Jump to content

Real-time protection (RTProtectionDaemon) CPU hog

Torre

By Torre
in Malwarebytes for Mac Support Forum

 Share

Recommended Posts

brec

brec

Posted
Posted
2 minutes ago, Torre said:

Not sure... in my case RTProtectionDaemon definitely went nuts two evenings ago (I have Activity Monitor running as MWB support & I are still debugging this issue).  This was after an OSX update and Office 365 also updated.  The next morning RTPD seemed better behaved and I also found a stuck Office 365 update.  Not sure if they are related.  RTPD is now back to "acceptable" but still high CPU levels and I am still working with MWB support.

I was unclear -- I was referring to  my slow-apps-opening problem that I had even after uninstalling MWB and thereby getting rid of RTPD.  Indeed a workaround for the oscd.apple.com issue that GuruGuy linked to did solve that problem. MWB is still uninstalled here.

Link to post
Share on other sites
  • Replies 51
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

alvarnell
alvarnell

I'm not in a position to know about staffing details, but it seems obvious to me that it's the same as it is for the volunteers here. There aren't nearly as many Mac users as their are Windows subscri

treed
treed

Yes, actually, most users aren't seeing these issues. The way that adas has been handling this, both here and on our support system, is appropriate. The data you sent in shows that you've got mul

Posted Images

alvarnell

alvarnell

Posted
Posted

This afternoon's app opening issue has been resolved by Apple and it's critical that anybody who implemented the ocsp.apple.com workaround reverse it immediately. Otherwise you will give malware developers a clean path to install whatever they want to on your Mac without fear of having their credentials revoked.

Link to post
Share on other sites
GuruGuy

GuruGuy

Posted
Posted
5 hours ago, alvarnell said:

This afternoon's app opening issue has been resolved by Apple and it's critical that anybody who implemented the ocsp.apple.com workaround reverse it immediately. Otherwise you will give malware developers a clean path to install whatever they want to on your Mac without fear of having their credentials revoked.

Agreed.  I didn't implement that and instead uninstalled MBam which fixed my issue.  After the Big Sur server update issues and subsequent install many hours after it was released, I reinstalled mbam and so far it's working problem free; app block off.  

Link to post
Share on other sites
Torre

Torre

Posted
  • Author
Posted

That's a GREAT question.  I wish I knew what "normal" was but I don't, so I define "acceptable" as "It doesn't get in the way" and "isn't running at 60+% most every time I look", which was how it was before.

Just as a recap 2-3 weeks ago I reported that RealTimeProtectionDaemon was going mostly 50% CPU, occasionally dropping to 20%, and frequently spiking to 90+%.  Now it is (1) mostly hovering under 10 (2) occasionally hovering around 20% (3) sometimes spiking above 80.

I was able to profile RTPD behaviour on a similar machine and also tried out a different user account on the same machine and get much lower CPU usage, and thus far we have not been able to isolate why one user account on one machine runs so hot.

Link to post
Share on other sites
brec

brec

Posted
Posted

A little more than a week ago I uninstalled MWB because RTProtectionDaemon was taking more than 50% CPU. As there hasn't been any new release -- I have 4.6.11.3824 -- today I cancelled autorenewal of my subscription which would have triggered tomorrow. Just to make sure the problem wasn't transient I just reinstalled it and observed 53% CPU, and then again uninstalled it. I'll check from time to time for a new release.

Link to post
Share on other sites
  • 4 weeks later...
brec

brec

Posted
Posted
4 minutes ago, grundle said:

I am having similar issues. In addition, MWB always has a CPU usage of about 55%, even if malware protection and app block are both turned off. I am using version 4.6.12.

 

 

 

 

OK, thanks for letting me know that .12 doesn't fix it. I haven't had MWB installed for about a month.

Link to post
Share on other sites
grundle

grundle

Posted
Posted

No problem. I have uninstalled it for now on my Mac, I still have it on other Windows and Android devices. I have a spare Bit Defender licence that I put on to the mac for now. I also noticed that MWB was taking a very long time to scan my Mac. This together made me feel a little insecure about using it as my main line of defence. If it gets fixed I may add it as a secondary product on my Mac.

Link to post
Share on other sites
Torre

Torre

Posted
  • Author
Posted

So I promised to post the findings of the support ticket.  Here we go.

  • After testing MBAM across 4 machines and at least 5 accounts, There was no root cause found and I am still having high but not obscene CPU usage on one account (call this machine "Mac 1")
  • One of the test machines (Mac 2) was more or less of the same vintage and used in a similar manner to the "problem" account on Mac 1, it did not exhibit high CPU
  • Other accounts on Mac 1 also did not exhibit high CPU, however I was not able to replicate usage as closely I as I did on Mac 2
  • The only possibility remaining is that the "problem" account on Mac 1 is very large (>280GB of space) compared to all other accounts

In the end I simply gave up as all this testing took too much time out of my work day.

