Thursday, February 15, 2024

Mac App Launches Slowed by Malware Scan

Jeff Johnson:

macOS is periodically scanning FileMerge for malware on launch, which causes very slow app launches. I don’t know what the exact period is between scans, but rebooting the Mac seems to reset the cache[…]. I’ve noticed the same syspolicyd malware scanning and consequent slow launches with some other apps such as Xcode itself, Google Chrome, and Wireshark. You can even see syspolicyd spinning up % CPU in Activity Monitor when the malware scan happens.

[…]

I also saw somewhat slow launching from another app bundled with Xcode, Accessibility Inspector. This app is larger than FileMerge, yet it launches much more quickly. I suspect the reason is that it links to fewer Xcode frameworks[…]

[…]

You may remember our friend syspolicyd as the process that phones home to Apple when running unsigned executables. It was also the culprit in making Xcode tools slow after reboot.

[…]

I’ve now confirmed that disabling SIP does indeed eliminate the syspolicyd malware scan. Xcode launches so fast, it’s beautiful.

Previously:

8 Comments RSS · Twitter · Mastodon


Even though it's annoying to occasionally write bugs into software that are caused by my dev system having SIP turned off, turning it off is still a huge net win. Most importantly I can run software that tweaks macOS's behavior.

I just wish it were possible to run iOS apps with SIP disabled in a way that wasn't essentially the same thing as "sideloading" them in iOS.


syspolicyd has become a bit too proactive since macOS 14, or 14.1? Now it recheck apps every few hours. It didn't run so often before.


I don't disable SIP on the MacBook I travel with, but that's literally just about locking down the otherwise encrypted system against outside intruders with physical access, enabling iOS apps and ApplePay; otherwise, it's off on my systems like home desktop and server. If you think of Macs as mere iPads with keyboards, this logic makes perfect sense; if you think of Macs as computers, then it obviously represents a stupid and regressive trend. Guess how I think of Macs these days?


This...this is kind of astounding to me. There's no way to disable or tweak this without entirely disabling SIP apparently, according to one of the few people to actually document it. Which of course does not include Apple itself.

I really hope that now that Apple Vision Pro has launched and the car is (please god I hope) cancelled, they can get back to their core competency and actually pay attention to the Mac again.

I have noticed this same problem, and it just started recently. It's ironic that people are worried about turning off SIP in order to keep the same development environment as their users. Apparently Apple does not have the same concern.


So is this why launching apps on my brand new MacBook Air is so slow? Sometimes I’m not even sure if I double clicked on the app correctly because nothing happens for 2 or 3 seconds, but then the app finally launches. I often notice it when clicking on a video file to launch VLC, there’s no indication that anything happened until the video pops on the screen 3-5 seconds later. VLC on my previous 2014 MBP opened mp4 files almost instantly.


Speaking of regressive slowness (at the risk of derailing the main subject): I’ve found that iOS “low power mode” now makes the user interface excruciatingly slow to the point of being unusable. This has been the case since day one on the iPhone 15 Pro; by comparison my years-older iPhones, on earlier versions of iOS, presented a more fluid interaction with low power mode enabled. Madness.


Also blocking ocsp.apple.com in hosts improves app openings.

0.0.0.0 ocsp.apple.com


> rebooting the Mac seems to reset the cache

Shouldn't it be possible to only invalidate the cache when a) the application bundle itself changes (obviously, and presumably fast to detect: either the code signature is broken, or the hash has changed), or b) YARA (or whatever other component) has new definition files? Isn't part of the benefit of APFS that the OS should be able to determine this sort of thing fast?

>I'm very careful about what I install, and I've never had malware in over twenty years of full-time Mac usage, so I think it's safe to say that for me, syspolicyd is security theater

I imagine Jeff isn't the typical user, and this kind of feature isn't about him. But perhaps it is indeed time for a "at your own risk" developer mode-style toggle.

Leave a Comment