---
title: "Prevent Quarantine Attribute Stripping | Security Cookbook"
description: "Block xattr commands that strip or forge Gatekeeper quarantine attributes, stopping attackers from bypassing first-launch signature checks."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-quarantine-stripping"
---

### Idea

macOS's Gatekeeper is supposed to prevent untrusted software from running on a Mac. When you download a file from the internet on macOS, it gets tagged with a quarantine extended attribute (com.apple.quarantine), which triggers Gatekeeper to prompt the user that this file was downloaded from the internet or came from an external source, before allowing it to run. However, the attribute can be stripped away with a single `xattr` command — or forged with a value that marks the file as already-approved — which skips the checks when the user opens the app. Workshop and Santa's CEL rules can block the most common quarantine-stripping and quarantine-forgery patterns.

### Solutions

Block Quarantine Stripping (Execution rule)

Prevent xattr from removing quarantine attributes

Signing ID

`platform:com.apple.xattr`

CEL Expression

```
(
  args.exists(a, a.matches("^-[a-z]*[dw][a-z]*$")) &&
  args.exists(a, a == "com.apple.quarantine")
) || args.exists(a, a.matches("^-[a-z]*c[a-z]*$"))
? BLOCKLIST : ALLOWLIST
```

Custom Message

Removing quarantine attributes is not allowed

### MITRE ATT&CK

Tactics

-   [Defense Impairment](https://attack.mitre.org/tactics/TA0112/)

Techniques

-   [T1553.001: Gatekeeper Bypass](https://attack.mitre.org/techniques/T1553/001/)
-   [T1685: Disable or Modify Tools](https://attack.mitre.org/techniques/T1685/)

### Tags

xattr, quarantine, gatekeeper

### Deployment Notes

This rule blocks three `xattr` operations: deleting the quarantine attribute (`-d com.apple.quarantine`), writing a forged "already-approved" quarantine value (`-w com.apple.quarantine ...`), and clearing all extended attributes with the `-c` flag family (which removes quarantine along with everything else). Bundled flag variants such as `-dr`, `-rc`, and `-crv` are caught as well, because the patterns match any single-dash flag group containing `d`, `w`, or `c`. The first two branches only fire when `com.apple.quarantine` appears as its own argument, so listing (`-l`) or printing (`-p com.apple.quarantine`) attributes, and deleting attributes other than quarantine, remain allowed.

Legitimate use is rare but not unheard of — the `-c` family in particular is sometimes used by power users managing extended attributes, so that branch will generate more noise than the quarantine-specific branches. Because the rule keys on the `platform:com.apple.xattr` signing ID, it applies only to Apple's `xattr` binary; it won't stop any other program that calls the `removexattr()` and `fremovexattr()` system calls directly. Make sure to test this in your environment before deploying widely.
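To check exactly which `xattr` invocations the rule above blocks and which it lets through, the following is an added Python re-implementation of the rule's CEL predicate, run over constructed argument lists. It is example code written for this page, not part of the cookbook, Santa or Workshop. It assumes `args` is the argument vector after the executable path (the verdict is unchanged if argv[0] is present, since `xattr` matches neither flag pattern), and it uses `re.search` together with the rule's own `^...$` anchors to mirror CEL's unanchored `matches()`. The forged quarantine value is a placeholder, not a real approval string.

```python
import re

# Patterns copied from the cookbook rule. CEL's matches() is unanchored,
# which is why the rule anchors them itself; re.search reproduces that.
DELETE_OR_WRITE_FLAG = re.compile(r"^-[a-z]*[dw][a-z]*$")
CLEAR_FLAG = re.compile(r"^-[a-z]*c[a-z]*$")
QUARANTINE_ATTR = "com.apple.quarantine"


def rule_verdict(args):
    """Evaluate the cookbook's CEL expression over an xattr argument list.

    Assumption: `args` is the argument vector after the executable path.
    Returns "BLOCKLIST" or "ALLOWLIST", matching the rule's ternary.
    """
    # Branch 1: a flag group containing d (delete) or w (write) ...
    has_delete_or_write = any(DELETE_OR_WRITE_FLAG.search(a) for a in args)
    # ... combined with the quarantine attribute named as its own argument.
    names_quarantine = QUARANTINE_ATTR in args
    # Branch 2: any flag group containing c (clear all attributes).
    has_clear = any(CLEAR_FLAG.search(a) for a in args)

    if (has_delete_or_write and names_quarantine) or has_clear:
        return "BLOCKLIST"
    return "ALLOWLIST"


# Constructed sample command lines (not taken from the page), covering each
# branch, each documented bundled-flag variant, and the benign operations
# that should stay allowed. "<forged-value>" is a placeholder.
SAMPLES = {
    "strip":           ["-d", QUARANTINE_ATTR, "/tmp/Example.app"],
    "strip-recursive": ["-dr", QUARANTINE_ATTR, "/tmp/Example.app"],
    "forge-approved":  ["-w", QUARANTINE_ATTR, "<forged-value>", "/tmp/Example.app"],
    "clear-all":       ["-c", "/tmp/Example.app"],
    "clear-recursive": ["-rc", "/tmp/Example.app"],
    "clear-verbose":   ["-crv", "/tmp/Example.app"],
    "list":            ["-l", "/tmp/Example.app"],
    "print":           ["-p", QUARANTINE_ATTR, "/tmp/Example.app"],
    "delete-other":    ["-d", "com.apple.metadata:kMDItemWhereFroms", "/tmp/Example.app"],
}


def classify_all(samples=SAMPLES):
    """Return {sample name: verdict} for every constructed command line."""
    return {name: rule_verdict(args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16} {verdict}")
```

Running it shows the six quarantine-stripping, forging and clearing variants landing on `BLOCKLIST` while `-l`, `-p com.apple.quarantine`, and deletion of an unrelated attribute stay on `ALLOWLIST`; if you tune the regexes for your environment (for example to drop the noisier `-c` branch), re-run the same samples to confirm the allowed cases did not change.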

### False Positive Guidance

Power users occasionally need to strip quarantine attributes for legitimate reasons:

-   Developers testing apps
-   IT staff deploying internal tools
-   System administrators

Consider using Workshop tags to exempt specific users or hosts.

### Resources

-   [MITRE ATT&CK - Gatekeeper Bypass](https://attack.mitre.org/techniques/T1553/001/)

