About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X
OS X improves download validation by providing file quarantine in applications that download files from the Internet. This means that
downloads are checked for safety (known malware) when you try to open
them.
File Quarantine
File quarantine-aware applications that download files from the
Internet, or receive files from external sources (such as email
attachments), attach quarantine attributes.
- Quarantine-aware applications include Safari, Messages, iChat and Mail.
- These attributes include date, time, and a record of where the file was downloaded from.
When you open a file received through a quarantine-aware application,
OS X warns you where the file came from. You receive an alert asking,
"Are you sure you want to open it?" You should click Cancel if you
have any doubts about its safety.
If you have multiple user accounts on your Mac, the user account that
downloaded the file is the only user account that can remove the
quarantine attribute on a file. All other user accounts can open a
quarantined file, but they are still presented with an alert asking
"Are you sure you want to open it?" every time they open the file.
Known malware check
Mac OS X Snow Leopard v10.6 and later also check for known instances
of "malware", or malicious software. When you open a quarantined
file, OS X checks to see if it includes known malware. If so, an alert
message similar to the following appears:
If you see "(file name) will damage your computer," you should click
Move to Trash.
If the file is a disk image, you should click Eject Disk Image and
then delete the source file.
Tip: Click the Help icon in the lower left corner of the alert message
for more information about malware.
Blocking web plug-ins
To help limit exposure to potential "zero day" exploits from web
plug-in enabled content, OS X also blocks specific versions of web
plug-ins from functioning – including Java web apps, or Adobe Flash
content. Typically an update to the web plug-in is available on the
same day, or shortly after OS X blocks the web plug-in. Install the
new update to restore web plug-in function.
Gatekeeper
OS X Lion v10.7.5 and later include Gatekeeper, a technology that
allows developers to sign applications. Signed applications normally
don't present an alert when you download and open them. Files that
other applications download from the Internet get file quarantine
attributes, but without the date, time, and link of the downloaded file.
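When reviewing a downloaded file, the quarantine attributes described under File Quarantine can be decoded, including the case noted above where the date, time, and link are missing. The following Python code is an added example, not part of the original article and not Apple's code. It assumes the value is stored in the com.apple.quarantine extended attribute (readable on a Mac with xattr -p com.apple.quarantine <file>) as four semicolon-separated fields: hex flags, hex Unix time, application name, and a record identifier. The sample values and the application name ExampleDownloader are constructed.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class QuarantineInfo(NamedTuple):
    flags: int                         # raw flag bits, left uninterpreted
    downloaded_at: Optional[datetime]  # None when no time was recorded
    agent: Optional[str]               # application that attached the attribute
    record_id: Optional[str]           # assumed to reference the download record

def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hex_time;agent;record_id' (assumed layout, see lead-in)."""
    parts = value.strip().strip("\x00").split(";")
    if not parts[0]:
        raise ValueError("empty quarantine value")
    parts += [""] * (4 - len(parts))   # pad fields the writer left out
    flags_hex, ts_hex, agent, record_id = parts[:4]
    try:
        flags = int(flags_hex, 16)
    except ValueError:
        raise ValueError(f"bad flags field: {flags_hex!r}") from None
    when = None
    if ts_hex:
        try:
            when = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            when = None                # unparsable time: report it as missing
    return QuarantineInfo(flags, when, agent or None, record_id or None)

def triage(value: str) -> str:
    """One-line summary suitable for a review log."""
    q = parse_quarantine(value)
    when = q.downloaded_at.isoformat() if q.downloaded_at else "no timestamp"
    record = "record id present" if q.record_id else "no record id"
    return f"{q.agent or 'unknown app'} | {when} | {record}"

# Constructed sample values, not taken from a real system.
SAMPLES = [
    "0083;5f5e1000;Safari;11111111-2222-3333-4444-555555555555",
    "0081;5f5e1000;ExampleDownloader;",  # hypothetical app, no record id
    "0082;;;",                           # attribute without date, time, or link
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```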
Advanced users only
You can toggle the ability of File Quarantine to receive updates from
Apple about malware and web plug-ins.
Important: Deselecting this option disables the ability to identify
new malware, and leaves your Mac vulnerable to new malware without
notification.