Category Archives: Mac OS

YaraScanService – How to remove it

after Mac OS is upgraded to High Sierra, YaraScanService which is part of MRT.app would start automatically.
YaraScanService takes about 20GB memory in my macbook pro.

so it would make whole mac os frozen.

Even it is working, it would stop a while and start to work.
User wouldn’t feel smoothly operation.

Here is step on how to remove YaraScanService
1. reboot mac os and press ‘Command + R’ to boot into recovery mode.
2. Click the “Utilities” menu and select “Terminal” to open a terminal window.
3. run command csrutil
# csrutil status
# csrutil disable
4. reboot mac os again, now command such as ‘rm -rf xxx’ will work and won’t receive any deny message.
5. after login into macos, open “Terminal” and run
$ sudo rm -rf /System/Library/CoreService/MRT.app
6. in /System/Library/LaunchDaemons , run
$ grep -nri “mrt” *

and delete all files that are displayed on result
7. in /System/Library/LaunchAgent, run
$ grep -nri “mrt” *

and delete all files that are displayed on result

8. reboot mac os, now do some test to check YaraScanService is started or not.
9. go to recovery mode to enable csrutil
$ csrutil enable

gdb – enable gdb on mac os

Mac OS X 10.10.2 does not come with gdb pre installed. It is available on homebrew:

$ brew tap homebrew/dupes
$ brew install gdb
The binary is installed on /usr/local/bin

When initializing gdb on a program (a.out) it will produce the following error:

Starting program: a.out
Unable to find Mach task port for process-id XXXXX: (os/kern) failure (0x5).
(please check gdb is codesigned – see taskgated(8))
Start Keychain Access application (/Applications/Utilities/Keychain Access.app)
This error occurs because OSX implements a pid access policy which requires a digital signature for binaries to access other processes pids. To enable gdb access to other processes, we must first code sign the binary. This signature depends on a particular certificate, which the user must create and register with the system.

To create a code signing certificate, open the Keychain Access application. Choose menu Keychain Access -> Certificate Assistant -> Create a Certificate…

Choose a name for the certificate (e.g., gdb-cert), set Identity Type to Self Signed Root, set Certificate Type to Code Signing and select the Let me override defaults. Click several times on Continue until you get to the Specify a Location For The Certificate screen, then set Keychain to System.

Double click on the certificate, open Trust section, and set Code Signing to Always Trust. Exit Keychain Access application.

Restart the taskagted service, and sign the binary.

$ sudo killall taskgated
$ codesign -fs gdb-cert /usr/local/bin/gdb

update:
mac os sierra, gdb will show following error.
During startup program terminated with signal ?, Unknown signal.

touch ~/.gdbinit
vim ~/.gdbinit
copy “set startup-with-shell off” into the file and save