Understanding output of xattr -p com.apple.quarantine

The other day I was messing with some files that had the extended attribute com.apple.quarantine on them. I am aware of its purpose, but I have always been curious what the properties below meant when you output its values.

E.g. when I typed in

xattr -p com.apple.quarantine xmlrpc.php

for a file that has the said xattr, I get output like this:

0083;59b926ad;Safari.app;55847AA4-5562-42A2-89A7-8FAD394B455C

What do the first 4 digits (i.e. 0083) represent? Google hasn't brought up anything good, and there are a few guides I found from users also trying to figure out what these numbers precisely represent.

Asked Sep 13 '17 13:09 by Sal Alturaigi



1 Answer

As you're probably already aware, the quarantine flags are set when an agent (browser, mail client, etc.) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.

All this information is stored and there's a complete history for every user.

The first 4 digits are a set of flags that I expect are defined in quarantine.h, which appears to be a private header included in copyfile.c, within Apple's open source code.

These flags represent states, such as whether the file is quarantined or not.

On closer analysis, the kernel extension quarantine.kext is responsible for handling this and upon disassembly, we can see the function quarantine_get_flags.

Here's just a snippet of the disassembled kext:

[image: disassembly of quarantine.kext showing quarantine_get_flags]

Note the formatting of the xattr output's first 4 flags with (_sscanf(rbx, "%04x;") == 0x1).

This calls quarantine_get_info.

[image: disassembly of quarantine_get_info]

We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode is the basic representation structure of a file.

As for the rest of the xattr output, each user has a local sqlite3 database that keeps a record of every item downloaded. Its location is

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

The database has just one table, LSQuarantineEvent. You can read all the data by using the sqlite3 command in the terminal:

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent;" 

If you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the xattr output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.

Answered Oct 14 '22 08:10 by TheDarkKnight
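The parse-and-cross-reference workflow from the answer above, as an added example (not code from the answerer or from Apple). It assumes the second field is the download time as hex seconds since the Unix epoch (a known part of the format that the answer does not spell out), and it assumes the column names LSQuarantineEventIdentifier, LSQuarantineAgentName and LSQuarantineDataURLString for the LSQuarantineEvent table; the in-memory database it builds is a constructed stand-in for the real QuarantineEventsV2 file, which has more columns.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class QuarantineAttr:
    flags: int           # field 1: four hex digits of state flags (see quarantine.h)
    timestamp: datetime  # field 2: hex seconds since the Unix epoch, decoded as UTC
    agent: str           # field 3: name of the agent that saved the file
    event_id: str        # field 4: GUID that keys the LSQuarantineEvent row

def parse_quarantine(value: str) -> QuarantineAttr:
    """Split the 'flags;hextime;agent;guid' string printed by xattr -p."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags_hex, time_hex, agent, event_id = parts[:4]
    if len(flags_hex) != 4:  # the kext reads this field with "%04x;"
        raise ValueError(f"flags field must be 4 hex digits, got {flags_hex!r}")
    return QuarantineAttr(
        flags=int(flags_hex, 16),
        timestamp=datetime.fromtimestamp(int(time_hex, 16), tz=timezone.utc),
        agent=agent,
        event_id=event_id,
    )

def flag_bits(flags: int) -> List[int]:
    """Set bit positions of the flags field, to compare against quarantine.h."""
    return [i for i in range(16) if flags & (1 << i)]

# Constructed stand-in for ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2.
# Column names are assumed (the answer only names the table); the real DB has more columns.
def build_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT "
                "PRIMARY KEY, LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT)")
    con.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?)", (
        "55847AA4-5562-42A2-89A7-8FAD394B455C", "Safari",
        "https://example.invalid/xmlrpc.php"))  # constructed sample row
    return con

def lookup_event(con: sqlite3.Connection, event_id: str) -> Optional[dict]:
    """Match the xattr GUID to its download record (the grep step in the answer)."""
    row = con.execute(
        "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?",
        (event_id,)).fetchone()
    return dict(row) if row else None
```

To run against a real machine, open the QuarantineEventsV2 path from the answer with sqlite3.connect in place of build_sample_db(); the GUID match itself is unchanged.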