What is System Integrity Protection and how does it affect Anti-Malware for Mac?

Document created by dshull Employee on May 12, 2017Last modified by jyamada on Jun 11, 2017
Version 2Show Document
  • View in full screen mode

Mac OS X 10.11, aka El Capitan, includes a feature called System Integrity Protection (SIP), which prevents modifications from being made to some key locations in the system. This is very powerful protection against malware installing into certain places.

However, it's possible to turn SIP off, and worse, to turn it back on later after some kind of malware has been installed into one of these protected locations. In such a case, Malwarebytes Anti-Malware for Mac will not be able to remove components of the malware from those locations until SIP has been turned off again.

To turn off SIP, follow these instructions:

  1.  Restart the computer.
  2.  Hold down command-R as soon as the chime sounds, and continue to hold until the Apple logo appears.
  3.  Once the machine has entered recovery mode, click Utilities
  4. Click Terminal
  5.  In Terminal, type: csrutil disable
  6.  Press return. You should see a message saying SIP was disabled.
  7.  Restart the computer normally.


Once this is done, scan the computer again with Malwarebytes Anti-Malware and remove the files it was unable to remove previously.
Afterwards, for security purposes, you should re-enable SIP. To do so, repeat the steps above, except enter the command csrutil enable instead of csrutil disable