 October 2020, and to its malware removal tool MRT, bringing it to version 1.68, also dated 19 October 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names.

Changes found in the XProtect Yara definitions include the addition of a detection signature for MACOS.1f26189, and modifications to those for MACOS.8f20223, MACOS.1c119be, MACOS.8032420 and MACOS.e79dc35.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave, Catalina and Big Sur, available from their product page. If your Mac has not yet installed this update, you can force an update using SilentKnight, LockRattler, or at the command line.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

IMPORTANT NOTE for Sierra and El Capitan users:

There are reports below of MRT 1.68 causing severe problems. You may wish to avoid updating for the moment, by turning Software Update off for the time being. If you experience these problems after the update, try reverting /System/Library/CoreServices/MRT.app to its previous version, 1.67, from a backup. You’ll need to do that when booted from a different system, such as an external disk. Please report any problems to Apple Support so they’re aware of the situation.

88Comments

Add yours

1

Colin Sinclair on October 20, 2020 at 3:25 am

the MRT update today destroyed my computer so I had to delete MRT from my mac. I am running 10.11.3 old El Capitan. So I guess this version was just not going to work for me. It was running constantly for hours and hours at 100-200% CPU usage. I had no idea it was updated just today. Interesting.

LikeLiked by 3 people
2

Thibeaut HAYEM on October 20, 2020 at 8:04 am

Same here

LikeLiked by 1 person
3

EcleX on October 20, 2020 at 8:16 am

After updating, the trustd (107%) and mostly MRT (500%) goes over the roof in CPU usage, as MenuMeters and Activity Monitor shows. Is there a way to fix that? Thanks.

By the way, the other day was another update which you did not announce. I installed using SilentKnight and all went OK.

macOS 10.12.6 (16G2136) Sierra.

LikeLiked by 2 people
- 4
  
  EcleX on October 20, 2020 at 8:21 am
  
  Update: rebooting the Mac does not fix it. Where live such trustd and MRT in the Mac, to replace them with previous versions using Time Machine backup? Thanks.
  
  LikeLiked by 1 person
  - 5
    
    hoakley on October 20, 2020 at 8:29 am
    
    Thank you.
    MRT lives in /System/Library/CoreServices. trustd is one of the key security services, and I don’t think even on Sierra you can simply replace it. Not only that, but it isn’t changed by the MRT update, and would require a proper macOS updater to alter it. I recommend that you don’t try to fiddle with it, as you could end up with a lot of problems.
    Please – everyone who has problems with the MRT update – contact Apple Support so they know there’s a problem.
    Howard.
    
    LikeLike
- 6
  
  hoakley on October 20, 2020 at 8:26 am
  
  I’m sorry to hear that.
  You may need to reinstall Sierra and then block updates to address this problem.
  Apple gives no record of any update which has recently been released for Sierra, so I have no idea what that’s about. As you know, Sierra is long out of maintenance, so I’m puzzled as to what that could be.
  Howard.
  
  LikeLike
  - 7
    
    EcleX on October 20, 2020 at 8:30 am
    
    Thanks for the quick reply. Where live those updates in the Mac? As said, maybe it gets fixed replacing such items with the previous ones from backup.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on October 20, 2020 at 8:32 am
      
      If you have my SystHist utility, you can browse the contents of all system and security updates by date. That will tell you what has been installed in great detail.
      Howard.
      
      LikeLike
  - 9
    
    EcleX on October 20, 2020 at 8:32 am
    
    Oops! I have seen just your answer above. Sorry.
    
    LikeLiked by 1 person
  - 10
    
    EcleX on October 20, 2020 at 8:58 am
    
     STOP THE PRESS • GOOD NEWS • HERE IS THE FIX 
    
    Rebuilding PRAM did not fix it. But replacing MRT 1.68 with previous MRT 1.67 from Time Machine fixes it. Requires to boot from other disk, delete the application and replace it by drag & drop in the Finder from the Time Machine disk. Wow!!!
    
    On the other hand SystHist reported:
    
    MRTConfigData: 1.68 2020-10-20 08:10:26 +0000
    XProtectPlistConfigData: 2133 2020-10-20 08:10:26 +0000
    
    As said many times, pioneers get the arrows; settlers get the land!
    
    LikeLiked by 1 person
  - 11
    
    EcleX on October 20, 2020 at 8:59 am
    
    I meant, STOP THE PRESS.
    
    It would be convenient if the posts could be edited to correct errors, etc. Thanks.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on October 20, 2020 at 9:01 am
      
      I have corrected that for you.
      Yes, it would be convenient. However, I have no control over that, I’m afraid. I don’t have the option which would enable that.
      Howard.
      
