OS X: About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection)
OS X improves download validation by providing file quarantine in applications that download files from the Internet. This means that downloads are checked for safety (known malware) when you try to open them.
File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), attach quarantine attributes.
- Quarantine-aware applications include Safari, Messages, iChat and Mail.
- These attributes include date, time, and a record of where the file was downloaded from.
When you open a file received through a quarantine-aware application, OS X warns you where the file came from. You receive an alert asking, "Are you sure you want to open it?" You should click Cancel if you have any doubts about its safety.
Known malware check
Mac OS X Snow Leopard v10.6 and later also check for known instances of "malware", or malicious software. When you open a quarantined file, OS X checks to see if it includes known malware. If so, an alert message similar to the following appears:
If you see "(file name) will damage your computer", you should click "Move to Trash".
If it is a disk image, you should click "Eject Disk Image" and then delete the source file.
Tip: Click the Help icon in the lower left corner of the alert message for more information about malware.
Blocking web plug-ins
To help limit exposure to potential "zero day" exploits via web plug-in enabled content, OS X also blocks specific versions of web plug-ins from functioning – including Java web apps, or Adobe Flash content. Typically an update to the web plug-in is available on the same day or shortly after OS X blocks the web plug-in. Install the new update to restore web plug-in function.
If you have multiple user accounts on your Mac, the user account that downloaded the file is the only user account that can remove the quarantine attribute on a file. All other user accounts can open a quarantined file, but they are still presented with an alert asking "Are you sure you want to open it?" every time they open the file.
OS X Lion v10.7.5 and later include Gatekeeper, a technology that allows developers to sign applications. Signed applications normally don't present an alert when you download and open them. Internet files downloaded from other applications get file quarantine attributes, but without the date, time, and link of the downloaded file.
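To see which quarantine attributes a file actually carries, the following added example (not Apple's code) reads the `com.apple.quarantine` extended attribute with the `xattr` tool and parses it. The field layout `flags;hex timestamp;application;event identifier` is an assumption based on commonly observed values, the sample strings are constructed, and attributes recorded without a date or time parse with those fields empty.

```python
import subprocess
import sys
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Extended attribute used by File Quarantine on OS X.
QUARANTINE_XATTR = "com.apple.quarantine"

class QuarantineInfo(NamedTuple):
    flags: int                         # raw flag bits, left uninterpreted
    downloaded_at: Optional[datetime]  # None when no date/time was recorded
    agent: Optional[str]               # application that attached the attribute
    event_id: Optional[str]            # identifier of the download record

def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hex_epoch;agent;event_id' (assumed layout; fields may be empty)."""
    fields = value.strip().split(";", 3)
    fields += [""] * (4 - len(fields))      # tolerate values with fewer fields
    flags_hex, ts_hex, agent, event_id = fields
    try:
        flags = int(flags_hex, 16)
        seconds = int(ts_hex, 16) if ts_hex else 0
    except ValueError:
        raise ValueError(f"not a quarantine attribute value: {value!r}") from None
    when = datetime.fromtimestamp(seconds, tz=timezone.utc) if seconds else None
    return QuarantineInfo(flags, when, agent or None, event_id or None)

def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute for path, or None if the file is not quarantined."""
    result = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                            capture_output=True, text=True)
    if result.returncode != 0:              # attribute absent or file unreadable
        return None
    return parse_quarantine(result.stdout)

# Constructed sample values, not taken from a real download.
SAMPLE_FULL = "0083;5a37c9f1;Safari;1B2C3D4E-0000-4000-8000-ABCDEF012345"
SAMPLE_BARE = "0081;00000000;;"

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            print(target, read_quarantine(target))
    else:
        for sample in (SAMPLE_FULL, SAMPLE_BARE):
            print(parse_quarantine(sample))
```

Run it with one or more file paths on a Mac to inspect real files; with no arguments it parses the two constructed samples.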
Advanced users only
You can toggle File Quarantine's ability to receive updates about malware and web plug-ins from Apple via the "Automatically update safe downloads list" check box.
Choose Apple menu > System Preferences… > Security & Privacy > Advanced…
Note: If the padlock in the lower left corner of the Security & Privacy pane is locked, click it and enter an administrator name and password, then click the Advanced button.
Select or deselect the "Automatically update safe downloads list" setting to toggle File Quarantine updates.
Important: Unchecking "Automatically update safe downloads list" disables the ability to identify new malware, and leaves your Mac vulnerable to new malware without notification.