The Malware Removal Tool, MRT, is one of the front-line security features in macOS. While its companion XProtect tries to detect malware, the purpose of MRT is to attempt to remove malicious software which can be removed cleanly and safely. Apple provides next to no information beyond that: the Apple Platform Security guide states that: “Apple also issues updates to MRT to remove malware from any impacted systems that are configured to receive automatic security updates. MRT removes malware upon receiving updated information and it continues to check for infections on restart and login.”
Although called an app, MRT.app isn’t an app at all, and can’t be run as an app through the Finder. Instead, its binary is actually used as a command tool, which is run in two circumstances: after your Mac starts up, and when MRT.app has just been updated. MRT runs in two different modes, controlled by the -a and -d options, which run it in agent or daemon mode, respectively.
The dummy app is located in /Library/Apple/System/Library/CoreServices/, among the unprotected Data volume additions to /System/Library/CoreServices/ on the System volume in Catalina; in Mojave and earlier, that’s simply /System/Library/CoreServices/. It’s written in Swift, and is normally run by two
launchd property lists:
- the LaunchAgent at /Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist runs MRT at load as an agent, with the -a option;
- the LaunchDaemon at /Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist runs MRT at load as a daemon, with the -d option.
(In Mojave and earlier, those paths start /System/Library/LaunchAgents/ and /System/Library/LaunchDaemons/)
Running in daemon mode, MRT performs thousands of signature checks against Apple’s Certificate Revocation List (CRL), many of which generate errors. It also presumably checks items against its own list of what it can remove. Running in agent mode, it is far quieter, and only likely to generate some sandbox errors in the log. It then appears to run against a different set of rules which could, for example, remove malicious or unwanted files and directories. This suggests that daemon mode assembles a list of actions which are then performed in agent mode. When run after startup, MRT runs first in daemon then in agent mode, both completing in the first couple of minutes after boot.
Originally, MRT doesn’t seem to have run automatically following updating, and Apple recommended that users restarted their Macs when MRT had been updated, although that wasn’t widely promulgated. For at least the last year, whenever it has been updated, MRT is run in both agent and daemon modes, normally twice in each, so there now shouldn’t be any need to restart.
Unfortunately, since 2018, Apple has obfuscated the names of malware which MRT can remove. Prior to that, it was possible to search the string content of its executable and discover the names of malware which it claimed to be able to ‘remediate’. I have listed those which MRT version 1.35 addressed, and as far as I can see that list is good for the current version 1.68, with the addition of all the malware concealed by Apple’s obfuscation.
Beyond its very brief description, Apple has long remained silent on what MRT does. It has broken that silence only once, in early July last year, 2019. MRT was then called into play to remove part of an app which wasn’t malware, but left users with a serious vulnerability: Zoom.
One of the biggest problems posed by that old version of the Zoom client was that it installed, in a hidden folder, a web server which was left behind, still active, when you uninstalled its app. This web server was capable of reinstalling the Zoom client, and was found to have its own vulnerability as well. However Zoom responded to the other issues in its client software, it was vital that all copies of this web server were removed, particularly on Macs whose users may have forgotten that they had ever installed Zoom’s client. This wasn’t something that Zoom was able to handle alone: they needed Apple, just as Apple needed to remove Zoom’s web server before it could be exploited.
The solution lay in gently repurposing Apple’s MRT to detect and destroy Zoom’s web server in its hidden folder, much in the way that it does for malware. The delivery vehicle had therefore to be an urgent ‘silent’ security update containing the new version of MRT, which Apple had ready to push out on 10 July 2019.
Then everything got rather strange. Instead of Apple breaking its self-imposed silence on security updates and explaining this direct to users, it passed the message on to Zack Whittaker at TechCrunch, then re-tweeted TechCrunch’s tweet linking to that news story. Not only that, but the story was coy over detail: it didn’t mention MRT, merely that the “silent update” had been released, and that all users would receive it automatically. Neither did it explain that users needed to do anything other than wait for the update to be installed.
As you may have noticed, the latest update to MRT, version 1.68, has caused serious problems on many Macs. I doubt very much that Apple will release any information or help for users, but silently fix this in the next release. Let’s hope that’s not too far away.
Appendix: Known malware which MRT is intended to remove
These lists are based on what MRT 1.35 was known to be able to remove, before obfuscation of malware names in 2018 made this impossible to determine.
MRT 1.35 removes the following well-known malware:
- Bundlore A, B, C, D and E
- CpuMeaner A
- Dok A, C
- Ekoms A
- Eleanor A
- Fruitfly A, B
- Frutas A
- Geneio A, D
- HackingTeamRCS A
- HMining A, B, C and D
- InstallCore A
- InstallImitator A
- Keydnap A
- MaMi A
- Morcut A
- MudMiner (believed to be CreativeUpdate) A
- Mughthesec A
- Netwire A
- Nwm0zjrk A
- Proton B, C and D
- ShellDrop A
- Snake A
- Testing A
- Trovi A, A2, B, C and D
- VSearch A
- WireLurker A
- XcodeGhost A.
MRT also removes several unwanted or malicious Safari extensions and modifiers. In MRT 1.35, those include:
- Omnibar.safariextz, part of Genieo
- SafariProxy, part of Dok.