Q&A: MacFixIt Answers

Readers ask about the OS X quarantine system, hot-corner triggers, and file locks in iWork.

MacFixIt Answers is a feature in which I answer Mac-related questions sent in by our readers.

This week, readers asked questions about how the OS X quarantine system works for managing malware, why items disappear from the screen when the mouse is moved to the corner, and what to do about iWork creating file locks on external disks.

I welcome contributions from readers, so if you have any suggestions or alternative approaches to these problems, please post them in the comments!

Question: How OS X detects and quarantines malicious files
MacFixIt reader Dhiraj asks:

I am working on a Mac and I want to know how Mac detects a particular file downloaded from the internet as malicious. I will be thankful if you could guide me to a malware signature database on my Mac.

Answer:
Apple does not have a quarantine database in OS X; rather, it will append a quarantine flag to a file, which will trigger the system to notify you if you try to open the file. As such, quarantining is done on a per-file basis, and not by any central database.

This feature is only carried out by quarantine-aware programs such as Messages and Safari (and third-party programs that support this), so when a file is downloaded by these programs, it is flagged and checked for whether or not it is a "safe" file.

Part of the quarantining process is done by Apple's XProtect routine (in OS X 10.6 or later), which scans the files for known malware and will notify you of the potential danger if you try to open the file. These malware definitions are updated daily and are stored in the following locations on your system:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

The first one contains information on when XProtect was updated and what versions of Flash and Java are allowed to run on your system, and the second contains the list of malware definitions for XProtect.


Question: Items disappearing from screen when mouse moves to the corners
MacFixIt reader "fdavis41" asks:

When I place my mouse at the lower right bottom of screen, all desktop images disappear, forcing retrieval. What's up with that?

Answer:
This may be happening if you have hot corners activated. Go to the Apple menu and choose System Preferences, and then choose "Desktop & Screen Saver." Then click the Screen Saver tab and click the Hot Corners button, and you should see a panel that appears which has drop-down menus for actions when your mouse is placed in the far corners of the screen. For the lower-right corner, choose the dash ("-") from the drop-down menu to disable any actions when the mouse is placed in this corner. Do the same for other corners, and you should be good to go.


Question: iWork creating file locks on external disks
MacFixIt reader Barry asks:

After double-clicking a Numbers or Pages file that is on a USB pen drive (to open the file in its corresponding iWork app) and then closing the file, Finder returns an error alert that the file is in use when I try to eject the pen drive. Finder behaves as if the file were still open in the iWork app when, in fact, it is not. Can the pen drive be ejected without having to quit the iWork app? If so, how?

I have tried the Terminal command "diskutil unmountDisk force /Volumes/DISK_NAME" without success.

Answer:
If the system is not releasing the file lock, then attempts at unmounting the drive will result in an error. iWork should not hold such a lock on the drive, so if the problem is persisting then I would recommend backing the drive up, partitioning and formatting it with Disk Utility, and then copying the files back to it.

If you ultimately need to eject the drive, and if Terminal commands are unsuccessful, then first ensure you are not accessing the drive (close all folders and open documents on it, and then let it idle for a few seconds), and then unplug it from your system. This will result in an error message about needing to properly eject the drive, but you will have it free. This will not affect the system at all, but has the potential to cause corruption in the drive, especially if it is both actively being accessed and if the drive does not have a "journaled" format such as the default Mac OS Extended (Journaled) format that is used by default in OS X.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Read the full CNET Review

Mac OS X 10.9 Mavericks

The Bottom Line: As it's a free upgrade that gives you more apps, improved features across the board, and better performance, there is really no reason not to get Mavericks on your Mac. / Read full review

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    ARTICLE DISCUSSION

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    Saving your life at speed and in style

    Volvo have been responsible for some of the greatest advancements in car safety. We list off the top ways they've kept you safe today, even if you don't drive one.