      LikeLike
  - 13
    
    EcleX on October 20, 2020 at 11:03 am
    
    Thanks. Since the CPU issue described above arose due to the MRT and not to the XProtect or other component update, it would be useful if SilentKnight allowed to update individual components only. That is just a suggestion for your consideration.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on October 20, 2020 at 11:07 am
      
      Thank you. You have made this suggestion before, and I have explained that this is a feature of LockRattler. If you wish to install individual named updates alone, please use that. It’s the same price – free, of course.
      Howard.
      
      LikeLike
  - 15
    
    EcleX on October 20, 2020 at 11:33 am
    
    Thanks. I suggested that because SilentKnight is much easier to use than LockRattler. Mostly for novice users. With such a feature, SilentKnight would be perfect!
    
    🙂
    
    LikeLiked by 1 person
    - 16
      
      hoakley on October 20, 2020 at 9:09 pm
      
      OK: I think I’ve worked out a way of adding this feature without making SilentKnight any more difficult to use. Version 1.11 will be available shortly, and detailed in the morning.
      Howard.
      
      LikeLike
  - 17
    
    EcleX on October 20, 2020 at 12:26 pm
    
    Additionally, I do not know if that is possible, but it would be great if SilentKnight could downgrade a particular component to a previous version, to fix issues like the described above.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on October 20, 2020 at 9:02 pm
      
      Apple doesn’t distribute or make available previous versions of these software updates, and there’s no way to obtain them from Apple, I’m afraid.
      Howard.
      
      LikeLike
- 19
  
  R on October 23, 2020 at 3:22 am
  
  Confirming absolutely the same symptoms ( the trustd and mostly MRT goes over the roof in CPU usage, ) on Siera for last couple days . that drama brought me here
  
  LikeLiked by 1 person
20

Thibeaut Hayem on October 20, 2020 at 3:36 pm

Anybody who can upload the 1.67 version of MRT for El Capitan ?

That would be appreciated 🙂

LikeLike
- 21
  
  hoakley on October 20, 2020 at 9:01 pm
  
  Unfortunately, it’s not so simple.
  MRT is Apple proprietary software, and couldn’t be distributed without a licence.
  MRT isn’t distributed as an Installer, but a package for softwareupdate, which is removed as soon as it’s installed.
  In order to install an old version, it would need to be packaged into an installer, with scripts, and signed by Apple, as it changes the system.
  And you really really wouldn’t want to download and install security software from anyone other than Apple. You’d never know whether it was malicious.
  Howard.
  
  LikeLike
- 22
  
  EcleX on October 21, 2020 at 7:35 am
  
  If you have a backup, or even other Mac with older version, you could replace the newer MRT by the previous one, as I described above.
  
  LikeLiked by 1 person
  - 23
    
    Thibeaut HAYEM on October 21, 2020 at 7:47 am
    
    Unfortunately, i haven’t got any backup or older version… That’s why i was asking for a hand 😉
    my fix for now is to erase the mrt and block softwareupdated in Little snitch..
    
    thanks both of you for your answers. 🙂
    
    LikeLiked by 1 person
24

AYaskevich on October 20, 2020 at 5:16 pm

The same with Catalina 10.15.7. Constant 100% CPU usage for 8 hours.
And lots of errors in console:

20:15:46.637866+0300 kernel Sandbox: MRT(8121) System Policy: deny(1) file-read-metadata /private/var/folders/_6/r5pq_2vj393dl69grtddknb00000gn/0/com.apple.lockoutagent
20:15:46.663815+0300 kernel Sandbox: MRT(8121) System Policy: deny(1) file-read-metadata /private/var/db/CoreDuet/Knowledge/knowledgeC.db
20:15:46.663913+0300 kernel Sandbox: MRT(8121) System Policy: deny(1) file-read-metadata /private/var/db/CoreDuet/Knowledge/knowledgeC.db-wal
20:15:46.664550+0300 kernel Sandbox: MRT(8121) System Policy: deny(1) file-read-metadata /private/var/db/CoreDuet/Knowledge/knowledgeC.db-shm

LikeLiked by 1 person
- 25
  
  hoakley on October 20, 2020 at 9:05 pm
  
  Thank you. I’m sorry to see that.
  I too am running Catalina 10.15.7, and on that and the current Big Sur beta I have had no problems at all with MRT 1.68.
  I wonder why this great difference?
  Those log extracts indicate that MRT is being blocked from reading system files, which is strikingly odd.
  Howard.
  
