Written by
Jenny ZengSummary: This post will explain the MRT process on Mac and common files related to it, such as com.apple.MRTa.plist and MRT osx ref.9eae4e3av. It also tells you what to do when you find the MRT process taking too much CPU in Activity Monitor, Logs or Terminal.
A common way to trick you into installing malware on Mac is to embed it in a seemly harmless application or extension. That's why Apple has three layers of built-in protection to ensure that your Mac is free of known malware.
- The first layer helps prevent you from downloading malware. The risk of installing malware is reduced by downloading apps from a reliable source - App Store and identified developers that can pass Gatekeeper.
- The second layer aims to block malware from launching. The anti-virus technology XProtect will check an app when it's first launched for malware and block its execution when a known malicious content is detected.
- The third layer is designed to remove the malware that has been launched on your Mac using MRT.
Now, let's take a closer look at the MRT process on Mac.
What is MRT on Mac?
MRT, standing for Malware Removal Tool, is a malware protection technology that automatically removes harmful software from your Mac based on the information updated by Apple. It examines your Mac for malware when restarting and logging in.
You can access MRT by navigating to Macintosh HD/Library/Apple/System/Library/CoreServices/MRT. If you right-click on the MRT app and select Show Package Contents > Contents > MacOS, you will find two Unix Executable Files named MRT and mrt-helper that run in Terminal when you double-click on them.
Usually, MRT is silently updated in the background so you won't receive any notification for its update. To make sure MRT is automatically updated, ensure that the "Automatically Check for Updates" and "Install system data files and security updates" are enabled in System Preferences > Software Update > Advanced.
If you want to check the latest update to MRT on your Mac, open the Apple menu > About This Mac > System Report(the location has been changed on macOS Ventura), find the Installation tab under the Software section and look for MRTConfigData.
com.apple.MRTa.plist
com.apple.mrta.plist is a legitimate settings file for MRT on Mac that you can find in the following directory:
- Macintosh HD/Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist
You will also find a similar one called com.apple.MRTd.plist in this directory:
- Macintosh HD/Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist
Some anti-virus software like Webroot may mistake the com.apple.MRTa.plist file as a suspicious activity because it makes changes to the system. If that also happens to you, ignore the notification. It's also not recommended to delete com.apple.MRTa.plist and com.apple.MRTd.plist since it may affect your Mac's security.
MRT osx ref.9eae4e3av
Like com.apple.mrta.plist, some third-party software like Trend Micro HouseCall for Mac may flag osx ref.9eae4e3av as a threat, though it's just MRT - the malware defence program that comes with your system. The next time you see a potential threat reported from anti-malware software, you can double-check with the free Etrecheck or Malwarebytes.
MRT process high CPU usage on Mac
If you notice the process MRT in Activity Monitor consumes a large amount of memory or an abnormally high percentage of CPU, chances are, your Mac may slow down or make a loud fan noise. The MRT process in Activity Monitor may cause high CPU usage on Mac when scanning all the compressed files on your system, removing malware, or downloading a new malware database.
But the process shouldn't take long unless MRT is facing some challenges. If the MacBook MRT process is hampering your normal work, here are some solutions you can try.
Force Quit MRT
If the MRT process uses a high CPU on Mac, you can temporarily disable it and other processes related to it in Activity Monitor by selecting the process, clicking the X sign, and choosing Force Quit. If you find other processes peg CPU on your Mac such as macOS installed high CPU, you can also force quit them.
Check and clean files with Etrecheck
Some users have managed to get rid of the MRT High CPU issue by checking their Macs with EtreCheck and deleting the files it suggests to remove, then restarting Mac.
Update MRT
The faulty MRT may struggle to remove some files or programs, thus putting itself in an endless loop and using a huge CPU. Although MRT updates on its own by default, there may be times when it's not updated automatically. Therefore, another fix is to update to the latest MRT version that's usually more functional.
- Open Terminal.
- Paste the following command and press Enter.sudo softwareupdate --background
The background check may take some time to complete. Check whether the MRT process disappears from Activity Monitor.
Boot into Safe Mode
The MRT high CPU problem could also result from corrupted caches, which you can clean by restarting your Mac in Safe Mode. If your Mac works correctly in Safe Mode, reboot as usual.
Disable and re-enable SIP
In some cases, disabling SIP (System Integrity Protection) helped stop the MacBook MRT process from occupying critical memory and CPU. Here are the steps:
- Boot into Mac Recovery Mode.
- Click Utilities > Terminal.
- Execute this command to disable SIP:csrutil disable
- Enter another command to restart your Mac:reboot
You should re-enable SIP once the issue is resolved to prevent unauthorized codes from launching on your Mac. To enable SIP, you can follow the same steps but change the first command to csrutil enable.
Introduction to Distnoted on Mac & Fixes for High Memory/CPU Distnoted
This post talks about the distnoted process on Mac. After reading this post, you will know what the distnoted is, and the reasons and solutions for distnoted using high memory and CPU. Read more >>
How to disable MRT on Mac?
You should not disable MRT on your Mac unless you are sure that it won't be infected without the automatic malware protection of MRT. If you have decided to disable it, follow these steps:
- Restart your Mac in Recovery Mode.
- Click Utilties > Terminal.
- Run the following command to disable SIP:csrutil disable
- Execute this command to remove executable permission on the MRT:chmod -R -x+X /System/Library/CoreServices/MRT.app
- Re-enable SIP with this command:csrutil enable
- Restart your Mac.