What does File Quarantine do for you on your Mac?

When you attempt to open a file from the internet using Safari, or from an attachment to an email in the Mail program, the operating system will pop up a window warning you that the file comes from the internet and ask whether you really do want to open it. After you’ve seen this message a few times relating to different downloads, it’s tempting to start thinking that the operating system is being a bit of a nanny and trying to save you from yourself (which, of course, you don’t need as you’re a perfectly rational person capable of making your own mind up).

However, this is not the only job that the Mac’s File Quarantine does. When you come to open the file, it also checks whether the file contains any known malware. Both of those words are important:

  • Known – as with all security programs on computers, there is always a small chance that something nasty is roaming around cyberspace and lands on your computer before the program that should check for it has become aware of it.
  • Malware – File Quarantine is not looking for computer viruses and it’s not looking for Adware (programs that pop adverts up at you).

Figure 2. Malware has been detected

If File Quarantine does detect malware then it will display the dialog box shown in figure 2. Since you have already got the file in your system, you should respond by clicking on the “Move to trash” button. Clicking on the “Cancel” button will cancel your attempt to open the file, but it will still be left on your system. If the file is a “disk image” rather than a normal file then the options will be to “Cancel” or “Eject Disc Image”. Click on the latter option.

You can read more about File Quarantine at this Apple web page.

If you decide that File Quarantine is just nannying you and annoying you, then you can actually turn it off. This is achieved by opening a window in Terminal, entering the following command, and then re-booting the machine:

defaults write com.apple.LaunchServices LSQuarantine -bool NO

To turn File Quarantine back on, just repeat the command, but type “YES” instead of “NO”.

Having pointed that out (and you can read a bit more about it at Mactips), I don’t recommend turning File Quarantine off. As long as you have a fairly recent version of Mac OS X, the popup window only appears the first time you open something downloaded from the internet. I think it’s worth having to click through that one window in order to keep the benefits of having OS X check for known malware.
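The warning and the malware check are both driven by an extended attribute, com.apple.quarantine, that Safari and Mail stamp on each download (on a Mac you can see it with: xattr -p com.apple.quarantine yourfile). The parser below is an added example, not code from this post; it assumes the commonly documented layout of that value (flags; download time as hex seconds since the Unix epoch; downloading app; event UUID), and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Layout of the com.apple.quarantine value (assumed, as commonly documented):
#   "<flags hex>;<download time, hex Unix seconds>;<agent>;<event uuid>"
# The agent is the app that fetched the file; the UUID keys the download's
# row in the per-user quarantine events database, which we do not read here.

@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    event_uuid: Optional[str]

def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode the text of a com.apple.quarantine attribute."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] or "(unknown)"
    # Some entries carry no UUID; treat an empty fourth field as absent.
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, event_uuid)

def describe(value: str) -> str:
    """One-line summary of where a quarantined file came from and when."""
    q = parse_quarantine(value)
    return (f"downloaded by {q.agent} on {q.downloaded_at:%Y-%m-%d %H:%M:%S} UTC "
            f"(flags 0x{q.flags:04x}, event {q.event_uuid or 'n/a'})")

# Constructed sample values (not taken from any real machine).
SAFARI_DOWNLOAD = "0081;5d4b8c2e;Safari;7E3B1C2A-0F4D-4E6B-9A1C-123456789ABC"
MAIL_ATTACHMENT = "0083;5d4b9000;Mail;"

if __name__ == "__main__":
    for value in (SAFARI_DOWNLOAD, MAIL_ATTACHMENT):
        print(describe(value))
```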

As mentioned above, File Quarantine will not prevent the lesser threats posed by Adware getting onto your computer. In the world of Windows PCs, I recommend Malwarebytes and Spybot to clean a machine of known threats. In the world of Macs it’s a bit piecemeal. To add to the protection offered by File Quarantine, you can download and run a free program called AdwareMedic.

It’s very simple to download and run AdwareMedic and it should only take it a minute or so to check your system. See figure 4 for a results screen when I ran it on my MacBook Pro. I’d never seen any evidence of Adware on the Mac, but it’s still good to know that something unpleasant has been removed.

Figure 4. AdwareMedic found this piece of adware on my MacBook Pro

If you still think you have an adware problem after running AdwareMedic then visit this AdwareMedic page for further advice. The suggestions on that page are largely concerned with problems that you think may be adware but which are, in fact, something else (such as your browser Home Page or your chosen Search Engine having been changed).

The next time that an IT horror story breaks through into mainstream consciousness, it could well be caused by CryptoLocker

What is CryptoLocker?

It’s a horrible piece of malware that encrypts the most common types of data files on your computer (especially Microsoft data files such as Word documents and Excel spreadsheets). Once attacked, you cannot get access to those files unless you pay the perpetrators to decrypt them. Strangely, it appears that paying the ransom does actually get you the “key” to unlock your files again. Maybe the “perps” are very clever and have realised that if they get a reputation for “honouring their promise” (huh?), then sufferers will be more likely to take a risk and pay.

At this point, Mac users are permitted a smirk – CryptoLocker only attacks Windows computers.

How do you get it?

It’s usually downloaded as an email attachment when the user is duped into accepting something that looks like a pdf file, but isn’t. I received a similar thing just a few days ago (although it displayed as a zip file in this instance). Take a look at Figure 1. It appears to be from Amazon and it would be very easy indeed to apply 20% of my attention to it and just open the attachment. I don’t know if this one contains CryptoLocker, but I do know that this message is fake. Look at the “sent” address. Since when did Amazon send emails out in the name of “crescenzireider@yahoo”?

Figure 1. Fake email message that may contain CryptoLocker or other malware

Also, this just isn’t how Amazon send despatch notices etc. and, anyway, I have a system (of sorts!) for tracking Amazon orders and know I’ve got nothing outstanding. So, I haven’t opened the attachment and this has kept me safe from any “payload” it may have (and don’t worry – you can’t catch anything from Figure 1: it’s just a harmless image file by the time you see it).

Other common ways of getting you to open an infected file include faking the attachment as a FedEx or UPS delivery note, or faking a document from your bank.

Once you’ve been infected, you will be presented with a demand for money (typically $100 or $300) and a short time (4 days) to pay up. If you don’t pay in that time then your files go to data heaven. The bad guys “forget” the key that will unlock them and that’s that. Moreover, if your regular backups are made on other hard drives on your own computer then those backups are also at risk. Apparently, the malware isn’t yet configured to look in networked drives, but that’s got to be just a matter of time.

Figure 2. If you see this window, you’ve got problems

How do you stop it?

If you are working in a large or medium organisation (with IT staff) then Windows can be configured to stop you opening all kinds of attachments that are “executables”. This is probably neither possible nor practical for the average home user. To begin with, you need to have Windows 7 Professional, Ultimate, or Enterprise (ie not Windows 7 Home). If you have Windows 8, it needs to be either the Pro or Enterprise version. If you are using Vista you are unlucky, and if you are still using Windows XP then here’s yet another reason to move on – Microsoft support for Windows XP is ending. There is, anyway, a danger of throwing the baby out with the bathwater. Putting restrictions in place to stop you opening a fake file would probably also stop you opening genuine ones – very annoying.

Another thing you can do is to change the view of your files in Windows Explorer so that file extensions are always displayed. This may alert you to the fact that a file that appears to be called “readme.pdf” is actually “readme.pdf.exe”.
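The “readme.pdf.exe” trick works because Explorer hides the last extension of a known file type, so only the decoy extension is visible. The script below is an added example, not code from this post: it classifies attachment names by their real (last) extension, flags the double-extension disguise, and shows the name Explorer would display with extension hiding on. The extension lists are a minimal assumed set and the sample names are constructed.

```python
from typing import List, Tuple

# Extensions Windows will execute or hand to a script host (assumed minimal set).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd",
                         "js", "jse", "vbs", "wsf", "hta", "cpl"}
# Extensions a user expects to be harmless data (assumed minimal set).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt",
                       "jpg", "png", "zip"}

def classify_attachment(filename: str) -> str:
    """Classify an attachment by the extension Windows actually acts on."""
    segments = filename.strip().lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return "no-extension"
    real_ext = segments[-1]
    if real_ext in EXECUTABLE_EXTENSIONS:
        # A document-looking segment before the real extension is the disguise.
        if any(seg in DOCUMENT_EXTENSIONS for seg in segments[1:-1]):
            return "disguised-executable"
        return "executable"
    if real_ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"

def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Name as shown with 'Hide extensions for known file types' on.
    Simplification: the last extension is dropped, so readme.pdf.exe
    appears as readme.pdf."""
    if not hide_known_extensions:
        return filename
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename

def triage(names: List[str]) -> List[Tuple[str, str, str]]:
    """(real name, name the user sees, verdict) for each attachment."""
    return [(n, displayed_name(n), classify_attachment(n)) for n in names]

# Constructed sample attachment names (not from a real mailbox).
SAMPLES = ["Order-Details.pdf", "readme.pdf.exe", "Invoice_2013.zip",
           "delivery_note.doc.scr", "setup.exe", "notes"]

if __name__ == "__main__":
    for original, shown, verdict in triage(SAMPLES):
        print(f"{shown:22} (really {original:22}) -> {verdict}")
```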

Why doesn’t antivirus software stop it?

I don’t know. I’ve been to a number of websites to help me prepare this blog and none of them are specific on this point. They just say things like “(antivirus programs) have a particularly difficult time stopping this infection” and “Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete”.

Removal

I understand that removal of the software is just a case of uninstalling it in the usual Windows way – ie go to “Programs and Features” in the Control Panel. That doesn’t decrypt your data, of course.

So, where does that leave us?

  1. We have to be even more vigilant than ever in opening email attachments. Don’t open any email attachment until you’ve looked at the email and made a definite decision that you trust the sender. For goodness sake, don’t think, “I’ll open it and just delete it if it’s crap” (which is how, I suspect, a lot of people filter their email). If it’s got CryptoLocker in it then it will be too late by the time you realise what’s happening.
  2. We have to review our data backup situation. Are you one of the millions who “haven’t got round to” creating backups? If so, do you really want to find out the hard way why they are so important? And if you do take backups, but these are just file copies on your hard drive or permanently attached drives, then my advice is to take an “offline” backup asap (eg to a USB drive or DVDs).

Sorry for delivering yet another warning of the dangers of the internet. I really don’t want to put anyone off using it, but we need to pay close attention to what we are doing. Think in terms of being “streetwise” about the internet (“cyberwise”?). You wouldn’t park your bicycle, unlocked, on Oxford Street and expect it to be there when you got back, would you? If you apply the same common sense online then I think the chances of being caught out will be greatly reduced.

What is The Registry?

The registry is a huge database on Windows computers that stores information essential for running Windows and the individual programs that are installed. It also stores information such as the lists of “most recently used” documents that are often available in programs such as word processors and spreadsheets. This database is automatically updated by Windows and the programs using it. The registry is absolutely essential for the running of a Windows computer and the integrity of its structure is also absolutely essential. Never mess with the registry unless you know what you are doing and what the consequences might be.

Why clean it?

Cleaning the registry used to be just a part of “housekeeping” to keep a Windows computer running smoothly and as fast as possible. Nowadays, though, users often encounter registry cleaners when surfing the web to find solutions to problems involving malware and viruses. In this context, the registry is a place that can harbour nasty things, so cleaning it is intended as a way of removing these.

What are Registry Cleaners?

Genuine registry cleaners are programs that scour the registry looking for, and fixing, problems with individual items such as orphan items (settings that refer to programs that are no longer installed) and redundant items (such as those referring to previous versions of installed programs). They now also claim to search the registry looking for (and removing) entries that enable malware to run. These are all tasks that are very difficult, if not impossible, to carry out manually on account of the sheer size of the registry and the difficulty for humans in deciphering just what the individual entries are.

Why not use Registry Cleaners?

Even if they do any good at all, the benefit is an insignificant drop in the ocean. I have been unable to find any evidence whatever that there is any measurable improvement to a system that has had its registry cleaned. Also, as the hardware resources have improved (size and speed of memory, hard drive space, processing speed and power), the effects of having a marginally sub-optimal registry database have probably become less significant. Indeed, Microsoft don’t even provide any method of cleaning the registry. They used to have a product called Windows Live OneCare that included a registry cleaner but support for that ceased in April 2011 and I don’t know of any successor.

Even if the registry cleaner is “well meaning” and is trying to do nothing but good to your system it may break it. And when I say “break it” I mean “really break it” – from rendering individual programs unusable to rendering the entire system unbootable. Short of a hard drive failure, this is just about as serious as it gets. Even if the risk of breaking the registry is low, the consequences of breaking it are very high so the potential marginal benefits are just not worth seeking out.

Moreover, a lot of so-called registry cleaners are not only ineffective and/or incompetent, they are also intent on doing harm. This usually takes the form of trying to convince you that your registry is full of problems and that you must pay for the program to clean the system up. This “persuasion” (by what is usually called a “scareware” program) can even extend to hijacking your system and holding you to ransom. In this case, the “registry cleaner” is out-and-out malware. The program takes control of your computer and holds it to ransom – you must buy the program to get control back. It gets much worse than that, of course, as buying their program does not guarantee that that will be the end of the issue and you have now given your credit card details to extortionists. Not wise.

What are the alternatives?

As far as optimising the registry is concerned, forget it. Life’s too short. It’s not worth worrying about and not worth taking the risk of breaking it.

As far as malware removal is concerned, use a free reputable malware removal tool such as Malwarebytes and/or Spybot.

© 2011-2017 David Leonard
Computer Support in London