  LikeLike
26

Samuel Herschbein on October 20, 2020 at 8:27 pm

MRT 1.68 is crashing on my two main Mojave Macs (2009 Mac Pro and 2012 iMac 21.5″).

LikeLiked by 1 person
- 27
  
  hoakley on October 20, 2020 at 9:11 pm
  
  I’m sorry to hear that. I do have some suggestions here. Otherwise, please contact Apple Support so that they know about this problem.
  Howard.
  
  LikeLike
  - 28
    
    Samuel Herschbein on October 21, 2020 at 7:23 pm
    
    Howard: since it only crashes once or twice per restart I’ll live with it until the next MRT update. The cure is worse than the symptom.
    
    I did leave feedback on Apple’s site, and I always submit crash reports on the off chance they’ll help.
    
    LikeLiked by 1 person
- 29
  
  Samuel Herschbein on October 21, 2020 at 7:16 pm
  
  Add two more Mojave Macs to the crashing list (Mid-2013 MacBook Air 13″ and Early-2013 MacBook Pro Retina 15″). I wonder if it’s some third-party software I use on all my Macs. There’s a lot…
  
  LikeLiked by 1 person
30

Kurt J. Meyer on October 21, 2020 at 9:31 am

I noticed high CPU load for MRT 1.68 (and trustd) on my 2019 MBP running Catalina 10.15.7, too, with the MRT process crashing every 2 minutes. I successfully reverted to MRT 1.67 following your advice. — Will Apple push the same version 1.68 again or will it push a new version 1.69 next?

LikeLiked by 1 person
- 31
  
  hoakley on October 21, 2020 at 11:29 am
  
  I’m sorry, I have no idea.
  Howard.
  
  LikeLike
32

AYaskevich on October 21, 2020 at 12:52 pm

There is discussion opened, concerning this issue:

https://discussions.apple.com/thread/251941776

LikeLiked by 2 people
- 33
  
  hoakley on October 21, 2020 at 5:40 pm
  
  Thank you.
  Howard.
  
  LikeLike
34

Peter石 on October 21, 2020 at 4:40 pm

I got same issue. MRT just keep up and down and my CPU like crazy.

Since I got no Time Machine backup to downgrade MRT 1.68 to 1.67, I tried rename MRT.app to MRT.app.bak

And it works! My CPU now is calm.

path:
/Library/Apple/System/Library/CoreServices/MRT.app

You may need to disable SIP so you can rename MRT.app.

This is not a final solution. Hope Apple could fix it ASAP.

LikeLiked by 3 people
35

Kurt J. Meyer on October 21, 2020 at 5:02 pm

Reverting to version 1.67 did not help very long: One day later, Apple has updated my MRT.app to version 1.6.8 again. High CPU impact and crashes are back.

LikeLiked by 1 person
- 36
  
  hoakley on October 21, 2020 at 5:39 pm
  
  Yes, I’m afraid that if you replace MRT with the previous version you have to disable updates, or it will soon get upgraded again, and again.
  Howard.
  
  LikeLike
  - 37
    
    candylovergirl on October 21, 2020 at 6:55 pm
    
    How do I disable updates in HS, Mojave and Catalina?
    
    Thank you very much in advance
    
    LikeLiked by 1 person
    - 38
      
      hoakley on October 21, 2020 at 7:00 pm
      
      Open the Software Update pane, ensure the box on the front of it is unticked, click on Advanced…, untick the boxes there and click on the OK button.
      Put a sticky note on your Mac(s) to remind you that’s what you’ve done, so that you will remember to turn them back on once the problem has been sorted out. You might there like to record what your settings were before changing then, so you can back to those later.
      Howard.
      
      LikeLike
39

Steven on October 22, 2020 at 6:26 pm

I’ve encountered the same constant CPU consumption issue after MRT update 1.68 on macOS Catalina. So it’s not limited to prior versions of macOS. After checking the system log I found there was some bug causing MRT to constantly crash and restart. Strangely it doesn’t cause the issue if I create a new admin user.

Already reported to Apple bug report but no response yet. I am going to downgrade 1.67 from TM backup as suggested by a prior post.

