{
	"id": "a51e6410-3295-40c3-a790-902fde91738e",
	"created_at": "2026-04-06T00:10:24.905928Z",
	"updated_at": "2026-04-10T03:20:07.436916Z",
	"deleted_at": null,
	"sha1_hash": "f8be19c85dcf9ea355409c106eb9942c306f7866",
	"title": "Quarantine and the quarantine flag",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72950,
	"plain_text": "Quarantine and the quarantine flag\r\nPublished: 2020-10-29 · Archived: 2026-04-05 14:31:11 UTC\r\nWe all know that a ‘quarantine flag’ is attached to files which are downloaded from the Internet, using most but\r\nnot all apps, and determines whether an app needs to undergo a full first run check by Gatekeeper. In fact, there’s a\r\ngreat deal more to quarantine and its extended attribute than that. For a start, the majority of items on your Mac\r\nwhich carry a quarantine flag aren’t apps at all, but non-executable documents. And in most cases, macOS doesn’t\r\neven know why they are there.\r\nQuarantine and the com.apple.quarantine extended attribute (xattr) originated in macOS 10.5 in 2007, although\r\nGatekeeper didn’t appear until 10.7 in 2011-12, at around the same time that sandboxing was introduced.\r\nEntering quarantine\r\nAll files which are downloaded from the Internet, using HTTPS or HTTP, in email messages, over AirDrop, and\r\nby other means, can have a quarantine flag attached to them by the app which performs the downloading. Custom\r\napp download-installers and most updaters either don’t set the flag at all, or, when one is set, remove it (for\r\nexample, Sparkle-based updaters).\r\nThe quarantine flag is an opt-in system, not one imposed by macOS itself. Any developer, including malware\r\nauthors, can download files from the Internet without setting the flag on them, and any app on your Mac can\r\nchange or strip the quarantine flag on any item to which it has write permission. The use of these flags in security\r\nis very much a gentleman’s agreement, which is easily broken when software doesn’t behave like a gentleman.\r\nSetting the quarantine flag is normally determined by the Info.plist property list which every app is required to\r\ncontain. 
The entry there which controls flag behaviour is named LSFileQuarantineEnabled, and you can inspect\r\nthis in each app to check what should happen when that app creates a new file, for example when downloading\r\nsomething from the Internet. When this is set to true, every new file created by that app should have the quarantine\r\nflag set; when false, they won’t unless macOS overrides that behaviour. If an unsandboxed app’s Info.plist doesn’t\r\nset LSFileQuarantineEnabled explicitly, then the default is not to set the quarantine flag.\r\nmacOS also provides a set of overrides to what appears in the Info.plist of many apps, listed in the Additions item\r\nin /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist.\r\nThe Exceptions.plist property list contains five dictionaries:\r\nAdditions, which assigns a lot of app categories, sets Java version requirements, and determines default\r\nsettings for quarantine on documents created by apps.\r\nAppNapOverrides, which sets App Nap behaviours.\r\nHighResolutionOverrides, which overrides High Res options for apps.\r\nLaunchOverrides, which can disable specific version ranges of apps from being launched; these prevent\r\nmany older apps from being run.\r\nMergeDocumentTypes, which merges some document types such as doc and docx for specific apps.\r\nhttps://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/\r\nPage 1 of 5\n\nOverrides, which can override other settings.\nFor example, the entry in the Additions dictionary for the popular BitTorrent client Transmission reads:\norg.m0k.transmission: LSApplicationCategoryType = public-category.internet, LSFileQuarantineEnabled = true\nReferring to the app by its ID of org.m0k.transmission, that first assigns the app to an app category of public-category.internet, and then sets the app to set the quarantine flag on all documents that it creates, including\neverything that it downloads.\nAmong the existing overrides in Catalina, for example, are 
org.pythonmac.unspecified.BitTorrent and\norg.xlife.Xtorrent, which ensures that Transmission, Xtorrent and PythonMac BitTorrent clients should write\nquarantine flags to all their downloaded files. Although this Exceptions property list doesn’t cover every client, it\nshould ensure that most do protect their downloads with quarantine flags. However, there’s no method by which\nyou can add or modify these, and they don’t appear to apply to command-line tools such as curl, which is often used\nto bypass quarantine flag attachment.\nBehaviour – apps\nThe quarantine flag is among the stickiest of all xattrs. When you unZip an archive which has been flagged, the\nxattr is normally propagated to all items which are saved from that, a behaviour which ensures that compressed\napps retain their flag when uncompressed, for example. This isn’t, though, imposed by macOS, and some tools\nand utilities which can decompress archives may not follow this behaviour; the bundled Archive Utility does,\nthough.\nIn macOS Mojave and later, a typical quarantine xattr consists of a Unicode string of the form\n0083;5991b778;Safari.app;BC4DFC58-0D26-460D-9688-81D119298642\nwith the components:\n1. the quarantine value in hexadecimal,\n2. the time at which the xattr was attached, in hexadecimal,\n3. the app or agent responsible for creating the xattr (normally the downloading app too),\n4. a UUID referring to the entry for this quarantine flag in the QuarantineEvents database\nseparated by semi-colons.\nThe QuarantineEvents database is an SQLite database at\n~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. There appears to be no system-level\nequivalent, so each user is only able to access details of their own quarantine events, not those of other users. 
