MRT (Malware Removal Tool) is a safe macOS security process. MRT (Malware Removal Tool) is Apple's built-in malware cleanup utility on macOS. Unlike XProtect, which prevents malware from running, MRT actively removes malware that has already been installed on your system. It runs automatically in the background after signature updates and during system scans, checking for and removing known malware infections, adware, and unwanted software that may have bypassed other defenses. MRT running briefly after a system update is completely normal and expected. Be concerned if MRT is running repeatedly in short intervals, which may indicate it is detecting malware but unable to fully remove it. If you suspect malware that MRT cannot handle, consider using a dedicated malware scanner for a second opinion. Also investigate if MRT logs show repeated detections of the same threat.
Malware Removal Tool
MRT (Malware Removal Tool) is Apple's built-in malware cleanup utility on macOS. Unlike XProtect, which prevents malware from running, MRT actively removes malware that has already been installed on your system. It runs automatically in the background after signature updates and during system scans, checking for and removing known malware infections, adware, and unwanted software that may have bypassed other defenses.
Temporary high CPU usage when MRT runs a post-update scan of the system
Disk activity spikes as MRT scans applications and system directories
MRT removing a legitimate application it mistakenly identifies as malware (rare)
Confusion about what MRT detected, since it operates silently without notifications
When MRT runs (usually after an automatic update), allow it to finish. It typically completes within 15-30 minutes. High CPU from MRT is a sign it is actively scanning your system for known malware — interrupting it reduces your protection.
Run 'log show --predicate "process == \"MRT\"" --last 24h' in Terminal to see MRT's recent activity logs. This shows what MRT scanned and whether it found or removed any malware. The log messages indicate which malware signatures were checked.
Run 'system_profiler SPInstallHistoryDataType | grep -A 5 MRT' in Terminal to see when MRT was last updated. Apple pushes MRT updates alongside XProtect signature updates. If MRT has not updated recently, check System Settings > General > Software Update.
While MRT does not offer a manual scan button, you can trigger a system integrity check by running 'sudo xprotect scan --full' in Terminal on macOS Sonoma or later. On older versions, MRT runs automatically and cannot be manually invoked — ensure your system is up to date to get the latest definitions.
MRT running briefly after a system update is completely normal and expected. Be concerned if MRT is running repeatedly in short intervals, which may indicate it is detecting malware but unable to fully remove it. If you suspect malware that MRT cannot handle, consider using a dedicated malware scanner for a second opinion. Also investigate if MRT logs show repeated detections of the same threat.
CoreLock complements MRT by providing real-time behavioral monitoring that catches threats before they require removal. While MRT cleans up known infections after the fact, CoreLock monitors process behavior continuously to detect suspicious activity as it happens, giving you an early warning system that works alongside Apple's built-in removal tool.
Download CoreLock FreeXProtect is Apple's built-in antimalware system on macOS that automatically scans downloaded files and applications for ...
syspolicyd implements macOS Gatekeeper — the security feature that verifies applications are from identified developers ...
sandboxd enforces the macOS App Sandbox — a security technology that restricts what applications can access. When an app...
No. MRT (Malware Removal Tool) is Apple's official malware cleanup utility built into macOS. It is code-signed by Apple, distributed through software updates, and protected by System Integrity Protection. Its entire purpose is to remove malware from your Mac, not to cause harm. Seeing it in Activity Monitor is a sign your Mac's security is working.
XProtect prevents known malware from running by scanning files before they execute — it is a gatekeeper. MRT removes malware that has already been installed on your system — it is a cleanup crew. They work together: XProtect blocks new threats, and MRT cleans up infections that may have occurred before the latest signatures were available.
Yes. MRT runs automatically in the background when Apple pushes new malware signature updates. You do not need to launch it manually, and there is no user interface. It scans your system, removes any detected malware, and exits quietly. On macOS Sonoma and later, Apple has integrated MRT's functionality more deeply into the XProtect framework for periodic background scans.
MRT can remove malware that Apple has specifically identified and created removal signatures for. It is effective against known threats but cannot detect or remove novel malware, sophisticated rootkits, or threats that Apple has not yet cataloged. For comprehensive protection, pair MRT with a real-time monitoring tool like CoreLock that detects suspicious behavior regardless of whether the specific threat is known.
Download CoreLock to identify suspicious processes, detect threats, and keep your Mac running smoothly.
Download CoreLock FreeAvailable for macOS and Windows