The crash report has this information

Application Specific Information:
*** Terminating app due to uncaught exception ‘NSRangeException’, reason: ‘*** -[NSRegularExpression enumerateMatchesInString:options:range:usingBlock:]: Range or index out of bounds’
terminating with uncaught exception of type NSException
abort() called

LikeLiked by 1 person
- 40
  
  Steven on October 22, 2020 at 7:43 pm
  
  Just finished restoring MRT to 1.67, but somehow the replaced MRT.app received an extended attribute of “com.apple.quarantine”, which I have no idea how to remove…
  
  For macOS Catalina, the procedure I took is:
  0. Copy MRT.app (1.67) from backup to user’s desktop folder
  1. Reboot system into recovery mode (CMD+R at reboot)
  2. Open Terminal
  3. Disable SIP `csrutil disable`
  4. Mount system `diskutil apfs unlock “Macintosh HD”`
  5. Change to MRT dir `cd /Volumes/Macintosh\ HD/Library/Apple/System/Library/CoreServices/`
  6. Move the MRT.app (1.68) to desktop `mv ./MRT.app /Volumes/Macintosh\ HD\ -\ Data\{path to your user folder}/Desktop/MRT.app.bk`
  7. Move the older version to the proper directory `mv /Volumes/Macintosh\ HD\ -\ Data\{path to your user folder}/Desktop/MRT.app ./`
  8. Enable SIP `csrutil enable`
  9. Reboot
  
  The replaced MRT does activate upon system startup (Activity Monitor), though as mentioned above, it received an attribute of “com.apple.quarantine”. If anyone knows how to remove this attribute please let me know (I already tried running xattr in recovery mode, which reports error).
  
  Steven
  
  LikeLiked by 1 person
  - 41
    
    hoakley on October 22, 2020 at 9:51 pm
    
    Thank you. Well done, although I can’t suggest how to remove the quarantine flag. I’m not sure that it should make any difference, though.
    Howard.
    
    LikeLike
- 42
  
  hoakley on October 22, 2020 at 9:50 pm
  
  Thank you. We’re still waiting for Apple…
  Howard.
  
  LikeLike
43

MRT sucks the life out of my machine on October 23, 2020 at 1:45 pm

MRT destroyed my perfectly running machine MacBook Pro 2010 with Sierra installed. I had auto-autoupdate turned on. Since last few days, the MRT process is in high gear, my CPU at 100% and it doesn’t let it go. My fans on the machines are squeaking running 24/7 blasting 90 degree Celsius hot air from the vents. This update is going to completely destroy my machine.

LikeLiked by 1 person
44

MRT sucks the life out of my machine on October 23, 2020 at 1:48 pm

Forgot to add – I had to install APP TAMER app to disable MRT. It’s probably a bad idea but I don’t have any other solution now. It’s paid however. I looked at App Police app but that doesn’t see system processes.

LikeLiked by 1 person
45

Hyram Hackenbecker on October 23, 2020 at 2:45 pm

There appears to be another issue associated with MRT 1.68 – somehow, a large number of the HP printer definitions in Apple’s own HP Printer bundle have been flagged as malware and disabled. Selecting Generic PostScript lets affected users print again to the affected HP printers but with some loss of functionality.

LikeLiked by 1 person
- 46
  
  hoakley on October 23, 2020 at 3:20 pm
  
  Thank you.
  That’s very surprising. Which version of macOS is this, please?
  Howard.
  
  LikeLike
  - 47
    
    matt on October 23, 2020 at 3:39 pm
    
    I am seeing this as well. I have a ton of old HP printers, mainly 2430’s, and I am unable to print to them after this latest XProtect update. This is on macOS 10.15.7. Switching to the generic postscript driver does work but as Hyram points out, you lose printer features.
    
    LikeLiked by 1 person
    - 48
      
      hoakley on October 23, 2020 at 3:52 pm
      
      Thank you.
      What exactly has happened to those printer support files: have they been deleted, or what?
      Please report this to Apple Support, so that Apple knows what MRT appears to be doing.
      Howard.
      
      LikeLike
49

Matt on October 23, 2020 at 4:04 pm

It does not delete the files. I am displayed an error message when I try to print that “HP Device Monitoring.framework” will damage your computer. This file was downloaded on an unknown date. Then I am given the option to click OK or Show in Finder. I will submit it to Apple.

LikeLiked by 1 person
- 50
  
  hoakley on October 23, 2020 at 5:55 pm
  
  Thank you.
  I’ve just published an article addressing this: it’s a certificate revocation, not MRT or XProtect. There’s nothing you can do about it, apart from using supporting software which has a valid certificate.
  If I get any more information, I’ll update that article.
  Howard.
  
  LikeLike
51

-=-= on October 23, 2020 at 6:27 pm

I’ve been following the comments here, as this is one of the few places on the Internet where MRT 1.68 problems are being discussed. Much thanks to hoakley and others who have contributed to several solutions that have worked for me. In building this guide, I’ve borrowed liberally from others posts. Thank you all.

