Snake&Apple VII — Antivirus

Karol Mazurek

Introduction to the Gatekeeper, Quarantine, and XProtect on macOS

INTRO

Welcome to another article in the series on macOS security internals!

The last episode explained how the Mandatory Access Control Framework (MACF) enforces its policies, with a focus on Apple Mobile File Integrity (AMFI).

In this episode, we will learn about another MACF policy — Quarantine. Together with Gatekeeper and XProtect, it forms an Antivirus Trinity.

It is not officially called that; it is just my imagination.

The article is structured in a “reverse engineering” way. We will start with what we can see in the GUI, then give a general overview of how Gatekeeper works and explain its dependency on the quarantine attribute.

We will search the filesystem for one of the Launch Services databases that uses quarantine-related data. To explain this data, we will decompile the Launch Services framework and review how the quarantine attribute is used.
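Since the rest of the article builds on the quarantine attribute, here is a small added example (not code from the original article) that parses the value of the `com.apple.quarantine` extended attribute into its documented fields: hexadecimal flags, a hexadecimal download timestamp, the name of the agent that wrote it, and an optional event UUID that links the file to a row in the Launch Services quarantine database. The sample value is constructed for the example; on a real system the value is read with `xattr -p com.apple.quarantine <file>`. The flag bits are returned raw rather than decoded, because their meaning is not covered here.

```python
import datetime

# Constructed sample value in the documented layout of com.apple.quarantine:
#   flags;download-time;agent-name;event-uuid   (the UUID field may be absent)
SAMPLE_XATTR = "0083;65a8d2f0;Safari;9B2C1E6A-1234-4C56-ABCD-0123456789AB"


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its fields.

    Raises ValueError when the value does not have at least the three
    mandatory ';'-separated fields, so a malformed attribute is not silently
    treated as a valid quarantine record.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected com.apple.quarantine format: %r" % value)

    flags = int(parts[0], 16)              # raw flag bits, hex encoded
    downloaded_at_epoch = int(parts[1], 16)  # seconds since the Unix epoch, hex encoded
    agent = parts[2]                       # application that set the attribute
    # The fourth field is the LSQuarantineEventIdentifier used as a key in the
    # Launch Services quarantine database; older or minimal values omit it.
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None

    return {
        "flags": flags,
        "downloaded_at_epoch": downloaded_at_epoch,
        "downloaded_at": datetime.datetime.fromtimestamp(
            downloaded_at_epoch, tz=datetime.timezone.utc
        ),
        "agent": agent,
        "event_uuid": event_uuid,
    }


if __name__ == "__main__":
    record = parse_quarantine(SAMPLE_XATTR)
    for key, val in record.items():
        print(f"{key:>20}: {val}")
```

The `event_uuid` is the value to look for when correlating a quarantined file with the Launch Services database entries discussed later in the article; a file whose attribute has no UUID has no such database row to correlate.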
