New app to analyse, display and give direct access to the contents of clipping files, including textClipping and pictClipping files created by the Finder.
quarantine
Verify that the app doesn’t change file extended attributes, discover why false flags result from updating apps in place, check who has been changing your preferences, and how to add App Store apps to Provenance tracking.
A new app to check files for Provenance IDs and Quarantine information, providing info about the origin and recent edit history of those files.
By default, quarantine xattrs aren’t attached to new files created by an app. That behaviour is controlled by a setting in the app’s Info.plist, and can be overridden in an Exceptions property list.
Why do so many files now have quarantine and other extended attributes, although they’re not apps, and may never have left that Mac?
When someone reports the most recent version of Safari that will open their webarchives is 18.6, and that’s the only version that you find can’t open some webarchives, you’ll be only too familiar with the culprit.
Whether or not a quarantined and notarized app undergoes translocation, Tahoe doesn’t run XProtect checks to determine if it’s malicious. And how to tell when an app is running from translocation.
Notarization is now obligatory for developers, but at the same time, we’re still able to run our own apps that aren’t notarized. Here’s how that works, and why.
App launch security is built in multiple layers, and not all checks are run on every launch of an app. Syspolicy plays a key role, CDHashes are now central, and XProtect scans can make checks on large apps slow.
Three malicious apps – Atomic Stealer, Genieo and XCSSET – against macOS 14.6.1, with full security, SIP disabled, and Gatekeeper disabled.
