XProtect stealing RAM randomly every day? (xprotectremediatorsheepswap)

[tockie]

Is anyone else experiencing the issue where xprotectremediatorsheepswap is using taking a huge amount of RAM every day?

Since Sonoma 14.3.1, this process would pop up and start eating up 100GB of RAM and making >50GB of swaps into SSD.

This issue also seems to have affected many other users since the update

• https://discussions.apple.com/thread/255477437
• https://discussions.apple.com/thread/255481754
• https://discussions.apple.com/thread/255465538

Currently, I couldn't find any fix other than force shutting down, so meaning dear Apple considers it appropriate to make customer's machines unusable and remove 15+min of productivity every day.
Hope apple will release a patch or just revert back to whatever XProtect is before this ASAP, otherwise, let's pray this XProtect **** doesn't pop up when I'm presenting in front of a class of a few hundred students, and they will all have to watch me live to deal with Apple's incompetent software quality control.

 

[brassring]

Yes; but I'm running Ventura 13.6.

Every day for the past week, I've been getting the popup that says I'm out of memory and need to force-quit apps. It's the process "XProtectRemediatorSheepSwap" every time.

Yep, that's taking up 70+ gigs of system memory.

 

[tockie]

Happy to say found a workaround
This seems to be a problem caused by Apple’s automatically installed security responses.

I managed to “fix” the SheepSwap-gate by rolling back to a previous version of XProtectRemediator.
It is located at:
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorSheepSwap

Unfortunately, you’ll need a TimeMachine backup to roll it back to a previous version.
(I’ve reached out to Apple senior support, and they refuse to support me tampering with their XProtect)
If you have an earlier version of XProtect.app backup, you’ll need to disable SIP, (preferably then booting in safe mode), and replace XProtect.app with that earlier version. Then, I turned SIP back on and haven’t experienced any issues yet.
You also need to uncheck “Installed Security Responses” from Settings - Software update since this will automatically update to the latest XProtect version without any notifications.

I believe the problematic version is XProtectPayloads 125 (see screenshot), since then Apple released version 126, but the issue persisted, so I went back to 122 (the only version backed-up prior to 125 I have).
The system and XProtect version logs are retrieved using SystHist (https://eclecticlight.co/lockrattler-systhist/), and SilentKnight shows the rolled back 122 version still performs automatic scans and without blowing up RAM usage.

I do understand this workaround sound sussy, but I cannot allow XProtect to randomly kick in and cause a days’ worth of computation work being terminated due to low memory issues.
Adding salt to injury, I have made multiple attempts to get a resolution from Apple, but they’re either ghosting me or telling me to wipe and reinstall, which is just reckless and irresponsible.