With MBAM support help, we tried the following.  All had little to no effect on lowering CPU.

  • Removing / reducing the size of the Library/Caches (most files were due to iTunes & Music, so understandable that this directory is so large)
  • Removing / reducing the size of Library/Favorites
  • Removing / reducing browser plugins 
  • Removing / reducing login items 

My observations on MBAM RTProtectionDaemon usage over these months (using Activity Monitor) are:

  • RTPD seems extremely sensitive and frequently jumps the CPU, things that can cause higher CPU usage include
    • Switching application windows, especially to browsers
    • Using the scroll wheel in Safari
    • Web sites with a lot of embedded video content, even if the videos don't play (e.g. YouTube, ESPN)
  • RTPD also spikes the CPU when some other application is "not behaving well".  I had a Office update that got stuck and RTPD went crazy along with installd.  I also had OneDrive for Business behave badly and that spiked RTPD as well (maybe it's just Microsoft).  While I understand abnormal app behaviour can spike anti-malware programs, RTPD seems much more susceptible than other AV programs I have used
  • As mentioned, I wonder if RTPD performance is related to the home directory size, as that is the only difference between the machines and accounts

My conclusions?  I'll keep MBAM for now as IME it's one of the best anti-malware programs but will evaluate at the end of my subscription period.

Link to post
Share on other sites
Torre

Torre

Posted
  • Author
Posted

MBAM support was very responsive in the end for me.  However I am quite disappointed that the only suggested remedies were "remove browser extensions" (aside from one or two the rest are needed) and "remove your Library/Caches directory because it's larger than normal" (most of these were  iTunes / Apple Music files, so not surprising they are large as I have a LOT of music).  Neither helped.

In my case MBAM CPU hogging (as opposed to occasional spikes) seem to be related to something else such as stuck installs.  MBAM just seems very sensitive and happy to eat a lot of CPU at the slightest provocation compared to other real-time protection tools I've used.  No surprise then that if something goes haywire, MBAM goes along with it.

I do hope this gets better as I'm not keen to re-up my sub next year if this persists.

Link to post
Share on other sites
Torre

Torre

Posted
  • Author
Posted

Thanks, brcd.  In my case I tested with 5 different accounts on 4 different machines.  Most of them showed ~1% CPU with infrequent jumps to 20%/40%.  On the "problem" account it shows mostly ~15% with more frequent jumps to 60-80% (this is a long term estimated average; I've also seen it drop to sub-1%).  This is also the account which has the largest home directory so I wonder if that has anything to do with the CPU usage.  Would you be ok posting how much disk space your home directory uses?  Mine as mentioned is >280GB.

Link to post
Share on other sites
Torre

Torre

Posted
  • Author
Posted

Thanks brcd.  If you don't have a lot of music, movies, photos and don't do a lot with large files stored locally on your disk (such as Virtual Machines, don't worry if you don't know what these are), you probably don't have a large home directory.  Easiest way is to click on a Finder window, then type Shift-Cmd-H, then Cmd-I (shortcut for Get Info).  Make sure you don't click on anything in between the two key sequences.  You should see the info window pop up with a house icon and your login name on the top left, and the size of your home folder is on the top right.

For me, after trying everything MBAM asked plus doing my own testing, home directory size was the only difference I can think of between the accounts that behaved and the one that doesn't.

Link to post
Share on other sites
brcd

brcd

Posted
Posted
43 minutes ago, Torre said:

Thanks brcd.  If you don't have a lot of music, movies, photos and don't do a lot with large files stored locally on your disk (such as Virtual Machines, don't worry if you don't know what these are), you probably don't have a large home directory.  Easiest way is to click on a Finder window, then type Shift-Cmd-H, then Cmd-I (shortcut for Get Info).  Make sure you don't click on anything in between the two key sequences.  You should see the info window pop up with a house icon and your login name on the top left, and the size of your home folder is on the top right.

For me, after trying everything MBAM asked plus doing my own testing, home directory size was the only difference I can think of between the accounts that behaved and the one that doesn't.

Thanks.  I have 16.08 gig .

Link to post
Share on other sites
  • 2 weeks later...
Donelson

Donelson

Posted
Posted

I ran the MalwareBytes analysis, then after word came back, they had me run an even larger one, including my participation in real time testing with Safari and other programs.

Their recommendation: Turn off Real-Time Protection and run 2-3 system checks per day.

My open letter reply to them:

Quote

 

Turning off Real-Time Protection fixed your horrific attack on my iMac. Who is selling Malware now?

When your software is so invasive that it actually STOPS my Bluetooth Logitech mouse from working, for up to 4-5 seconds at a time, then YOU ARE THE PROBLEM.
 
And this has been a problem since last OCTOBER.
 
When will this be fixed? 
 
Regards,

 

 
 
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.