Snake&Apple VII — Antivirus
Introduction to the Gatekeeper, Quarantine, and XProtect on macOS
INTRO
Welcome to another article in the series on macOS security internals!
The last episode explained how the Mandatory Access Control Framework (MACF) enforces its policies focusing on Apple Mobile File Integrity (AMFI).
In this episode, we will learn about another MACF policy — Quarantine. Together with Gatekeeper and XProtect, it forms an Antivirus Trinity.
It is not officially called that; it is just my imagination.
The article is structured in a “reverse engineering” way. We will start with what we can see in the GUI, then provide a general overview of how Gatekeeper works and explain its dependency on the Quarantine attribute.
We will search the filesystem for one of the Launch Services databases that utilize the quarantine-related data. To explain this data, we will decompile the Launch Services Framework and review how the quarantine is used.
We will learn about the connection between Launch Services and Launchd and how this daemon interacts with the Quarantine Kernel Extension.
There will also be a brief chapter about System Policy components with a small experiment on how Gatekeeper whitelisting does not work.
We will review how the XProtect anti-malware scanner works and how it is connected to other Antivirus Trinity components via CoreServicesUIAgent.
Finally, I will provide an overview of some Gatekeeper Bypasses and links to resources I read during the learning process that are worth reading.
The table below summarizes all of these. The main objective is to analyze the logic of the quarantine-blocking mechanism utilized by the Gatekeeper.