Re: [Hx] Improve Helix on Virtualized macOS by Disabling MRT Run at Load

Skip to first unread message

Michael S. Scaramella, Esq.

May 23, 2022, 4:33:42 PMMay 23
to Helix-L Discussion List
To All,

This is the final installment of the recommendation that I posted on Dec 10, 2021 about disabling MRT run at load. It covers a needed refinement to make the edited MRT configuration permanent. I previously addressed setting the immutable file flag. This is the same as opening the file Info window in Finder and setting the Locked checkbox to Yes. I missed that there is a separate file flag that makes a file immutable by the System.

The commands to enter at the command prompt in Terminal while logged in as a macOS user with administrative privileges are:

sudo chmod 444 /System/Library/LaunchAgents/

The preceding command makes the file read-only by all users.

sudo chflags simmutable,uimmutable /System/Library/LaunchAgents/

The preceding command makes the file immutable by the System and by all users.

If you want to make the file editable again, then run:

sudo chmod 666 /System/Library/LaunchAgents/

The preceding command makes the file readable and writable by all users.

sudo chflags nosimmutable,nouimmutable /System/Library/LaunchAgents/

The preceding command clears the immutable file flags for the System and for all users.

If you want to learn more about file flags, then launch Terminal and run:

man chflags

Vertical scrolling of the manual page can be done using the up and down arrow keys or by two-finger swiping on a trackpad. When you are done reading the manual page, press the Q key to quit the man application.

I should note that changing the MRT configuration is more important when running Helix on a High Sierra virtual machine. Mohave seems to run MRT better, so waiting for MRT to finish is less burdensome. Failing to wait too often causes Helix to crash when running on a virtual machine with typical virtualization settings.



On Feb 22, 2022, at 12:09 AM, Michael S. Scaramella, Esq. <> wrote:

I am replying to my own message quoted below because I discovered that the High Sierra virtual machine that I normally use to run Helix somehow automatically reversed the change that I made to restore MRT run at load. I made the configuration change again, and then set the mode of the file to 444, which is read-only by all users, including root; and then locked the file by setting the user immutable file flag (uchg). This should make the change stick. We will see. I should have anticipated that Apple made it difficult to prevent MRT from running at load.



On Dec 10, 2021, at 8:02 PM, Michael S. Scaramella, Esq. <> wrote:

To All,

I found a way to significantly improve the experience of running Helix applications on virtualized instances on macOS High Sierra or Mojave. First, a description of the underlying problem is in order:

By default, the macOS Malware Removal Tool (process MRT) runs when it is loaded, which occurs very soon after the first maOS User login. When Apple has updated the malware information used by MRT, or when a virtual machine used to run Helix applications has failed to properly complete the shutdown process, which High Sierra is especially prone to do, then MRT can run for a very long time. This consumes 100% of the processing capacity of typical virtual machines until MRT exits, which I have seen take more than an hour. Other processes which are less “nice” than MRT can take back some of the virtual machine’s processing capacity, but triggering that by launching Helix applications seems to promote instability, including kernel panics. In an effort to work around this, I have set Activity Monitor to launch upon login and try to wait for the CPU Load to drop to normal levels before launching any Helix application. It is not always practical to do this.

A Preference List file causes MRT to run at load. The pathname of this file is: /System/Library/LaunchAgents/ The standard version of this file causes MRT to run at load and when the macOS Notification daemon receives “,” apparently from some other system process, possibly the process that updates the malware information used by MRT. The file can be opened and edited by BBEdit, which includes a privileged helper tool, which must be allowed to run when macOS asks.

However, before an edited can be saved, System Integrity Protection (SIP) must be temporarily disabled on the virtual machine. Here are a few hyperlinks to instructions published online: How To Disable System Integrity Protection (SIP) On Mac?How to Disable System Integrity Protection in Mac OS, and How to Disable System Integrity Protection (SIP) – Intego Support. A few additional points should be made. Starting a virtual machine in Recovery Mode requires that the machine can detect the Command-R key combination when starting. This works when the macOS arrow cursor is over the window displaying the virtual machine as it starts on the host machine. Catching the startup process might take a couple of tries. The virtual machine window likely will be very small after the virtual machine starts. Enlarge or zoom the window to be able to see what you are doing. If you want to restart the virtual machine from the command line in Terminal, then type “reboot” at the command prompt and press the Enter key.

After SIP has been disabled, launch a compatible version of BBEdit on the VM, and open the file in the /System/Library/LaunchAgents/ folder. Lines 7 and 8 in the standard file will be:


Change the word “true” to “false” in line 8, which will make the lines:


Malware Removal Tool will still run occasionally after this change has been made, but not after every initial macOS user login. If you want to be able to conveniently run MRT manually, then create a text file named “Run” which contains:

sudo /System/Library/CoreServices/ -a -r /

Make sure that macOS users in the “admin” user group have permission to execute the file, and set it to open with Terminal. Since running this shell script requires being logged in as a macOS administrator and knowing an administrator password, if you are not accustomed to setting file permissions, then it is safe to use the Finder’s Info window to allow “Read & Write” by “Everyone.” Once the script file is prepared, double-clicking it will launch Terminal, request an administrator password, and then run MRT when the Ether key is pressed.

If you want to know more, visit: Using Apple's Built-In Malware Removal Tool (MRT) - krypted. If you want a much more powerful and convenient way of editing such Preference List files, then consider licensing LaunchControl: The launchd GUI. Finally, remember to re-enable System Integrity Protection on the virtual machine.

I hope that others find this helpful.




Computer Division
 ~  *  ~
Voice: 856-424-2100


Reply all
Reply to author
0 new messages