An alternative approach to document quarantine problems: Pratique

Removing ‘spurious’ quarantine flags attached to documents using Sandstrip often proves only a temporary solution to the problem of security alerts, when trying to open documents which have been set to be opened by non-default apps. I’ve been looking at how XProtect behaves in response to changes made in quarantine flags, and can offer an alternative approach which can work better.

When you open a document which has no quarantine flag attached to it using the GUI, such as the Finder (double-click) and LaunchServices, the sandbox seems quick to add a ‘spurious’ quarantine flag to it, even when the sandboxed app doesn’t save that document. So the approach used by Sandstrip to completely remove these ‘spurious’ flags is often too transient to help much. Without tinkering with the sandbox itself, there seems little to be done to help, unless Apple changes this behaviour.

However, the behaviour isn’t as quick or consistent if a document already has a quarantine flag, either one gained as a result of being downloaded from the Internet, or an existing flag attached by the sandbox. Following a little experimentation, I discovered that the best way to maintain access to flagged documents and resist the sandbox from adding an active quarantine flag, is to set an existing flag as if the document had been checked by XProtect and passed – in the same way that this is handled for apps.

Surprisingly, this still isn’t perfect. When a sandboxed app saves a document, it’s most likely to write a fresh ‘spurious’ quarantine flag to it. Even more surprisingly, that occurs with ‘genuine’ quarantine flags – a behaviour which appears to reduce security.

Quarantine flags which are written to files which have been downloaded from the Internet contain a UUID which refers to their entry in the QuarantineEvents database at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Those entries contain additional information which is significant, and readily available to apps and other software.

When the sandbox overwrites an existing ‘genuine’ quarantine flag, that UUID is lost, and its ‘spurious’ flags don’t contain any reference to entries in the QuarantineEvents database. Thus the sandbox behaviour loses the association with that additional information which is of security value.

Pratique has a similar interface to my free utility for stripping ‘spurious’ quarantine flags, Sandstrip, but instead of removing them, it marks files with a flag which indicates that they have been checked by XProtect – in the same way that flags change when an app has passed its first run checks. So long as that modified flag remains attached to a document, you can change the app set to open it, and double-clicking it won’t trigger a security alert and refusal.

This should prove a more lasting way of dealing with the problems caused by quarantine flags on documents, particularly if you don’t save them using an app which runs in a sandbox.

However, changing flags indiscriminately could also cause a major vulnerability. If you had downloaded an app in a Zip archive, for example, setting the flag on either the archive or that app to indicate that it had passed first run would let it escape the security checks which take place when you first run an app. So Pratique is careful not to change quarantine flags on apps and other executable bundles, or on archive documents.

The first beta-release version of Pratique is now available from here: pratique10b1
from Downloads above, and its Product Page.

This should run in Sierra, High Sierra and Mojave, although I have only been able to test it in Mojave, so would greatly appreciate reports from those older versions of macOS, please.

9Comments

Add yours

1

Joss on May 6, 2019 at 5:44 pm

Is there a CLI command to add this “already checked by XProtect” attribute in shell scripts?

LikeLiked by 1 person
- 2
  
  hoakley on May 6, 2019 at 5:52 pm
  
  You can do it with the xattr command, either with the -d option to delete the com.apple.quarantine xattr altogether, or to write one out with the -w option. Be very careful though: don’t inadvertently clear the flag on a quarantined app or archive which does still need proper Gatekeeper checks. That’s an issue I have tried to address in Pratique.
  Howard.
  
  LikeLike
  - 3
    
    Joss on May 6, 2019 at 11:55 pm
    
    Yes, normally I’m just deleting the quarantine XA, e.g. when I want to launch unsigned applications. But for documents etc. I was thinking about the `xattr -w com.apple.quarantine VALUE FILEPATH` command. The question is: how do you set the VALUE, when you want to change the first numbers of the quarantine string from 0082 to 00e2? Plain text? Or do you have to pipe it to xxd first in some way? If so, with which arguments? And what about the other parts of the quarantine string? There’s a number, then a semicolon, then some kind of other value (hash?), then another semicolon, and then finally the app or process identifier. So the questions are: (1) what is this hash value? Can it be something random? (2) does the process name need to conform to some kind of special formatting? (3) is plaintext sufficient to fake macOS into believing that a file has already been scanned by XProtect (0082 to 00e2)?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on May 7, 2019 at 7:24 am
      
      Joss,
      The com.apple.quarantine xattr is plain UTF-8 text. What Pratique does is read the existing xattr, change the third character from 8 to C (although XProtect uses E instead, either will do), and write it back. I can code that in Swift, but not in a shell script!
      Howard.
      
      LikeLike
  - 5
    
    Joss on May 7, 2019 at 8:57 am
    
    Thank you. Then it’s possible, e.g. like so:
    
    “`
    quar=$(xattr -p com.apple.quarantine “$filepath” | grep “^0081;”) ; [[ $quar ]] && { quar=$(echo “$quar” | sed ‘s/^0081/008c/’) ; xattr -w com.apple.quarantine “$quar” “$filepath” ; }
    “`
    
    If you want “008e” instead of “008c”, just change the substitution value in the sed command from “008c” to “008e”.
    
    LikeLiked by 1 person
  - 6
    
    Joss on May 7, 2019 at 11:44 am
    
    So if you write a new quarantine XA that is to block a file from execution, should you use “0081”, “0082”, or “0083”? With xattred you are using “0083”. Is there any difference to the other ones?
    
    For whom it may concern: you can get the hex timestamp in bash with:
    
    echo “obase=16; $(date +%s)” | bc | tr ‘[:upper:]’ ‘[:lower:]’
    
    And another question: is a 008[1-3] quarantine XA even effective, if you don’t add a UUID?
    
    LikeLiked by 1 person
    - 7
      
      hoakley on May 7, 2019 at 11:59 am
      
      Yes, any of those three quarantine numbers puts that file into quarantine. As Apple doesn’t document any of this, no one seems to know the significance of the other bits. My experience is that their usage varies with macOS version but doesn’t form any consistent pattern.
      The UUID isn’t needed at all – the ‘spurious’ flags written by the sandbox never have a UUID. However, on apps the UUID is important as it links into the quarantine database to provide additional info which is of value when deciding the risk, etc. If you’re not adding a UUID, then end the flag with a terminal semi-colon, just as the sandbox does.
      Howard.
      
      LikeLike
  - 8
    
    Joss on May 7, 2019 at 12:04 pm
    
    Awesome, thank you!
    
    LikeLiked by 1 person
9

Michael Tsai - Blog - Quarantine: Apps and Documents on May 14, 2019 at 8:21 pm

[…] Update (2019-05-14): Howard Oakley: […]

LikeLike

Share this:

Related