Apps normally have a quarantine extended attribute (xattr) attached to them to warn macOS that they’ve been downloaded from the Internet and need to pass through Gatekeeper’s first run checks. The same happens to documents, and presumably results in them being checked for malware by XProtect. When quarantine xattrs start appearing on files which have only ever been stored locally since their creation, is it time to get worried?
It would appear not.
Thanks to Thomas, who drew my attention to the fact that opening any movie in the QuickTime Player app (the latest ‘X’ version, not the old QuickTime 7) results in a quarantine xattr being attached to it.
A little further exploration revealed that this isn’t the only such case: Preview attaches quarantine xattrs to several of the file types which it opens, including PDF. The high-end PDF editors PDF Expert and PDFPenPro, and Nisus Writer Pro also attach quarantine xattrs to the PDFs which they create. On the other hand, my own apps don’t: DelightEd and Podofyllin leave such flags unchanged, even on PDF files.
These quarantine xattrs are also out of the ordinary. The flags field seems always to be 0082 and the app (agent) name is given correctly, but the final field, which normally holds the UUID referencing the matching entry in the quarantine database, is usually empty. Because setting an xattr isn’t reflected in regular file attributes such as the timestamp of last modification, it’s hard to pin down exactly how and when this is happening, and whether it’s a side-effect of the apps themselves, or something in macOS which is responsible.
However, this only seems to happen to document types which are known to have been exploited by malicious software, and which are usually checked by XProtect when they are opened. I haven’t yet been able to observe this in any log entries, though, and suspect that writing the com.apple.quarantine xattr is performed in silence.
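To make those fields concrete, here is an added example (my own illustration, not code from the original post) that takes a com.apple.quarantine value apart. It assumes the commonly observed layout of four ‘;’-separated fields, flags;timestamp;agent;uuid, with the timestamp as hexadecimal seconds since the Unix epoch; the sample values in it are constructed, not real captures, and the function and variable names are mine. On a Mac the raw value comes from xattr -p com.apple.quarantine, which the two macOS-only helpers wrap; the parsing itself is plain POSIX sh and runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Dissects a com.apple.quarantine
# value using the commonly observed layout (an assumption, not Apple
# documentation):
#   flags;timestamp;agent;uuid
# flags: hex; timestamp: hex seconds since the Unix epoch; agent: the app that
# wrote the xattr; uuid: reference to a row in LaunchServices' quarantine
# database, often empty in the cases the post describes.

# Print one field of a quarantine value.
# Usage: quarantine_field VALUE flags|time|agent|uuid
quarantine_field() {
    # Split on ';' only; a missing trailing field simply reads as empty.
    IFS=';' read -r q_flags q_time q_agent q_uuid <<EOF
$1
EOF
    case $2 in
        flags) printf '%s\n' "$q_flags" ;;
        time)  printf '%s\n' "$q_time" ;;
        agent) printf '%s\n' "$q_agent" ;;
        uuid)  printf '%s\n' "$q_uuid" ;;
        *)     printf 'unknown field: %s\n' "$2" >&2; return 2 ;;
    esac
}

# Exit 0 if the value carries a database UUID, 1 if that field is empty.
quarantine_has_uuid() {
    [ -n "$(quarantine_field "$1" uuid)" ]
}

# Convert the hex timestamp to decimal epoch seconds; fail on a malformed field.
quarantine_epoch() {
    q_t=$(quarantine_field "$1" time)
    case $q_t in
        ''|*[!0-9a-fA-F]*) printf 'bad timestamp: %s\n' "$q_t" >&2; return 1 ;;
    esac
    printf '%d\n' "$((0x$q_t))"
}

# One-line, human-readable summary; reports "<none>" when there is no UUID.
quarantine_summary() {
    q_u=$(quarantine_field "$1" uuid)
    [ -n "$q_u" ] || q_u='<none>'
    printf 'flags=%s epoch=%s agent=%s uuid=%s\n' \
        "$(quarantine_field "$1" flags)" "$(quarantine_epoch "$1")" \
        "$(quarantine_field "$1" agent)" "$q_u"
}

# macOS only: raw value for one file (non-zero exit if the xattr is absent).
quarantine_value() { xattr -p com.apple.quarantine "$1" 2>/dev/null; }

# macOS only: summary of every quarantined regular file directly inside "$1".
# This only reads; it never removes the attribute (xattr -d), which the post
# advises against.
quarantine_scan_dir() {
    for q_f in "$1"/*; do
        [ -f "$q_f" ] || continue
        q_v=$(quarantine_value "$q_f") || continue
        [ -n "$q_v" ] || continue
        printf '%s: %s\n' "$q_f" "$(quarantine_summary "$q_v")"
    done
}

# Constructed sample values (not real captures): the shape the post reports
# for Preview, and a conventional download entry with a UUID for contrast.
SAMPLE_PREVIEW='0082;5d3f1a2b;Preview;'
SAMPLE_DOWNLOAD='0081;5c1f8e10;Safari;1B2C3D4E-0000-4000-8000-0123456789AB'

quarantine_summary "$SAMPLE_PREVIEW"
quarantine_summary "$SAMPLE_DOWNLOAD"
```

Run against a folder of recently opened PDFs or movies with quarantine_scan_dir, the interesting column is the last one: entries written by Preview or QuickTime Player show uuid=<none>, so there is no quarantine database row to cross-reference, whereas a genuine download carries a UUID you can look up in the database.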
This first became prominent in macOS 10.13, when many users reported that it appeared to result in repeated scans of large movies. It seems to have settled since, perhaps because of the flag value being set.
My suspicion is that these quarantine flags are being written as part of the XProtect check, to indicate to macOS that they have already been checked, and don’t need to be inspected again. I’m not sure why some apps do this, but others (like my simple AppKit-based editors) don’t. There is a flag which can be included in an app’s Info.plist file, LSFileQuarantineEnabled, which indicates whether the files created by an app are quarantined by default, but that doesn’t seem relevant here (and isn’t used by Preview or QuickTime Player anyway), and I think is intended for apps which download files from the Internet.
If that conjecture is correct, don’t be tempted to strip these quarantine xattrs away, as that will only result in unnecessary checks being made on these documents.
It would be helpful if this sort of behaviour was properly documented, because of the potential implications of all these quarantine flags. System administrators take note.