Why some Mac apps launch slowly: A follow-up

May 1 2025

Last year I wrote a blog post, "Mac app launches slowed by malware scan": I discovered that the slow launches are caused by the syspolicyd process, specifically DispatchQueue "com.apple.security.syspolicy.yara". The backtrace showed syspolicyd calling the yr_rules_scan_file function.

Recently, however, voluminous blogger Howard Oakley has written a series of blog posts, starting with "Why some apps launch very slowly" and culminating with "Why some apps sometimes launch extremely slowly", that appear to be in denial of my discovery. Oakley says,

Malware scan using any known Yara rules is most unlikely, as:

XProtect Yara rules commonly include file size limits, resulting in few rules applying to larger files, and more rapid completion.

Known checks using Yara rules are all well-recorded in log entries, and the source of those rules is stated clearly.

Yara scans are normally reported with their result.

Scan results are succinct and hardly likely to be lost in a ‘cache miss’.

I'm truly baffled by this denial, because the backtrace I mentioned comes directly from spindumps (/usr/sbin/spindump), which take frequent (10 milliseconds by default) samples of all running processes on the system. Spindumps don't lie!

The spindumps also indicate that the syspolicyd malware checks are triggered by the dlopen function to load a dynamic library. These are the framework checks that Oakley mentions; a framework is essentially a bundled dynamic library.

You can see the series of function calls in the samples of the launching app:

dyld4::APIs::dlopen_from(char const*, int, void*)
AppleSystemPolicy::fileCheckLibraryValidation(proc*, fileglob*, long long, long long, unsigned long)
AppleSystemPolicy::perform_malware_scan_if_necessary(ASPProcessInfo*, ASPEvaluationInfo*, int, ScanMeta*, int*, unsigned int, int, long long*)
AppleSystemPolicy::waitFo...
First seen: 2025-05-01 16:36
Last seen: 2025-05-01 17:36