My OS: El Capitan 10.11.6
My machine: MacPro5,1

Three approaches have been successful for me in stopping the rampant CPU use by MRT.app. One requires installing another utility (App Tamer), and the other two require some command line wizardry. I’ll summarize each one below.

===

First Approach: APP TAMER

1. Download App Tamer from the St. Clair Software site:

http://www.stclairsoft.com/AppTamer/

2. Install and in App Tamer’s interface find MRT and check the box to “Stop this app completely.”

If this works for you, nothing else is needed. When Apple fixes the problem, you can simply uncheck the box and the new version of MRT can do it’s job.

===

Second Approach: Replace MRT.app 1.68 with a previous version

1. Obtain an older version of MRT.app from Time Machine or another backup. (I used 1.67).

2. Restart while holding down Command-R to boot into macOS Recovery.

3. Start Terminal from the Utilities menu.

4. Disable SIP from the command line:

csrutil disable

5. Exit Terminal and open Disk Utility. Find your boot drive in the list and unlock and mount it if necessary.

6. Exit Disk Utility and return to the terminal.

6. Delete the old copy of MRT.app:

rm -fR /Volumes/YourBootDrive/System/Library/CoreServices/MRT.app

7. Copy old version of MRT.app to the system:

cp /path/to/old/version/MRT.app /Volumes/YourBootDrive/System/Library/CoreServices/MRT.app

8. Restart

9. VERY IMPORTANT: without this step the OS will reinstall MRT with the current version within hours. Immediately after restarting to your normal desktop, if you use El Capitan open System Preferences > App Store and uncheck “Install system data files and security updates.” In other Mac OS versions you may need to do this in the Software Update pane. (Put a sticky on your screen to remind you to re-enable this when Apple has resolved the problem.)

===

Third Approach: Disable MRT.app by removing executable permissions

1. Restart while holding down Command-R to boot into macOS Recovery.

2. Start Terminal from the Utilities menu.

3. Disable SIP from the command line:

csrutil disable

4. Exit Terminal and open Disk Utility. Find your boot drive in the list and unlock and mount it if necessary.

5. Exit Disk Utility and return to the terminal.

6. Remove executable permissions from MRT.app:

chmod -R -x /Volumes/YourBootDrive/System/Library/CoreServices/MRT.app

7. Restart

8. VERY IMPORTANT: without this step the OS will reinstall MRT with the current version within hours. Immediately after restarting to your normal desktop, if you use El Capitan open System Preferences > App Store and uncheck “Install system data files and security updates.” In other Mac OS versions you may need to do this in the Software Update pane. (Put a sticky on your screen to remind you to re-enable this when Apple has resolved the problem.)

===

Finally, if you are having issues with MRT.app 1.68, released in Mid October, 2020, please report the issue to Apple. Please go to https://feedbackassistant.apple.com and report the issue, if you are a developer, or https://www.apple.com/feedback/macos.html if you are not a developer.

The more reports they get about MRT using massive amounts of CPU the quicker it will get fixed.

Thank you.

LikeLiked by 2 people
- 52
  
  hoakley on October 23, 2020 at 6:58 pm
  
  Thank you: that’s very helpful. There is another way, if you happened to make a snapshot before updating MRT, and that’s to roll back to that snapshot. As snapshots aren’t made automatically before updates, except in High Sierra and Mojave I think, and have never been made before such ‘small’ security updates, you’re unlikely to have one available, unless you’re using software like Time Machine or CCC which makes them as part of backing up. When available, though, it’s very quick and neat.
  Howard.
  
  LikeLike
- 53
  
  Peeter on October 25, 2020 at 9:33 am
  
  The path to MRT.app in Catalina if you want to follow this advice is:
  /Volumes/[Your bootvolume]/System/Library/Apple/System/Library/Coreservices/MRT.app
  
  LikeLiked by 1 person
  - 54
    
    hoakley on October 25, 2020 at 9:44 am
    
    Are you sure about that? I’m not sure that /System/Library/Apple/ exists, whereas /Library/Apple/ does.
    Howard.
    
    LikeLike
55

-=-= on October 23, 2020 at 7:06 pm

The snapshot idea is a great solution. For those who have that available it’s a clean and easy fix.

I might add it’s important to turn off system data file and security updates after rolling back to a pre-Oct 19, 2020 snapshot.

Otherwise you’ll have to do it again ; )

LikeLiked by 1 person
56

Jean-Pierre on October 24, 2020 at 12:06 am

High Sierra 10.13.6, I don’t see any MRT process in Activity Monitor !
Only RTProtect by MalwareBytes

LikeLiked by 1 person
57

David Empson on October 24, 2020 at 3:45 am

Hi Howard. Thanks for tracking this issue.

