Table of Contents

A primary line of defense against malware on macOS is the Malware Removal Tool (MRT). MRT's objective is to uninstall harmful software cleanly and safely, whereas XProtect focuses on detecting it.

MRT on Mac

Malware Removal Tool (MRT) eliminates malware when it receives new data and checks for infestations every time you log in or restart your computer. Let's discover more about MRT for Mac.

Apple's Malware Removal Tool ( isn't found in the standard Applications or Utilities directories as most other apps are; instead, it's kept in the CoreServices subdirectory in /System/Library. Even though it seems like a collection of apps, users aren't intended to run MRT.

However, it does have command line settings that let it run in agent or daemon mode, and it has the potential to throw an error message about the mystery new malware family. Unfortunately, the error message does not provide any light on the nature of MACOS.35846e4.

MRT on Mac

Multiple strategies are needed to determine the targets of MRT. To begin tinkering with the binary, we must first get a copy. Working with a copy of a binary during analysis is a good practice when reverse engineering, even if we don't intend to write to the binary and it's guarded by System Integrity Protection (which is supposed to prevent alterations).

A copy of the binary will be saved to the Desktop by running ditto, where it may be easily retrieved.

sudo ditto MRT ~/Desktop/MRT COPY

An official MRT settings file, named, may be found in the following location on Macs:

Macintosh HD/Library/Apple/System/Library/LaunchAgents/

In the same folder, you'll discover another file with a similar name,

Macintosh HD/Library/Apple/System/Library/LaunchDaemons/

The file might be flagged as malicious by antivirus programs like Webroot because it modifies the system in ways that could be considered harmful. Don't worry if something occurs to you; just disregard the alert. Deleting and might compromise the safety of your Mac and should be avoided.

MRT osx ref.9eae4e3av

Similar to the, the malware defense tool that comes standard on your Mac, MRT, may be flagged as a danger by third-party software such as Trend Micro HouseCall for Mac. When anti-malware software flags a file as suspicious, you may double-check it using Etrecheck or Malwarebytes, both of which are available for no cost.

Techniques For Figuring Out If Any MRT.App Is A False Positive

Without third-party software, removing might severely compromise your computer's security. However, if you're experiencing heavy CPU utilization due to the program and would like to utilize a third-party alternative, you may terminate the service using the following commands:

sudo launchctl stop
sudo launchctl remove

Furthermore, you need to locate the following files and remove them from your system:


Once again, if you are unclear about's features, avoid doing this.

If isn't causing you any trouble, there's no need to mess with it since any suspicious third-party detection is always a false positive. If you want to double-check that it is a false positive, you may run it through another security software or get in touch with the AV provider.

High CPU Use Due To MRT Procedure On Mac

If you check Activity Monitor and see that the MRT process uses a lot of memory or a disproportionate amount of CPU, your Mac may become unresponsive or produce a lot of noise from the fans. Activity Monitor's MRT process may take a lot of Mac processing power while scanning compressed files, eradicating malware, or obtaining a new malware database.

But unless MRT is experiencing difficulties, the procedure shouldn't take too long. Here are several options you might attempt if the MacBook MRT procedure is interfering with your day-to-day operations.

Force Quit MRT

If the MRT process utilizes a lot of CPU on Mac, pick it, click the X symbol, and choose Force Quit in Activity Monitor.

Inspect And Clean Your Files Using Etrecheck

Some customers have reported successfully resolving the MRT High CPU problem by running EtreCheck, following the removal recommendations, and then restarting their Macs.

Update MRT

The defective MRT may struggle to delete files or applications, entering an infinite cycle and utilizing a lot of CPU. MRT updates itself by default, but sometimes it doesn't. Also, updating to the newest MRT version is typically more functional.

Safe Mode Mode Booting

A restart in Safe Mode may clear corrupted caches, which may be contributing to the MRT high CPU issue. If your Mac functions normally in Safe Mode, you may restart normally.

Conclusion is an official malware scanner, and removal tool for macOS and Mac OS X. Apple's anti-malware program is included in all its operating systems. It may be accessed through the /System/Library/CoreServices/ directory, where it has been designed to fend off potential malware attacks.

DoYourData Products

Do Your Data Recovery for Mac

Do Your Data Recovery for Mac

The reliable Mac data recovery software to recover deleted or lost files.

Free Trial
Super Eraser for Mac

DoYourData Super Eraser for Mac

Permanently shred files or wipe hard drive to prevent data recovery on Mac.

Free Trial
DoYourClone for Mac

DoYourClone for Mac

Clone HDD, SSD, Mac OS, external disk, USB drive, and more under Mac OS.

Free Trial
DoYourData Author

Written & Updated by Justin Kenny

Justin Kenny is a writer & editor of DoYourData. He joined DoYourData in 2016 and focuses on writing articles about Windows data recovery, Mac data recovery, external device data recovery, hard drive clone, data erasure, Mac cleanup, computer issue fixes, etc. He is a super fan of Apple devices and is big on testing new digital device and system utility software.

Read full bio