It’s\nnot known whether spent events are ever removed from there, nor whether maintenance is performed on it.\n\nWhen an app or other executable is run from the GUI, its quarantine xattr is checked before opening. If the\r\nexecutable code hasn’t been cleared previously by a full Gatekeeper check, that is deemed to be its first run, and a\r\nfull check is performed. If that’s successful, the quarantine value on all checked executable code is changed from\r\n(for example)\r\n00000000 10000011 = 83\r\nto\r\n00000000 11000011 = C3\r\nSubsequent attempts to run that code are then no longer blocked pending a first run Gatekeeper check.\r\nSuccessful completion of that first run check doesn’t alter the quarantine xattrs attached to non-executable files within an app bundle, though.\r\nEarlier versions of macOS have used other bits in the quarantine value too. For example, in Sierra and earlier an\r\napp which has passed first run and been successfully opened could end up with a value of\r\n00000000 11100011 = E3\r\nthe lower-order bit signifying that the app had also been run. 
These appear to have fallen into disuse in Mojave.\r\nThe QuarantineEvents database contains and retains additional information for these flags, which includes the\r\nreason for their attachment in the LSQuarantineType value, whose values include: LSQuarantineTypeWebDownload,\r\nLSQuarantineTypeEmailAttachment, LSQuarantineTypeOtherDownload,\r\nLSQuarantineTypeInstantMessageAttachment, LSQuarantineTypeCalendarEventAttachment,\r\nLSQuarantineTypeOtherAttachment, and LSQuarantineTypeSandboxed, which is only attached to documents.\r\nIn normal circumstances, quarantine xattrs which are attached to apps and other executables remain in place until\r\nthat app is removed.\r\nDevelopers who ship apps which are signed or notarized need to check that those will successfully pass through\r\nGatekeeper first run checks before distributing those apps. I have discussed ways of doing this here.\r\nExecutable scripts with quarantine flags may not undergo Gatekeeper checks, because most are unsigned. The\r\npresence of a quarantine flag on a script therefore normally results in macOS blocking it from running until that\r\nflag has been removed.\r\nBehaviour – documents\r\nmacOS has been attaching quarantine flags to documents for as long as it has been to apps, as part of the same\r\nprocess. If a webpage or other file is downloaded from the Internet and saved on your Mac by an app which adds\r\nquarantine flags, then a normal quarantine xattr will be added to it. When you decompress a flagged Zip archive,\r\nquarantine flags are automatically attached to all the files extracted from it.\r\nThese non-app flags differ as follows:\r\nOpening a quarantined document or non-executable file doesn’t trigger a Gatekeeper check, which would\r\nin any case be meaningless.\r\nNothing appears to change or remove a flag, unless you use a utility or command to do so. 