It appears that Apple has pulled MRT 1.68 from distribution and replaced it with 1.67. I checked several of my Macs and VMs running macOS: all those not used recently which had older MRT versions got updated to 1.67 today rather than the expected 1.68 (SilentKnight forced update in one case, automatic update by Apple in others). They were running a mixture of Sierra, High Sierra, Mojave and Catalina.

This probably won’t help those whose Macs already have MRT 1.68, but at least means nobody else will be updated to that version. I hope this means that Apple is working on a solution and will release a new MRT version soon.

Four actively used Macs (running High Sierra, Mojave and Catalina) had already updated to MRT 1.68 but I’m not aware of performance problems for them.

One Mac running El Capitan doesn’t seem to want to update MRT from 1.56 and I don’t know offhand of a method to force a check (since softwareupdate doesn’t support the –background-criticial option in El Capitan).

LikeLiked by 2 people
- 58
  
  hoakley on October 24, 2020 at 5:33 am
  
  Thank you.
  SilentKnight and LockRattler both use the call to force update on El Capitan: if you want to try it yourself, it’s
  sudo softwareupdate -ia
  Howard.
  
  LikeLiked by 1 person
  - 59
    
    David Empson on October 24, 2020 at 6:10 am
    
    Hi Howard. My Mac Mini running El Capitan got there eventually but it took more than an hour, with install.log showing softwareupdated making several attempts to fetch updates. In the end, that computer has also updated from MRT 1.56 to 1.67, as did another VM running El Capitan. That makes the pattern consistent: El Capitan and later are all updating to MRT 1.67 now, not 1.68.
    
    LikeLiked by 2 people
60

steffenc on October 24, 2020 at 3:53 pm

Thanks for this, Howard! I was racking my brains and lost quite a few hours attempting to debug this issue. Now I’m running MRT 1.67 on my High Sierra and all is back to normal.

LikeLiked by 1 person
61

Ray on October 25, 2020 at 5:49 am

So when does Apple plans to fix this fucking bug? I hava two mac one is mojave and one is catalina, both fucked by MRT 1.68 and trustd

LikeLiked by 1 person
- 62
  
  Kurt J. Meyer on October 25, 2020 at 8:43 am
  
  Apple seems to have pulled version 1.68. But it won’t remove the installed MRT version from your Mac. So, if you can find the old version in your backup, follow the advice given in this thread to go back to MRT 1.67.
  
  By the way: It does not seem to be the best advice to use snapshots to go back to this version. First you would have to know which snapshot is the one that contains version 1.67, and second I am afraid you will lose your saved work since this snapshot’s date.
  
  The procedure to revert your MRT to version 1.67 installed is much simpler than some lengthy Terminal advice:
  1. Once you have found MRT 1.67 in your backup, save it somewhere else where you will not delete it by accident.
  2. Start your Mac from a Clone or in Target Mode.
  3. Locate MRT 1.68 and replace it with a copy of your saved MRT 1.6.7. You have to confirm this step with your Admin password.
  Restart your Mac normally.
  
  Another method: Install the macOS 10.15.7 Combo Update on your Mac. IIRC it comes with MRT 1.62; the automatic update should it bring to version 1.67 then.
  
  LikeLiked by 1 person
  - 63
    
    hoakley on October 25, 2020 at 8:57 am
    
    Thank you.
    No, as others have discovered (and as would be expected), installing MRT 1.67 over 1.68 doesn’t downgrade it – you have to remove 1.68 first. But now that Apple has pulled 1.68 and left 1.67 available, that should fix the problem for those who don’t have a copy of 1.67 in a backup.
    Snapshots are the simplest way to address this, but you needed to act quickly, not least because most snapshots are deleted fairly soon – TM, for instance, only keeps them for 24 hours. It’s simple to discover when MRT 1.68 was installed, so you pick the snapshot made before that. Yes, you then have to restore any changes made to your working documents etc. after that, using your backups, but that’s usually far simpler than the alternatives. So you needn’t lose anything if you roll back quickly – and that’s one of the major benefits of snapshots.
    In your second instruction above, you assume that the user either has a bootable clone, presumably meaning one made by CCC or the like, or you have another Mac which can mount its startup disk in Target Mode. What if you have neither, as the great majority of Mac users won’t? You’re then stuck with having to download and install the Combo Updater for your current version of macOS, or resorting to Recovery mode.
    Whatever you use, this wasn’t simple before Apple pulled MRT 1.68, and even now is far from being simple, because of the limitations that Apple imposes on these silent updates.
    Howard.
    
