Opened 13 years ago

Closed 10 years ago

Last modified 10 years ago

#2009 closed Enhancement (fixed)

quarantine downloaded files

Reported by: bthomas
Owned by: livings124
Priority: Normal
Milestone: 2.50
Component: Mac Client
Version: 1.52
Severity: Normal
Keywords:
Cc: transmissionbt@…

Description

Transmission, as a download client, should quarantine downloaded files. From Launch Services release notes for 10.5 (http://developer.apple.com/releasenotes/Carbon/RN-LaunchServices/index.html):

File Quarantine is a new feature in Leopard designed to protect users from trojan horse attacks. It allows applications which download file content from the Internet to place files in “quarantine” to indicate that the file could be from an untrustworthy source. An application quarantines a file simply by assigning values to one or more quarantine properties which preserve information about when and where the file came from.

Quarantining files comes from either

1) Specifically using the LSSetItemAttribute API to set quarantine attributes. This allows transmission to set additional information that will be displayed to the user, e.g. the source URL (such as shown when downloading from Safari).

2) Simply adding "LSFileQuarantineEnabled" = true to Info.plist. This will opt Transmission in to Quarantine, and all files saved by Transmission will be automatically quarantined. This is not an appropriate option if Transmission needs to save out other files, that are not downloaded from the internet, but the user is supposed to double-click on (i.e., temporary files are OK).

Attachments (1)

quarantine.diff (2.2 KB) - added by bsteinb 12 years ago.


Change History (36)

comment:1 Changed 13 years ago by Gimp

Safari can have files download on their own in the background when you visit a site. Opening a torrent in Transmission is a manual task, and when doing that you accept that it's from a trusted source.

comment:2 Changed 13 years ago by bthomas

That's not quite the purpose of Quarantine. Quarantine is intended for all applications that download files, regardless of if the user is aware of it or not. Quarantine is used as such (from the linked documentation):

"When the Launch Services API is used to open a quarantined file and the file appears to be an application, script, or other executable file type, Launch Services will display an alert to confirm the user understands the file is some kind of application."

Since files downloaded with Bittorrent are often untrusted, and average users can't be expected to fully investigate whether every file they download is executable (given the various means of disguising executables on OS X), additionally KNOW all the executable/untrusted formats, Quarantine is necessary for all downloaded files.

comment:3 Changed 13 years ago by John Clay

  • Resolution set to wontfix
  • Status changed from new to closed

As Gimp said, this function applies best in a scenario where files may be downloaded without the user's knowledge. Torrents are explicitly downloaded by the user, so they know full well what they're downloading.

comment:4 Changed 12 years ago by jah

  • Resolution wontfix deleted
  • Status changed from closed to reopened

comment:5 Changed 12 years ago by jah

One of the more recent trojans was contained in a pirated copy of iWork spread on BitTorrent. This feature would have completely eliminated that particular threat as the sig for that trojan is in the Snow Leopard plist.

Regardless of whether or not torrenting is a 'manual operation', files are downloaded from the internet, and are hence subject to risk - even more so when you consider what the vast majority of people use this application for.

Assuming it is not difficult to implement (I don't have a clue), it just seems like a no brainer to me.

comment:6 Changed 12 years ago by livings124

  • Resolution set to wontfix
  • Status changed from reopened to closed

As discussed earlier, the quarantine is more appropriate for apps that download file in the background. Of course a user that downloads a file will click open when the quarantine window comes up. A trojan in pirated content is a risk that users engaging in such activities will have to take. Quarantine won't protect them afaict.

comment:7 Changed 12 years ago by bthomas

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Apple describes apps that use quarantine as: "File quarantine-aware applications that download files from the Internet or receive files from external sources (such as email attachments) will attach file quarantine attributes. " (http://support.apple.com/kb/HT3662)

Your belief that "quarantine is more appropriate for apps that download file in the background" is only a belief, and not based on any documentation. Additionally, the current applications that opt-in to quarantine disprove your theory – Firefox, which doesn't support drive-by-downloads, and Mail, where you must double-click on attachments to open them.

In fact, 10.6 makes it more apparent that file quarantine is intended to be the gatekeeper between the untrusted domain of the internet, and the user's trusted domain (their filesystem). Quarantine protects not just against malware, but also against disguised applications, and also against other files that are unsafe to open.

The responsibility is just too hefty for the individual user to shoulder. They have to know all the ways to disguise applications, know all the document types that are unsafe to open from untrusted sources, and know all the current malware on OS X. It's for this reason that OS X supplies a way to do the heavy lifting for the user.

comment:8 Changed 12 years ago by kjg

  • Resolution set to wontfix
  • Status changed from reopened to closed

As mentioned above, both Web Browsers and Mail clients are capable of downloading files without user interaction. For example you can receive an unsolicited email with an attachment. Also, you can visit a webpage which automatically downloads a file.

However, with Transmission you can only receive files that you have actively sought out to download. The quarantine IS NOT a malware checker as far as I can tell. The only thing it does is tell you where the file came from when you try to open it.

In the case of trojan mentioned above, the person would have certainly clicked the "OK, I know this is from the internet" button. This would not have prevented them from getting the trojan.

comment:9 Changed 12 years ago by Gimp

Regarding kjg's comment, Snow Leopard's quarantine is actually a malware checker and will detect a couple of the trojans out there, and warn you that the file you're trying to open contains the malware. See http://www.slashgear.com/wp-content/uploads/2009/08/snow_leopard_anti-virus-540x2351.jpg for example.

comment:10 follow-up: Changed 12 years ago by charles

I don't have a Mac and don't care one way or the other about whether or not this feature gets implemented, but to me the question is, where are the users asking for this feature.

bthomas is not a Transmission user. This is a drive-by ticket he's filed, identical to a drive-by in the utorrent forums and a drive-by in the Vuze forums.

By my count, only one user (jah) has asked for this.

comment:11 follow-up: Changed 12 years ago by livings124

Gimp: are you sure that dialog is part of the quarantine feature?

comment:12 in reply to: ↑ 11 Changed 12 years ago by Gimp

Replying to livings124:

> Gimp: are you sure that dialog is part of the quarantine feature?

No, I am not sure if it's a part of the quarantine feature, all I know is it exists as well. If it is separate, however, that makes it even better. If we could implement the malware-checker without the full quarantine, then we could solve the "damaging" issue without making things annoying.

comment:13 Changed 12 years ago by livings124

I assume the "malware checker" is just part of the OS.

comment:14 Changed 12 years ago by jah

  • Resolution wontfix deleted
  • Status changed from closed to reopened

@livings124: the screenshot Gimp posted is definitely part of the Quarantine feature in Snow Leopard. See this link for general info, which was in my ticket that you closed. http://www.macworld.com/article/142457/2009/08/snowleopard_malware.html

As far as I can tell, it only brings up the 'warning' for 'risky' files, like executables etc. If you download a movie, I don't think you will get the dialogue - just like if you download a movie in Safari, you don't get that dialogue when you open it.

As for users asking for this feature, given the anti-malware part is very very new (as it only arrived with Snow Leopard), I'm sure many users don't even know about it yet - but would be glad to have the feature included.

As I have already said, regardless of whether the responsibility lies with the user or not, the fact is that BitTorrent is a major vector for malware on Mac OS X. Given that this seems like a simple way to leverage the OS to protect against that, why wouldn't you want to do this??

Cheers

comment:15 Changed 12 years ago by bsteinb

If the developers are indeed interested in this functionality, but do not want to put an effort into this at the moment (seeing that there may be more interesting things to play with, now SL is out), I would offer to implement this. Just wanted to check that there is no duplicate effort.

comment:16 Changed 12 years ago by nate

I would love to see this feature implemented in Transmission. Hopefully it would reduce the chance of similar iWork trojans.

Changed 12 years ago by bsteinb

comment:17 Changed 12 years ago by bsteinb

For now I have put the quarantine functionality into libtransmission. Putting it in the Mac OS X GUI application seems to be more sensible, but to my knowledge there is no easy way for the application to know when exactly a file is created on disk and the metainfo cannot be set until the file is existent.

Also, I am still facing problems with the actual quarantine mechanisms. That is, the metainfo seems to be attached to the file (as reported by the xattr utility) but the Finder does not show the quarantine dialog upon opening a file. Maybe someone can test this.

comment:18 Changed 12 years ago by bthomas

The dialog will only appear when you're opening an "unsafe" file: try downloading an app.

comment:19 Changed 12 years ago by bsteinb

Yes, downloading an app solved that problem. Earlier I only tested with an .app that was packaged in a .zip file and apparently the unarchiver does not propagate the quarantine meta info to the unpacked files. Copying an .app from a .dmg on the other hand does.

comment:20 Changed 12 years ago by bthomas

It should, how did you open the zip? Did you use OS X built-in unarchiver (Bom) or a 3rd party (e.g. StuffIt)?

comment:21 Changed 12 years ago by bsteinb

You are right. I checked again. When unpacking the file with The Unarchiver.app [1] the quarantine attribute is not propagated. Using the built-in unarchiver, quarantine works as expected. Thanks for your input.

[1] - http://wakaba.c3.cx/s/apps/unarchiver.html
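The check discussed in comments 17 to 21 (is the tag on the file, and did it survive unpacking?) can be scripted. The following is an added example, not part of the ticket or of bsteinb's patch: it parses the value printed by `xattr -p` and lists files that carry no usable tag. The attribute name `com.apple.quarantine` and the `flags;hex-timestamp;agent;event-id` layout are assumptions based on commonly observed values, not on this page; the sample listing, agent name and event id are constructed.

```python
import subprocess
from datetime import datetime, timezone
from typing import NamedTuple, Optional

QUARANTINE_XATTR = "com.apple.quarantine"  # assumed attribute name, not from the ticket

class Quarantine(NamedTuple):
    flags: int        # hex flag word, left uninterpreted here
    when: datetime    # time the file was tagged (UTC)
    agent: str        # name of the application that tagged the file
    event_id: str     # opaque event identifier, may be empty

def parse_quarantine(value: str) -> Quarantine:
    """Parse an assumed 'flags;hex-epoch;agent;event-id' value as printed by `xattr -p`."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)                      # ValueError if not hex
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_id = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, when, parts[2], event_id)

def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the tag from a file with the macOS xattr utility; None if the file is untagged."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return parse_quarantine(proc.stdout) if proc.returncode == 0 else None

def untagged(listing: dict) -> list:
    """Given {path: raw attribute value or None}, return paths lacking a parseable tag."""
    missing = []
    for path, raw in sorted(listing.items()):
        try:
            if raw is None:
                raise ValueError("no attribute")
            parse_quarantine(raw)
        except ValueError:
            missing.append(path)
    return missing

# Constructed listing: one tagged download, one app unpacked by a tool that
# did not propagate the tag, and one file with a malformed value.
SAMPLE = {
    "Downloads/presentation.mov.app":
        "0081;4ab8e2c0;Transmission;5C3D0E0A-1B2F-4C6D-8E9F-0A1B2C3D4E5F",
    "Downloads/unpacked/Installer.app": None,
    "Downloads/notes.txt": "garbage",
}
```

On a Mac, build the listing by calling `read_quarantine` on each file under the download directory; `untagged(SAMPLE)` shows the result for the constructed data.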

comment:22 Changed 12 years ago by plambert

I would definitely like to see this feature.

It's very easy to make a file that looks like it is a movie, image, text file, etc, but is actually an application. Quarantine will protect me and other users against malicious deception—it'd be hard for a typical user to be able to tell otherwise.

For an example of intentional deception of this nature, look at the "Read Me" files that Apple distributes in many of their software installers: they are actually applications, which open a PDF or RTF file in the user's language.

comment:23 Changed 12 years ago by John Clay

  • Resolution set to wontfix
  • Status changed from reopened to closed

kjg: "Apple describes apps that use quarantine as: "File quarantine-aware applications that download files from the Internet or receive files from external sources (such as email attachments) will attach file quarantine attributes. " ( http://support.apple.com/kb/HT3662)

Your belief that "quarantine is more appropriate for apps that download file in the background" is only a belief, and not based on any documentation. Additionally, the current applications that opt-in to quarantine disprove your theory – Firefox, which doesn't support drive-by-downloads, and Mail, where you must double-click on attachments to open them.

In fact, 10.6 makes it more apparent that file quarantine is intended to be the gatekeeper between the untrusted domain of the internet, and the user's trusted domain (their filesystem). Quarantine protects not just against malware, but also against disguised applications, and also against other files that are unsafe to open.

The responsibility is just too hefty for the individual user to shoulder. They have to know all the ways to disguise applications, know all the document types that are unsafe to open from untrusted sources, and know all the current malware on OS X. It's for this reason that OS X supplies a way to do the heavy lifting for the user."

comment:24 Changed 12 years ago by John Clay

Crap, wrong paste. I blame early morning and a severe lack of caffeine :)

kjg: "As mentioned above, both Web Browsers and Mail clients are capable of downloading files without user interaction. For example you can receive an unsolicited email with an attachment. Also, you can visit a webpage which automatically downloads a file.

However, with Transmission you can only receive files that you have actively sought out to download. The quarantine IS NOT a malware checker as far as I can tell. The only thing it does is tell you where the file came from when you try to open it.

In the case of trojan mentioned above, the person would have certainly clicked the "OK, I know this is from the internet" button. This would not have prevented them from getting the trojan."

comment:25 Changed 12 years ago by bsteinb

  • Resolution wontfix deleted
  • Status changed from closed to reopened

According to Apple, file quarantine is a malware checker as of 10.6, see http://support.apple.com/kb/HT3662

comment:26 Changed 12 years ago by jah

@John Clay, no offence, but you really should read comments in the ticket before closing it, especially when they contradict your reasons for closure. Why are you so against this feature (this isn't the first time you've closed the ticket)? Especially since a user has been kind enough to contribute a patch??

comment:27 Changed 12 years ago by plambert

The purpose of quarantine is not only to protect users from drive-by downloads and other activity they didn't initiate, but also from masquerading applications, et al.

If a user intentionally downloads a torrent file, believing its contents to be a .mov file of a presentation they wanted to see, but its actual contents are a trojan application called "presentation.mov.app", the quarantine will warn them as they open it.

This is certainly not unreasonable behavior, to protect users from files they did not actively seek out to download.

What drawbacks would there be to including this?

comment:28 follow-up: Changed 12 years ago by charles

  • Summary changed from Transmission (Mac OS X) doesn't quarantine downloaded files to quarantine downloaded files
  • Type changed from Bug to Enhancement

comment:29 in reply to: ↑ 28 Changed 12 years ago by dethbunny

  • Cc transmissionbt@… added

So, if there's a patch for this, and considered an open issue, is there a reason the patch has not been applied? What needs to be improved with it? Perhaps an #ifdef or two to make sure things compile for GTK+ etc.?

comment:31 in reply to: ↑ 10 Changed 11 years ago by jordan

Replying to charles:

> I don't have a Mac and don't care one way or the other about whether or not this feature gets implemented, but to me the question is, where are the users asking for this feature. By my count, only one user (jah) has asked for this.

Seventeen months later, five users (jah, bsteinb, nate, plambert, dethbunny) have requested this, and bsteinb has written a patch. However, nobody's spoken up on this ticket in over a year.

I still don't have a Mac and still don't care whether this feature gets added or not, but it seems pointless to leave this ticket open without deciding...

comment:32 Changed 11 years ago by livings124

  • Resolution set to wontfix
  • Status changed from reopened to closed

Decided.

comment:33 Changed 10 years ago by livings124

  • Resolution wontfix deleted
  • Status changed from closed to reopened

comment:34 Changed 10 years ago by livings124

  • Milestone changed from None Set to 2.50
  • Resolution set to fixed
  • Status changed from reopened to closed

comment:35 Changed 10 years ago by collegeitdept

livings124,

Thanks for fixing/adding this feature!

I was wondering if you have tested it to see if OS X properly scans... does it work? So that way Mac users are caught in a false-positive situation and it's too late.

comment:36 Changed 10 years ago by livings124

It properly tags the files. Everything else is up to the OS.
