Sequoia 15.4 refusing to open files - possible malware

I just updated to 15.4. Trying to open a simple text file (with srt extension) pops this up: "Apple could not verify" xxxx.srt "is free of malware that may harm your Mac or compromise your privacy." Some other srt files open fine.


This is a dealbreaker for me if I can't disable this "feature". I know I can go burrowing into settings and exempt this one file. No. How do I turn off the whole thing?

MacBook Pro 16″

Posted on Apr 1, 2025 2:06 PM

Question marked as Top-ranking reply

Posted on Apr 3, 2025 2:06 PM

Dessicator wrote:

etresoft, why do you think that's a malware site? I've downloaded many subtitles from it. They have nothing but subtitles in them, and I've never had any trouble.

Any subtitle file that I click on opens up this very respectable looking new "Browser Update" window:


I've obscured the name of the site, but I left the very respectable "xyz" TLD.


To display that page, it redirects to a couple of other similarly respectable domains first. One of those URLs is 12 lines long. It isn't doing these redirects via standard HTTP methods. The first redirect is done via Javascript somewhere on the site itself. I didn't bother to look where. The second redirect is also done via Javascript, but this time using very respectable and very obfuscated Javascript.


Normally I would look at these things on the command line with curl or similar. That didn't work in this case. I had to use Safari's Web Inspector timeline. I must have clicked on links at least 30 times altogether.


But curiously, one of those clicks via Safari's Web Inspector actually didn't give me the whole respectable redirection. It gave me a different page with what may have been download links. So it's a website that seems to be able to detect when it's being inspected and alter its behaviour to work more legitimately in that scenario. OK, then!


I did once get a page for the "Best Crypto Casino and Online Sports Betting". Sadly, it wasn't available in my jurisdiction. Maybe because we have laws here?


I keep trying. Now I get a page where I can "Get paid for testing apps, games & surveys". Sure. Oh, look. I can sign in with Google or Facebook, but not Apple. Bummer.


But still I keep trying. I am able to get that legitimate-looking download page one more time. I click on one of the "translate" buttons and I'm back to the original redirector.


But wait! The "English" version has a "download" button. I click that - still the redirection. In not a single case was I able to download an SRT file.


If this really is a source of 10,364,786 subtitles, then perhaps Apple is right to associate SRT files with malware.


31 replies

Apr 10, 2025 5:05 AM in response to Dessicator

Here's the simplest workaround I found for opening .srt files without triggering the Mac OS 15.4 malware warning. It's not quite as easy as double-clicking but it's a little easier than opening an application and then using the File > Open or dragging a file into that application. As others have noted, simple double-clicking, right-click > Open with... and other methods force you to get rid of the malware warning for each file that is downloaded or that you make fresh, etc... The method here allows editing such .srt files without dealing with the malware warning.


It uses BBEdit and involves right-clicking an .srt (or multiple .srt's) and selecting Open File in BBEdit from the context menu (see image). To customize your context menu like this go to System Settings > Keyboard > Services > Files and Folders > and check the box for Open File in BBEdit (optional: add a shortcut key)

Notice that there is also a box to check for "Open Selected File in TextEdit" but I couldn't get that to work.


If anyone comes up with something simpler than this, let me know.


Apr 3, 2025 11:30 AM in response to Hans Luijten

Hans Luijten wrote:

I know reporting may not do a thing, but not reporting for sure doesn't do a thing 😉

It gives you 3-30 minutes of your life to spend in meaningful, pleasurable, and/or entertaining endeavours that you would have otherwise spent writing that feedback, running sysdiagnose, developing a set of procedures to reproduce the bug, giving examples, making video recordings, etc. And then there is the cost in time and blood pressure when you read Apple's nonsensical reply to your bug report 3 months later.


Do I sound jaded to you?


Not quite sure how malware can be embedded in an ASCII file though - besides maybe bad JavaScript pulling in code from elsewhere? I honestly do not know. Not trying to argue that this cannot be done, I just do not know how.

I think you're reading too much into the output from that "file" command-line tool. How much of an analysis does it do on that text? And how can it analyze how a given extension has been used to deliver executable code in other contexts, malicious or not?


Furthermore, the fact that it's a text file is irrelevant. The issue here is that you're double-clicking it. That kicks off some kind of automated process. Maybe it opens the file in a text editor like BBEdit. Maybe it opens the file in some kind of script interpreter, which BBEdit also is, and executes it. Script interpreters are every bit as powerful as binary apps, and their scripts can be obfuscated to an even greater degree.


I agree that this is an inconvenience. But this is the state of the world we live in. No longer do we wait until some hacker living in his parents' basement finds some exploit during the rare moments when he's not live-streaming his gameplay on Twitch. Instead, we have teams of very highly-paid software engineers hammering on Apple products 24/7 until they find a way in. If Apple doesn't patch the bug in 90, they release it to those basement hackers and social media influencers.


And ... it was not a problem until 15.4 😞

I reproduced your example on 15.3.2.


Apr 3, 2025 6:27 AM in response to Hans Luijten

Hans Luijten wrote:

+1 here for ".inc" files (used in Pascal), which are also plain text files as well.

This is a prime example of two problems that appear similar, but are not.


No one was able to reproduce the problem with ".srt" files. But it is possible to reproduce this with ".inc" files. So kudos to you for posting a reply instead of following the OP's suggestion to disable your system security.


Not sure what Gatekeeper is expecting to find in a simple plain text file.

It's expecting to find some kind of executable code.


Observations:
".md" and ".pas" files open just fine without a Malware nonsense dialog popping up.

Apparently, Markdown used to be the example for this kind of behaviour. I don't know if Apple has changed that for Markdown or if the system is actually inspecting the contents. But regardless, I cannot reproduce this, even with Markdown containing HTML with Javascript.


Unfortunately, Markdown is very popular and Pascal is not.


• Looking at file info (in Forklift) shows the content just fine of these blocked files.

That's what you'll have to do with these files. You can always open them in some other app. You just won't be able to double-click them in the Finder.


ps I did report this issue with "Feedback Assistant" as well (applefeedback://), I recommend others to do the same thing so it may appear on Apple's blooper radar.

Don't get your hopes up. Remember that you are trying this with vanilla ".inc" files that are harmless. There is a huge industry dedicated to hacking Apple products. I'm not talking about a few guys in dark rooms wearing hoodies. I'm talking about trillion-dollar international corporations. They have probably figured out that they can construct a malicious ".inc" with executable code that bypasses Gatekeeper due to it being considered "text". Therefore, Apple has to be more careful. It doesn't matter if this is an extremely rare situation that only affects 8 people in the world. Most of those "update your Apple device now!" viral stories that you see on social media involve these extremely rare situations that only affect 8 people in the world.


Apr 3, 2025 2:14 AM in response to Dessicator

+1 here for ".inc" files (used in Pascal), which are also plain text files as well.

Not sure what Gatekeeper is expecting to find in a simple plain text file.


The "file" command in Terminal reports it as "ASCII Text".

How is this embedding malware?


The file was downloaded from GitHub, and before the "update" to 15.4 they opened just fine.


Observations:

  • ".md" and ".pas" files open just fine without a Malware nonsense dialog popping up.
  • Looking at file info (in Forklift) shows the content just fine of these blocked files.

Apr 1, 2025 3:50 PM in response to Dessicator

How are you getting these files?


What you're describing is the Gatekeeper security system. Normally that only applies to apps downloaded from the internet. People often report this kind of problem where Gatekeeper protection is being incorrectly applied to documents. But as of this date, years after the fact, no one has ever been willing to provide any detailed information. Therefore, the problem remains unsolved and unsolvable.


Lacking any information, my best guess is that some 3rd party app was involved at some point and that app did something wrong. I don't know what else to tell you. I had never heard of SRT files before. I guess they are subtitle files. So I found a YouTube video, pasted it into a link, downloaded the SRT file. And it opens fine.


<shrug>


Apr 3, 2025 8:45 AM in response to Dessicator

Dessicator wrote:

Hey etresoft, I didn't suggest to Hans or anyone else to "disable their system security" or any part of it.

You posted a link to a site that recommends and instructs people on how to disable their system security so they can be infected with actual malware.


I made the choice for myself to disable that particular feature because nobody came up with a good alternative.

Try downloading an srt from [malware site redacted] can reproduce it.

LOL!


Apr 3, 2025 9:47 AM in response to etresoft

I know reporting may not do a thing, but not reporting for sure doesn't do a thing 😉


Not quite sure how malware can be embedded in an ASCII file though - besides maybe bad JavaScript pulling in code from elsewhere? I honestly do not know. Not trying to argue that this cannot be done, I just do not know how. And ... it was not a problem until 15.4 😞


Apr 3, 2025 3:43 PM in response to Dessicator

I think it's time to put this thread to bed.


I tried again with the OP's site using my 15.4 machine. This time it only took me about 5 clicks to get to an actual "download" page. Of course the "download" buttons don't work. But I was able to right click on the download link and use the "copy link" function. I could then paste that into a new Safari tab and download an actual SRT file from the OP's site.


And guess what? I double-click on it and it works fine. It opens up in VLC.


At first, I was just going to chalk this up to the OP actually downloading malware from that site hosting subtitles from BitTorrent videos. But when I tried changing the SRT file to open with BBEdit instead, then I got the same malware warning. I don't remember if I had tried that on 15.3.2 or not.


But what this means is that the operating system requires that you have an app that advertises the capability of opening a given file. If not, then you won't be able to double-click it. The file can still be opened in a variety of other methods. So if I leave everything on default, then VLC is the only app that officially supports SRT files. I can double-click the file and it opens right up in VLC. I don't have any of the actual torrent videos to test with, but I assume it would work.


Apr 8, 2025 4:11 AM in response to Dessicator

I have exactly the same problem.

The issue is in place for all *.properties files. As a developer, you have plenty of them. None of them is downloaded from the Internet but from some repository.

After the update to 15.4, none of these files can be opened e.g. from Finder.

I have associated the BBEdit application for opening all *.properties files. The BBEdit application has been installed from the App Store. But whenever I try to open any property file, I need to explicitly allow it for each single file, which takes like three clicks and you need to go to Settings as well. This drives me crazy!

The only thing which helped was to delete the com.apple.quarantine attribute by using the xattr command.

But that is just a workaround and of course would never work for any new file.


@Apple - please allow this setting to be system wide - to allow certain files to be opened directly by selected application.

Thx.

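Added example, not from any poster in this thread: a small Python helper that reads and decodes the com.apple.quarantine value mentioned above, so you can see which application quarantined a file, and when, before deciding what to do with it. The attribute is read with the macOS `xattr -p` command; the sample value and its UUID are constructed, and the field layout (hex flags; hex seconds since the epoch; agent name; event UUID) is the one Gatekeeper's quarantine attribute uses.

```python
"""Decode the com.apple.quarantine extended attribute that Gatekeeper checks.

Added example for this thread (not any poster's code). The attribute value is a
semicolon-separated string: hex flags; hex seconds since the Unix epoch; the
name of the app that downloaded or created the file; an optional event UUID.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ATTR = "com.apple.quarantine"

# Constructed sample: the kind of value `xattr -p com.apple.quarantine foo.srt`
# prints for a file Safari downloaded on 2025-04-01 16:54:03 UTC.
SAMPLE_VALUE = "0083;67ec1a2b;Safari;0F0E0D0C-0B0A-4908-8706-050403020100"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    event_uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Split a raw quarantine value into typed fields (UUID may be absent)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, downloaded_at, parts[2], event_uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute with macOS `xattr -p`; None if the file is not quarantined."""
    proc = subprocess.run(["xattr", "-p", ATTR, path], capture_output=True, text=True)
    if proc.returncode != 0:  # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(proc.stdout)


def describe(q: Quarantine) -> str:
    return (f"quarantined by {q.agent} at {q.downloaded_at:%Y-%m-%d %H:%M:%S} UTC "
            f"(flags 0x{q.flags:04x}, event {q.event_uuid or 'n/a'})")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        q = read_quarantine(path)
        print(path, "->", describe(q) if q else "no quarantine attribute")
    if not sys.argv[1:]:
        print(describe(parse_quarantine(SAMPLE_VALUE)))
```

Run it with one or more file paths to see which app applied the quarantine; a file that shows no attribute at all is not what Gatekeeper is complaining about.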

Apr 8, 2025 4:15 AM in response to Dessicator

The linked page describes how to get rid of the notification and configuration for an application which was downloaded from an "untrusted" source.

But the described problem is not about opening application at all.

It is about opening plain text files, like *.srt, *.properties etc.


Apr 3, 2025 12:26 PM in response to Hans Luijten

Hans Luijten wrote:

I know reporting may not do a thing, but not reporting for sure doesn't do a thing 😉


While I agree with you in principle, I disagree it's a bug or anything Apple will take a serious interest in addressing.


It has been my experience that, when addressed, legitimate bug reports will generally fall into one of several categories.


They are:


  • addressed within a macOS update or two, or
  • bounced back to the user with some questions to be answered, or requesting additional data, or
  • comprehensively bundled into a feature released in some future product upgrade, or
  • identified as "performing as designed / expected" or words to that effect.


That last category is the most frustrating when something so clearly isn't. More on that later.


Again, this is for legitimate, demonstrable and repeatable bugs that can reliably be produced on an unmodified system. If the so-called "bug" is due to some third party product incompatibility, the most Apple will ever do is to forward it to the product developer. Unless that developer is large and influential and represents a significant risk to Apple's customer satisfaction, I doubt they will do even that much. In such cases the developer and Apple have a mutual interest in fixing things. Mutual interest is the only circumstance in which anything ever gets fixed.


Now... for legitimate bug reports indicating something should be working when it isn't, and for which Apple's reply appears to be inexplicably curt, there is a reason for that too. That reason may not become apparent until a future product or service or OS upgrade obviates the complaint, nullifying its relevance. That can take years. I can think of a number of examples for both Macs and iOS. The passage of time and product improvements is what makes that reply sensible in retrospect. Apple's engineers might even take an active interest in your concern, requesting additional data, reports, logs, feedback, etc. right up to the moment their project manager tells them to stop. If they should protest, the hapless engineer is told "you don't need to know."



In the case of the OP, the answer to "how do I turn off the whole thing" is you can't. Not if you mean that literally, and certainly not without making compromises I would not recommend to the casual user who represents the overwhelming majority of Apple's customer base.


If you were to file a bug report Apple is nearly certain to say it's "performing as designed / expected" or words to that effect, because it is. The user will need to implement a workaround. But if you are motivated to file feedback or a bug report, go ahead. I won't discourage you. I just wanted to let you know what to expect.


Apr 2, 2025 5:56 AM in response to Dessicator

These are movie subtitle files that are UTF-8 (with BOM) text, with CRLF line terminators. The only Finder Open With application that presents itself on my Mac is the VLC player — which is not the correct tool to singularly view these subtitles.


Launching BBEdit and asking it to open one of these *.srt files won't work. However, if one chooses to install the BBEdit Command Line Tools from its application menu, then in the Terminal:

bbedit /path/to/foo.srt


will open the file in a new BBEdit window with line endings translated and normal text entries for timeframe and translation text.