    LikeLike
64

Peeter on October 25, 2020 at 9:36 am

Thanks for all your hard work on these issues. I assume that Silent Knight will be updated soon to reflect that 1.6.8 is no longer available – would it be possible to add a warning if you already have 1.6.8 installed and maybe a link, for instance to comment 51 here, about how to remove it?

LikeLiked by 1 person
- 65
  
  hoakley on October 25, 2020 at 9:41 am
  
  Thank you.
  No, the database used by SilentKnight will continue to reflect the situation for the great majority of Mac users who have now updated to 1.68 without problems. If you had problems and downgraded, then I don’t think that you need any reminder in SilentKnight!
  If I were to change the database to make 1.67 the standard version, then all those whose Macs updated without problems would complain that it’s wrong.
  Once Apple pushes 1.69, all should settle down again.
  Howard.
  
  LikeLike
  - 66
    
    Peeter on October 25, 2020 at 9:44 am
    
    Yes, I see your point. Let’s hope that Apple get a move on with 1.69 then.
    
    LikeLiked by 1 person
67

Emmett Gray on October 26, 2020 at 8:03 pm

I saw a tip on the Apple discussion forum that you can block MRT 1.68 temporarily by renaming MRT.app to MRT.bak.app (or anything). This works! It no longer relaunches and activity is back to normal. I have SIP disabled so to do this I didn’t have to do anything other than authenticate, but others might have to disable SIP.

LikeLiked by 1 person
- 68
  
  hoakley on October 26, 2020 at 8:34 pm
  
  Thank you.
  As far as I know, you would still need to disable SIP to rename it, and I’m not sure what would happen with 1.69 becomes available. But yes, it will stop it from being run, leaving your Mac with no software to remove malware.
  Howard.
  
  LikeLike
69

Emmett Gray on October 28, 2020 at 4:02 am

I just looked in my CoreServices folder and discovered that Apple has pushed MRT 1.67 in there. Aha! So I’ll probably get the 1.69 update when it comes out as well.

LikeLiked by 2 people
- 70
  
  JohnnyFave on October 28, 2020 at 11:08 pm
  
  What version of OS are you running? I’m running 10.13.6 High Sierra and there hasn’t been an update (still running 1.68). This is so incredibly frustrating to have the CPU maxing, knowing it’s all due to an Apple update, and no end in sight. 😦 😦 😦
  
  LikeLiked by 2 people
71

Craig on October 29, 2020 at 11:10 am

Ive recently run into this issue last two days, MRT is running at 230% of my CPU usage, rendering my mac totally unusable. I have no time machine or roll back options. I’m using El Capitan 10.11.6 on an early 2009 imac, 8GB ram. I have been editing videos for the last 10 years on this machine, and now all of a sudden its rendered useless. I cant seem to find where exactly to report thiss, or what i’m actually meant to do other than stop working and wait for apple to do an update that may never come for me?

LikeLiked by 1 person
- 72
  
  hoakley on October 29, 2020 at 11:20 am
  
  I’m sorry to hear that. Essentially, what you want to do is stop /System/Library/CoreServices/MRT.app from running, and from being updated to 1.68 again.
  The neatest way to do that is to rename it to MRT.app.bak. The snag is that SIP might stand in your way. If it does, restart in Recovery mode and open Terminal, then enter the command
  csrutil disable
  and restart in normal mode. Then try changing MRT.app to MRT.app.bak. If that works, restart in Recovery mode turn SIP back on with
  csrutil enable
  restart and it should be much better. I wish you success.
  Howard.
  
  LikeLiked by 1 person
  - 73
    
    craig on October 29, 2020 at 12:03 pm
    
    will that screw me over if apple eventually fix the issue?
    
    LikeLiked by 1 person
    - 74
      
      hoakley on October 29, 2020 at 12:26 pm
      
      How?
      You have 3 alternatives:
      – rename the app as suggested;
      – replace or remove the app, which also require SIP manipulation;
      – leave it there and watch CPU continue to run high until Apple pushes an update.
      Howard.
      
      LikeLike
75

alex on October 29, 2020 at 1:06 pm

My solution:
1. download a software named app tamer, limit MRT cpu
2. pray for apple’s update

LikeLiked by 1 person
- 76
  
  hoakley on October 29, 2020 at 2:29 pm
  
  Thank you. Yes, several users have done that. If I understand it correctly, it doesn’t kill or replace MRT, merely leaves it running at very low priority.
  Howard.
  
  LikeLike
- 77
  
  Jason Lovera on October 29, 2020 at 3:06 pm
  
  Thank you for this suggestion. My CPU has finally gotten back to normal.
  
