By default, quarantine xattrs aren’t attached to new files created by an app. That behaviour is controlled by a setting in their Info.plist, and can be overridden in an Exceptions property list.
Gatekeeper
How to check secure boot, SIP, Gatekeeper/XProtect, its SSV, FileVault, macOS and its firmware, and XProtect Remediator scans.
Whether or not a quarantined and notarized app undergoes translocation, Tahoe doesn’t run XProtect checks to determine if it’s malicious. And how to tell when an app is running from translocation.
XProtect, XProtect Remediator, XProtect Behaviour Service, kernel extension excludes, incompatible apps, and some historical remnants, including a database that’s downloaded then vanishes.
Over the last 6 years, XProtect’s Yara rules for detection of malware have increased by a factor of 4, and they now take over 22 times as much space. Here are the numbers and charts.
Stepping through the stages in security checks made on a notarized Mach-O binary command tool, in Ventura 13.4.1 two years ago, and now in Sequoia 15.4.1.
Why can apps take many seconds or even minutes to launch on some Macs? More results to puzzle and perplex, and a strategy to address the problem.
Opening Pages can take several seconds, and other apps can hang around for 30 seconds before they’re ready to use. Is it XProtect, online certificate checks, or what?
Overview of how different subsystems work together during launching a notarized app, from LaunchServices to checking WritingTools and AI availability.
After setting a record of 29 updates through the year, XProtect’s Yara rules have grown from about 195 in 167 KB of text to 328 in 921 KB. Here are details of the other XProtects, Gatekeeper and more.