The sole\r\nexception to this is with flags attached by sandboxed apps, which can replace one another.\r\n\r\nmacOS also adds its own quarantine flags to documents which haven’t been downloaded from the Internet.\r\nOddly, while quarantine of apps is an opt-in behaviour, you can’t opt out of this behaviour, as it’s built into\r\nthe macOS sandbox.\r\nPerforming certain operations with quarantined documents may be forbidden. For example, a flagged shell\r\nscript can’t normally be executed. Thus using flagged files can result in errors.\r\nDocument quarantine xattrs attached following download from the Internet have identical content to those\r\nattached to apps, including the UUID of an entry in the QuarantineEvents database. Those attached to files which\r\nhaven’t been downloaded differ, as they aren’t associated with entries in the QuarantineEvents database, so lack\r\nthe UUID. Quarantine values you’re likely to encounter include:\r\n00000000 10000001 = 81\r\n00000000 10000010 = 82\r\n00000000 10000011 = 83\r\neach of which has the high-order bit set to indicate that the file is still in quarantine, and are normally given with\r\nan LSQuarantineType of LSQuarantineTypeSandboxed.\r\nThe addition of quarantine flags to files which have never been downloaded from the Internet appears to be a\r\nrelatively recent behaviour, but has now been seen to occur in macOS Sierra and later. Apple doesn’t appear to\r\nhave documented this for users, and references to this behaviour are buried deep in Apple’s now outdated but not\r\nreplaced Entitlement Key Reference.\r\nSandboxed apps, which includes many of those bundled with macOS and all delivered by the App Store, will\r\nattach quarantine flags to files which Apple describes as executable unless the app has the\r\ncom.apple.security.files.user-selected.executable entitlement. 
Apple explains:\r\n“By default, when writing executable files in sandboxed apps, the files are quarantined. Gatekeeper prevents\r\nquarantined executable files and other similar files (shell scripts, web archives, and so on) from opening or\r\nexecuting unless the user explicitly launches them from Finder.\r\nIf those executables are tools that are intended to run from the command line, such as shell scripts, this presents a\r\nproblem.”\r\nNote that this refers to a sandboxed app writing executable files, which should only account for a very small\r\nnumber of files having a quarantine flag attached.\r\nThe role and purpose of these quarantine flags added by sandboxed apps remains obscure, beyond being used to\r\nprevent the execution of shell scripts, web archives, etc. Not only that, but sandboxed apps write them, when\r\npermissions allow, to all documents which they open, even though the document may not be formally saved by\r\nthat app.\r\nAccess\r\nAs extended attributes, you can view and edit quarantine flags using standard tools including the xattr\r\ncommand and my free utility xattred. These flags are easier to work with than many xattrs as they are UTF-8 text,\r\nnot encoded binary.\r\n\r\nAs a developer, you can opt to access them as xattrs, which is easiest using extensions to the URL class in Swift,\r\nfor instance. They’re also accessible more directly as NSURL Resources, using code such as\r\nvar theQuarFlag: AnyObject? = nil\r\ntry theNSURL.getResourceValue(\u0026theQuarFlag, forKey: kCFURLQuarantinePropertiesKey as URLResourceKey)\r\nwhich, if theQuarFlag is non-nil, is a dictionary containing key-value pairs for all known fields in the quarantine\r\nflag. These not only include the data in the xattr, but where there’s an extant entry in the QuarantineEvents\r\ndatabase, this also returns information from that. 
Keys are listed in LSQuarantine.h, and include:\r\nLSQuarantineAgentNameKey, the name of the downloading agent;\r\nLSQuarantineAgentBundleIdentifierKey, the bundle ID of the downloading agent;\r\nLSQuarantineTimeStampKey, a CFDateRef to the date and time that the quarantine flag was attached;\r\nLSQuarantineTypeKey, one of the values listed above;\r\nLSQuarantineOriginURLKey, a CFURLRef to the original location of the file;\r\nLSQuarantineDataURLKey, a CFURLRef to the data source of the file.\r\nRemoving a quarantine flag simply requires setting it to nil, as in\r\ntry theNSURL.setResourceValue(nil, forKey: kCFURLQuarantinePropertiesKey as URLResourceKey)\r\nSource: https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/"
	],
	"report_names": [
		"quarantine-and-the-quarantine-flag"
	],
	"threat_actors": [],
	"ts_created_at": 1775434224,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8be19c85dcf9ea355409c106eb9942c306f7866.pdf",
		"text": "https://archive.orkl.eu/f8be19c85dcf9ea355409c106eb9942c306f7866.txt",
		"img": "https://archive.orkl.eu/f8be19c85dcf9ea355409c106eb9942c306f7866.jpg"
	}
}