  LikeLiked by 1 person
  - 78
    
    hoakley on October 29, 2020 at 6:02 pm
    
    Wonderful!
    Howard.
    
    LikeLike
79

Mic on October 29, 2020 at 2:15 pm

Is there any idea why lockrattler and silentknight both still show MRT 1.67 on High-Sierra and Mojave while both programs say MRT-update is from October 24 2020 (German version) and no new updates where found? On Catalina however MRT is shown as 1.68

LikeLiked by 1 person
- 80
  
  hoakley on October 29, 2020 at 2:27 pm
  
  Yes. This is explained in the SilentKnight Reference and LockRattler’s Help book.
  The versions displayed in the upper boxes are obtained by checking the versions of the installed items, as present on your startup volume(s). That should, at least in ordinary circumstances, reflect the version which is running at the moment.
  The versions listed as Latest updates installed below are the datestamps and versions of the last which were recorded in your Mac’s Install History. So if a macOS update has installed one of the data files, as that doesn’t have a separate installer, that update won’t be shown there or in LockRattler’s equivalent dates. Ordinarily, that version installed should be the same as that shown in the version boxes, but here there’s a mess as a result of MRT 1.68.
  So the place which shows the active version of MRT is in the upper boxes, not in the list of latest updates installed.
  What appears to have happened with your Macs is that the Catalina system installed the original 1.68 update, which remains active. For some reason, the older systems don’t appear to have installed 1.68 (or it has been removed), and instead have installed the re-run of 1.67, which is fine.
  Hopefully Apple will soon be pushing 1.69 which will update them all.
  Howard.
  
  LikeLike
81

Phil on October 30, 2020 at 3:13 am

I just found your site today. A thousand thanks to everyone that shared solutions. It hit me on the 19th (I’m on 10.11.6) and I had googled “mac mrt keeps crashing” but your post was not out yet (or at least not referenced yet by the powers that be).

I had deleted the application but did not know about the switch in System Preferences, so today it re-downloaded itself (version 1.68) and it went into the same crash and respawn cycle…
The last backup I had was from January (yes, shame on me for that) , MRT version 1.52, so I’ve replaced it with that version…

LikeLiked by 1 person
82

Palmas on October 30, 2020 at 6:25 pm

The MRT 1.69.3 update arrived today. The processor has calmed down. High Sierra

LikeLiked by 1 person
83

-=-= on October 30, 2020 at 11:11 pm

I can also confirm I received MRT 1.69.3 today, Oct 30, 2020, 1405 PDT.

My OS: El Capitan 10.11.6
My machine: MacPro5,1

I have seen no excessive CPU usage since the update was installed by Apple. Seems to be working well!

Thanks to all here who helped out with this bug!

LikeLiked by 1 person
84

stephen grayman (@stepggray) on November 5, 2020 at 9:56 am

My situation with MRT.app is similar. BIG difference is activity monitor shows HUGE memory use NOT cpu use. The effect is the same with machine slowing to barely a crawl.

Unfortunately when I checked MRT.app, it was version 1.69.3. So the update did NOT work for me. I do have a copy of 1.67. If I get that reinstalled, will it automatically update back to 1.69.3?

I’ve quit the MRT.app for now. Other ideas/suggestions before I go back to 1.67?

Thanks.

stephen

MacBook Pro (13″ Early 2011)
High Sierra 10.13.6

ps-just recently found this site while researching MRT and hoping to get some time to explore futher. Thinking about installing SSD, new battery and more RAM into my old MBpro and hope to post for thoughts about upgrading from others soon.

LikeLiked by 1 person
- 85
  
  hoakley on November 5, 2020 at 9:58 am
  
  Restart in Safe mode. Give it a few minutes to complete, then restart in normal mode.
  You may need to let MRT run for a while before giving up on it.
  Howard.
  
  LikeLike
86

stephen on November 6, 2020 at 9:43 am

Thanks; I’ll give that a try and hope.

LikeLiked by 1 person
87

stephen grayman (@stepggray) on November 9, 2020 at 9:39 am

Bingo!

Restarted in safe mode and left alone for 30 minutes. Next restart MRT sucked up RAM for about 10 minutes, 5 minutes next restart, 2 third and now restarts and RAM use is normal.

I am curious; why I experienced extreme memory and NOT the CPU use others report; any thoughts?

Thank you once again!

LikeLiked by 1 person
- 88
  
  hoakley on November 9, 2020 at 2:01 pm
  
  Well done.
  This is normal after an MRT update. It’s because the update triggers a complete scan, which is hefty on memory, but should be done in the background.
  Howard.
  
  LikeLike