OS X: About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection)
OS X improves download validation by providing file quarantine in applications that download files from the Internet. This means that downloads are checked for safety (known malware) when you try to open them.
File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), attach quarantine attributes.
- Quarantine-aware applications include Safari, Messages, iChat and Mail.
- These attributes include date, time, and a record of where the file was downloaded from.
When you open a file received through a quarantine-aware application, OS X warns you where the file came from. You receive an alert asking, "Are you sure you want to open it?" You should click Cancel if you have any doubts about its safety.
If you have multiple user accounts on your Mac, the user account that downloaded the file is the only user account that can remove the quarantine attribute on a file. All other user accounts can open a quarantined file, but they are still presented with an alert asking "Are you sure you want to open it?" every time they open the file.
Known malware check
Mac OS X Snow Leopard v10.6 and later also check for known instances of "malware", or malicious software. When you open a quarantined file, OS X checks to see if it includes known malware. If so, an alert message similar to the following appears:
If you see "(file name) will damage your computer," you should click Move to Trash.
If the file is a disk image, you should click Eject Disk Image and then delete the source file.
Tip: Click the Help icon in the lower left corner of the alert message for more information about malware.
Blocking web plug-ins
To help limit exposure to potential "zero day" exploits from web plug-in enabled content, OS X also blocks specific versions of web plug-ins from functioning, including Java web apps or Adobe Flash content. Typically an update to the web plug-in is available on the same day, or shortly after OS X blocks the web plug-in. Install the new update to restore web plug-in function.
OS X Lion v10.7.5 and later include Gatekeeper, a technology that allows developers to sign applications. Signed applications normally don't present an alert when you download and open them. Internet files downloaded with other applications get file quarantine attributes, but without the date, time, and link of the downloaded file.
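To check what a given download actually carries, including the case above where the date, time and source are missing, the quarantine attribute can be read and decoded. This is an added example, not Apple's code; it assumes the attribute is the `com.apple.quarantine` extended attribute with the layout `flags;hex time;application;event id`, none of which is stated on this page, and the sample values are constructed.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ATTR = "com.apple.quarantine"  # assumed attribute name (not given on the page)


@dataclass
class Quarantine:
    flags: int                      # raw flag bits, left uninterpreted here
    downloaded: Optional[datetime]  # None when no date/time was recorded
    agent: Optional[str]            # application that attached the attribute
    event_id: Optional[str]         # identifier of the recorded download event


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex_unix_time;agent;event_id'; trailing fields may be absent."""
    parts = value.strip().split(";")
    parts += [""] * (4 - len(parts))  # pad values that stop after the flags
    flags_hex, ts_hex, agent, event_id = parts[:4]
    try:
        flags = int(flags_hex, 16)
        seconds = int(ts_hex, 16) if ts_hex else 0
    except ValueError:
        raise ValueError(f"not a quarantine value: {value!r}") from None
    # A zero timestamp is what a writer that recorded no time leaves behind.
    when = datetime.fromtimestamp(seconds, timezone.utc) if seconds else None
    return Quarantine(flags, when, agent or None, event_id or None)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute with the macOS `xattr` tool; None if not quarantined."""
    result = subprocess.run(["xattr", "-p", ATTR, path],
                            capture_output=True, text=True)
    return parse_quarantine(result.stdout) if result.returncode == 0 else None


# Constructed sample values, not taken from a real system.
FULL = "0083;5f3b3c4d;Safari;11111111-2222-3333-4444-555555555555"
BARE = "0082;00000000;;"  # attribute present, but no date, time or source

if __name__ == "__main__":
    for sample in (FULL, BARE):
        print(parse_quarantine(sample))
```

`read_quarantine` only works on a Mac, where the `xattr` command is available; `parse_quarantine` runs anywhere.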
Advanced users only
You can toggle the ability of File Quarantine to receive updates from Apple about malware and web plug-ins. Important: Deselecting this option disables the ability to identify new malware, and leaves your Mac vulnerable to new malware without notification.
OS X Mavericks
- Choose Apple menu > System Preferences.
- Click the App Store icon in the System Preferences window.
- Select or deselect the option to "Install system data files and security updates."
OS X Mountain Lion or earlier
- Choose Apple menu > System Preferences.
- Click the Security & Privacy icon in the System Preferences window.
- If the padlock in the lower left corner of the Security & Privacy pane is locked, click it and enter an administrator name and password.
- Click the Advanced button.
- Select or deselect the "Automatically update safe downloads list" setting to toggle File Quarantine updates.