About file quarantine in OS X

Summary

Learn about file quarantine in OS X.

Products Affected

Mac OS X 10.5, Mac OS X 10.6, OS X Lion, OS X Mountain Lion

OS X improves download validation by providing file quarantine in applications that download files from the Internet, such as Safari, Messages or iChat, and Mail. This means that files you download from the Internet are checked for safety when you open them.

File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), will attach file quarantine attributes including date, time, and link of the file downloaded. Internet files downloaded from other applications will get file quarantine attributes but without date, time, and link of the file downloaded.

When you open a potentially unsafe file in Finder, Spotlight, or from the Dock, the file quarantine feature will warn you about unsafe file types.

If you open a quarantined file, you will receive an alert asking, "Are you sure you want to open it?" You should click Cancel if you have any doubts about its safety.


 

Mac OS X v10.6 Snow Leopard and later checks for malware

Mac OS X v10.6 Snow Leopard and later builds upon the existing unsafe file type check by also checking for known instances of "malware", or malicious software. When you open a quarantined file, the file quarantine feature will check to see if it may include known malware. If so, an alerts such as these will appear:

If you see "(file name) will damage your computer." You should click "Move to Trash".

If it is a disk image, you should click "Eject Disk Image" and then delete the source file.

Tip: Click the Help icon in the lower left corner of the dialog box for more information about malware.

Blocking web plug-ins

To help limit exposure to potential "zero day" exploits via web plug-in enabled content, File Quarantine can block web plug-ins from functioning--including Java web apps or Adobe Flash content.

Typically an update to the web plug-in is available on the same day or shortly after File Quarantine blocks the web plug-in.

Install the new update to restore web plug-in function.

Additional Information

If you have multiple user accounts on your Mac, the user account that downloaded the file is the only user account that can remove the quarantine attribute to the file.  All other user accounts can open the quarantine file, but they will be presented with an alert asking "Are you sure you want to open it?" every time they open the file.

Advanced users only

You can toggle File Quarantine ability to receive updates about malware and web plug-ins from Apple via the "Automatically update safe downloads list" check box.

Choose Apple () menu > System Prefernces… > Security & Privacy > Advanced…

Note: If the padlock in the lower left corner of the Security & Privacy pane is locked, click it and enter an administrator name and password, then click the Advanced button.

Check / uncheck "Automatically update safe downloads list" to toggle File Quarantine updates.

Important: Unchecking "Automatically update safe downloads list" will disable File Quarantine's ability to identify new malware, and leave your Mac vulnerable to new malware without notification.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Not helpful Somewhat helpful Helpful Very helpful Solved my problem
Ask other users about this article
in Apple Support Communities
See all questions on this article See all questions I have asked