Defense Evasion, Execution. Updated Dec 14, 2025

Prevent Quarantine Attribute Stripping

Block xattr commands that strip or forge Gatekeeper quarantine attributes, stopping attackers from bypassing first-launch signature checks.

Idea

Gatekeeper is macOS's control against running untrusted software. When a browser or other quarantine-aware application saves a file from the internet, the file is tagged with the com.apple.quarantine extended attribute. On first launch that attribute causes Gatekeeper to verify the item's code signature and notarization and, at minimum, to warn the user that the item was downloaded from the internet before it is allowed to run. The attribute can be removed with a single xattr command, or overwritten with a value that marks the file as already user-approved, and either way the first-launch checks are skipped when the user opens the app. Workshop and Santa's CEL rules can block the most common quarantine-stripping and quarantine-forgery command-line patterns.

Solutions

Execution: Block Quarantine Stripping
Prevent xattr from removing quarantine attributes
Signing ID
CEL Expression
Custom Message

MITRE ATT&CK

Tags

xattr, quarantine, gatekeeper

Deployment Notes

This rule blocks three xattr operations: deleting the quarantine attribute (-d com.apple.quarantine), writing a forged "already-approved" quarantine value (-w com.apple.quarantine ...), and clearing all extended attributes with the -c flag (which removes quarantine along with everything else). Bundled flag variants such as -dr, -rc, and -crv are caught as well, as are the same flags passed separately (for example -d -r com.apple.quarantine).
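The matching logic described above, as an added Python example. This is not the rule's own CEL expression (which is not reproduced on this page) and not Workshop or Santa code; it classifies an xattr argv the way the notes describe, so you can see which command lines would be blocked and which pass. The sample command lines and the quarantine value in them are constructed, not real telemetry.

```python
import shlex
from dataclasses import dataclass

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class Verdict:
    block: bool
    reason: str


def classify_xattr(argv):
    """Classify one xattr invocation (argv list) against the three blocked patterns:

      1. -d com.apple.quarantine          delete the quarantine attribute
      2. -w com.apple.quarantine <value>  overwrite it with a forged value
      3. any flag cluster containing c    clear every attribute, quarantine included

    Flags may be bundled (-dr, -rc, -crv) or given separately (-d -r); the
    attribute name is the first non-option argument after the flags.
    Only the command line is inspected: direct removexattr()/setxattr()
    callers are out of scope, exactly as for the CEL rule.
    """
    if not argv:
        return Verdict(False, "empty argv")
    # Match on basename so both "xattr" and "/usr/bin/xattr" are covered.
    if argv[0].rsplit("/", 1)[-1] != "xattr":
        return Verdict(False, "not xattr")

    args = argv[1:]
    for i, tok in enumerate(args):
        if tok == "--" or not tok.startswith("-") or tok == "-":
            break  # end of options: attribute name or file path follows
        letters = tok[1:]
        if "c" in letters:
            return Verdict(True, f"clears all attributes ({tok})")
        if "d" in letters or "w" in letters:
            op = "delete" if "d" in letters else "write"
            attr = next((a for a in args[i + 1:] if not a.startswith("-")), None)
            if attr == QUARANTINE_ATTR:
                return Verdict(True, f"{op} {QUARANTINE_ATTR} ({tok})")
            return Verdict(False, f"{op} of non-quarantine attribute {attr!r}")
    return Verdict(False, "read-only or unrelated xattr use")


# Constructed sample command lines. The quarantine value on the -w line is a
# placeholder; any write to com.apple.quarantine is blocked regardless of value.
SAMPLE_COMMANDS = [
    "xattr -d com.apple.quarantine ~/Downloads/Tool.app",
    "/usr/bin/xattr -dr com.apple.quarantine ~/Downloads/Tool.app",
    "xattr -d -r com.apple.quarantine ~/Downloads/Tool.app",
    "xattr -w com.apple.quarantine '0000;00000000;Example;' ~/Downloads/Tool.app",
    "xattr -c ~/Downloads/Tool.app",
    "xattr -crv ~/Downloads/Tool.app",
    "xattr -rc ~/Downloads/Tool.app",
    # Benign: listing, printing, or touching a different attribute.
    "xattr -l ~/Downloads/Tool.app",
    "xattr -p com.apple.quarantine ~/Downloads/Tool.app",
    "xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/Tool.app",
    "ls -l@ ~/Downloads/Tool.app",
]


def scan(commands):
    """Return [(command, reason)] for every command line the rule would block."""
    blocked = []
    for cmd in commands:
        verdict = classify_xattr(shlex.split(cmd))
        if verdict.block:
            blocked.append((cmd, verdict.reason))
    return blocked


if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_COMMANDS):
        print(f"BLOCK  {cmd}\n       {reason}")
```

The first seven sample lines are blocked and the last four pass. Note that `-p com.apple.quarantine` (print) is allowed, which is useful for triage, and that deleting an attribute other than com.apple.quarantine is allowed, so the rule does not interfere with general xattr housekeeping unless the -c flag is used.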

Legitimate use is rare but not unheard of: the -c flag in particular is sometimes used by power users managing extended attributes, so an aggressive rule may generate more noise than the -d and -w matches do. The rule only inspects the xattr command line. It will not stop a compiled binary or scripting runtime that calls removexattr(2) or fremovexattr(2) directly, nor one that writes a forged value with setxattr(2). Test it in your environment before deploying widely.

False Positive Guidance

Power users occasionally need to strip quarantine attributes for legitimate reasons, for example:

  • Developers testing apps
  • IT staff deploying internal tools
  • System administrators

Consider using Workshop tags to exempt specific users or hosts.

Resources