Q&A: MacFixIt Answers

MacFixIt Answers is a feature in which I answer Mac-related questions sent in by our readers.

This week, readers asked questions about how the OS X quarantine system works for managing malware, why items disappear from the screen when the mouse is moved to the corner, and what to do about iWork creating file locks on external disks.

I welcome contributions from readers, so if you have any suggestions or alternative approaches to these problems, please post them in the comments!

Question: How OS X detects and quarantines malicious files
MacFixIt reader Dhiraj asks:

I am working on a Mac and I want to know how Mac detects a particular file downloaded from the internet as malicious. I will be thankful if you could guide me to a malware signature database on my Mac.

Answer:
Apple does not have a quarantine database in OS X; rather, it will append a quarantine flag to a file, which will trigger the system to notify you if you try to open the file. As such, quarantining is done on a per-file basis, and not by any central database.

This feature is only carried out by quarantine-aware programs such as Messages and Safari (and third-party programs that support this), so when a file is downloaded by these programs, it is flagged and checked for whether or not it is a "safe" file.

Part of the quarantining process is done by Apple's XProtect routine (in OS X 10.6 or later), which scans the files for known malware and will notify you of the potential danger if you try to open the file. These malware definitions are updated daily and are stored in the following locations on your system:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

The first one contains information on when XProtect was updated and what versions of Flash and Java are allowed to run on your system, and the second contains the list of malware definitions for XProtect.

Question: Items disappearing from screen when mouse moves to the corners
MacFixIt reader "fdavis41" asks:

When I place my mouse at the lower right bottom of screen, all desktop images disappear, forcing retrieval. What's up with that?

Answer:
This may be happening if you have hot corners activated. Go to the Apple menu and choose System Preferences, and then choose "Desktop & Screen Saver." Then click the Screen Saver tab and click the Hot Corners button, and you should see a panel that appears which has drop-down menus for actions when your mouse is placed in the far corners of the screen. For the lower-right corner, choose the dash ("-") from the drop-down menu to disable any actions when the mouse is placed in this corner. Do the same for other corners, and you should be good to go.

Question: iWork creating file locks on external disks
MacFixIt reader Barry asks:

After double-clicking a Numbers or Pages file that is on a USB pen drive (to open the file in its corresponding iWork app) and then closing the file, Finder returns an error alert that the file is in use when I try to eject the pen drive. Finder behaves as if the file were still open in the iWork app when, in fact, it is not. Can the pen drive be ejected without having to quit the iWork app? If so, how?

I have tried the Terminal command "diskutil unmountDisk force /Volumes/DISK_NAME" without success.

Answer:
If the system is not releasing the file lock, then attempts at unmounting the drive will result in an error. iWork should not hold such a lock on the drive, so if the problem is persisting then I would recommend backing the drive up, partitioning and formatting it with Disk Utility, and then copying the files back to it.

If you ultimately need to eject the drive, and if Terminal commands are unsuccessful, then first ensure you are not accessing the drive (close all folders and open documents on it, and then let it idle for a few seconds), and then unplug it from your system. This will result in an error message about needing to properly eject the drive, but you will have it free. This will not affect the system at all, but has the potential to cause corruption in the drive, especially if it is both actively being accessed and if the drive does not have a "journaled" format such as the default Mac OS Extended (Journaled) format that is used by default in OS X.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.