[Hx] Improve Helix on Virtualized macOS by Disabling MRT Run at Load


Michael S. Scaramella, Esq.

Dec 10, 2021, 8:03:16 PM
to Helix-L Discussion List
To All,

I found a way to significantly improve the experience of running Helix applications on virtualized instances on macOS High Sierra or Mojave. First, a description of the underlying problem is in order:

By default, the macOS Malware Removal Tool (process MRT) runs when it is loaded, which occurs very soon after the first macOS User login. When Apple has updated the malware information used by MRT, or when a virtual machine used to run Helix applications has failed to properly complete the shutdown process, which High Sierra is especially prone to do, then MRT can run for a very long time. This consumes 100% of the processing capacity of typical virtual machines until MRT exits, which I have seen take more than an hour. Other processes which are less “nice” than MRT can take back some of the virtual machine’s processing capacity, but triggering that by launching Helix applications seems to promote instability, including kernel panics. In an effort to work around this, I have set Activity Monitor to launch upon login and try to wait for the CPU Load to drop to normal levels before launching any Helix application. It is not always practical to do this.

A Preference List file causes MRT to run at load. The pathname of this file is: /System/Library/LaunchAgents/com.apple.MRTa.plist. The standard version of this file causes MRT to run at load and when the macOS Notification daemon receives “com.apple.mrt-agent-ready,” apparently from some other system process, possibly the process that updates the malware information used by MRT. The com.apple.MRTa.plist file can be opened and edited by BBEdit, which includes a privileged helper tool, which must be allowed to run when macOS asks.

However, before an edited com.apple.MRTa.plist can be saved, System Integrity Protection (SIP) must be temporarily disabled on the virtual machine. Here are a few hyperlinks to instructions published online: How To Disable System Integrity Protection (SIP) On Mac?, How to Disable System Integrity Protection in Mac OS, and How to Disable System Integrity Protection (SIP) – Intego Support. A few additional points should be made. Starting a virtual machine in Recovery Mode requires that the machine can detect the Command-R key combination when starting. This works when the macOS arrow cursor is over the window displaying the virtual machine as it starts on the host machine. Catching the startup process might take a couple of tries. The virtual machine window likely will be very small after the virtual machine starts. Enlarge or zoom the window to be able to see what you are doing. If you want to restart the virtual machine from the command line in Terminal, then type “reboot” at the command prompt and press the Enter key.

After SIP has been disabled, launch a compatible version of BBEdit on the VM, and open the com.apple.MRTa.plist file in the /System/Library/LaunchAgents/ folder. Lines 7 and 8 in the standard file will be:

<key>RunAtLoad</key>
<true/>

Change the word “true” to “false” in line 8, which will make the lines:

<key>RunAtLoad</key>
<false/>

Malware Removal Tool will still run occasionally after this change has been made, but not after every initial macOS user login. If you want to be able to conveniently run MRT manually, then create a text file named “Run MRT.sh” which contains:

#!/bin/zsh
sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a -r /

Make sure that macOS users in the “admin” user group have permission to execute the file, and set it to open with Terminal. Since running this shell script requires being logged in as a macOS administrator and knowing an administrator password, if you are not accustomed to setting file permissions, then it is safe to use the Finder’s Info window to allow “Read & Write” by “Everyone.” Once the script file is prepared, double-clicking it will launch Terminal, request an administrator password, and then run MRT when the Enter key is pressed.

If you want to know more, visit: Using Apple's Built-In Malware Removal Tool (MRT) - krypted. If you want a much more powerful and convenient way of editing such Preference List files, then consider licensing LaunchControl: The launchd GUI. Finally, remember to re-enable System Integrity Protection on the virtual machine.

I hope that others find this helpful.

Regards,

Michael

<+>-=-<+>-=-<+>-=-<+>-=-<+>-=-<+>-=-<+>

SCARAMELLA & HOOFNAGLE
Computer Division
 ~  *  ~

<+>-=-<+>-=-<+>-=-<+>-=-<+>-=-<+>-=-<+>

Michael S. Scaramella, Esq.

Dec 10, 2021, 11:07:19 PM
to Helix-L Discussion List
To All,

I just double-checked whether using the Finder’s Info window to grant Read & Write permission to Everyone includes granting execute permission. It does not. If you store the Run MRT.sh file in your Desktop folder, then running these two commands in Terminal will work:

Mojave-Virtual-Mac% chgrp admin ~/Desktop/Run\ MRT.sh 
Mojave-Virtual-Mac% chmod 750 ~/Desktop/Run\ MRT.sh 

This example shows a virtual machine with hostname, Mojave-Virtual-Mac, and presumes that you have write permission for the MRT.sh file. If you see an error message that you do not have required privileges when you run the commands, then make sure that you are logged into the virtual machine as an administrator, and preface each command with “sudo” and enter an administrator password when asked to do so. If you prefer to use a utility with a GUI, then install Batchmod which is freeware.

Regards,

Michael

On Dec 10, 2021, at 8:02 PM, Michael S. Scaramella, Esq. <Hel...@gibhenry.com> wrote:

Make sure that macOS users in the “admin” user group have permission to execute the file, and set it to open with Terminal. Since running this shell script requires being logged in as a macOS administrator and knowing an administrator password, if you are not accustomed to setting file permissions, then it is safe to use the Finder’s Info window to allow “Read & Write” by “Everyone.” Once the script file is prepared, double-clicking it will launch Terminal, request an administrator password, and then run MRT when the Enter key is pressed.
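
An added example, not part of either post above: a shell audit of the state the procedure leaves behind. It reads RunAtLoad from a plist, checks that a helper script which calls sudo is not writable by every local account and is executable by its group (the result of the chmod 750 in the follow-up), and reports whether SIP is back on. The function names and sample files are assumptions constructed for the demo, and the plist reader assumes the XML text form quoted in the first post.

```sh
#!/bin/sh
# Added example, not from the thread: audit what the procedure leaves behind.

# Print true, false or missing for RunAtLoad in an XML-format plist.
# Assumption: text (XML) plist with the value right after the key, as quoted
# in the post; a binary plist has to be converted to XML first.
run_at_load() {
    awk '/<key>RunAtLoad<\/key>/ { seen = 1 }
         seen && /<true\/>/  { print "true";  found = 1; exit }
         seen && /<false\/>/ { print "false"; found = 1; exit }
         END { if (!found) print "missing" }' "$1"
}

# True when the file has every permission bit in the octal mask $2.
has_perm() { [ -n "$(find "$1" -prune -perm "-$2")" ]; }

# Print one line per problem with a sudo helper script's mode; print nothing
# for the 750 mode set by the chmod command in the follow-up post.
script_mode_issues() {
    has_perm "$1" 002 && echo "world-writable: any local user can change what runs under sudo"
    has_perm "$1" 020 && echo "group-writable"
    has_perm "$1" 010 || echo "not group-executable"
    return 0
}

# Print enabled, disabled or unknown; csrutil exists only on macOS.
sip_state() {
    command -v csrutil >/dev/null 2>&1 || { echo unknown; return 0; }
    case $(csrutil status 2>/dev/null | head -n 1) in
        *": enabled"*)  echo enabled ;;
        *": disabled"*) echo disabled ;;
        *)              echo unknown ;;
    esac
}

# Demo on constructed files (hypothetical names, not the real system plist).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<plist version="1.0">' '<dict>' '<key>Label</key>' \
        '<string>example.constructed.agent</string>' \
        '<key>RunAtLoad</key>' '<true/>' '</dict>' '</plist>' > "$d/agent.plist"
    echo "RunAtLoad: $(run_at_load "$d/agent.plist")"
    printf '#!/bin/zsh\necho constructed\n' > "$d/Run MRT.sh"
    chmod 666 "$d/Run MRT.sh"; script_mode_issues "$d/Run MRT.sh"
    chmod 750 "$d/Run MRT.sh"; script_mode_issues "$d/Run MRT.sh"
    echo "SIP: $(sip_state)"
    rm -rf "$d"
}
demo
```

On the virtual machine itself, point `run_at_load` at the plist path given in the first post and `script_mode_issues` at the script on the Desktop.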

Quipu Pty Ltd

Dec 11, 2021, 7:23:36 AM
to Helix-L Discussion List
Thanks Mike. Arcane but interesting.

Lee Rydstrand
l...@quipu.com.au

041 140 3281
Quipu Pty Ltd

Lenny Eiger

Dec 11, 2021, 3:33:30 PM
to Helix-L Discussion List
Michael,

So let me see if I have this right - 

The problem, as you outline it, is that the MRT process runs when a VM is loading and sometimes it takes way longer than it should - up to an hour. Is this correct?

I have two VM's running and have not seen this issue. So I should be ok?

Lenny


Michael S. Scaramella, Esq.

Dec 11, 2021, 6:40:02 PM
to Helix-L Discussion List
Lenny,

The default MRT System Agent Preference List file tells the macOS launch daemon running on a virtual machine to run MRT when it is loaded. This occurs after the VM loads and macOS starts, and typically after the first macOS user logs into the VM. MRT is very compute resource intensive, so it regularly consumes all compute resources available to MRT. The nice value of MRT is relatively high, so most other processes have priority over MRT. Consequently, when MRT is running, it consumes all processing capacity not being consumed by processes with higher priority, which causes the VM to run at 100% capacity until MRT exits. MRT usually exited within five to ten minutes when it ran at load, yet now being able to safely launch Helix applications within a minute of starting a VM has been refreshing.

MRT running at load too often made VMs unstable, sometimes triggering kernel panics. On one occasion, a kernel panic irreparably damaged one or more configuration files in one of our VM bundles. Recovery would have been speculative, and would have required storage transplant into a newly created VM, so the damaged VM was relegated to the Trash. This risk is why I strongly recommend never storing anything important on VM storage, and instead storing important files on host computer storage accessed by a VM via macOS file sharing using Bonjour.

My host machine has four physical CPU cores which appear as eight virtual CPU cores to macOS, and 16 GB of RAM. I usually allocate two virtual CPU cores and 4 GB of RAM to VMs. Allocating more host resources to VMs would leave too little for use by other processes running on my host. I recall that you have a Mac Pro with substantially greater resources, so you can allocate more resources to VMs. That likely helps your VMs run more stably. Still, one can never have too much system stability and performance, especially when storage and management of critical data are involved. The MRT related launch daemon reconfiguration that I suggested is modest, easily implemented, and safe because it only disables running MRT at load.

The MRT reconfiguration that I described seems recommendable for all running Helix applications on virtualized macOS High Sierra or Mojave. I posted detailed instructions to share the benefit of my research and testing with the Helix community. You might remain OK running as you have been, but we were not that lucky.

Regards,

Michael
