Dear community,
under macOS 15.6.1 (24G90) on a Mac Studio, the Mac refuses to open files (eg. a pdf written by my—legally used and up to date—InDesign) and warns about alleged malware. The same Mac opened that same file yesterday without hesitation, and the file hasn’t been altered since.
Would anyone know what is going on here?
Thanks!
Mac Studio, macOS 15.6
Is it Apple Security or some third-party Security that is complaining...?
EtreCheckPro is an excellent tool for finding and sorting out various problems.
Download and run the free version of EtreCheckPro, from > https://etrecheck.com/en/index.html
Then post back here with your Report, as per > How to use the Add Text Feature When Post… - Apple Community
Hello all,
my apologies, forgive my very belated reply, for some reason I haven't been notified of your replies. (I'll look into that next.)
It is Apple Security that is complaining. 'll attach the EtreCheck report and the warning screenshot.
Thanks !
Get rid of the VPN. Using a VPN to access the Internet does absolutely nothing to protect your privacy or secure your data.
The only legitimate reason to use a VPN is to connect remotely to a secure private network to access resources on that network such as file and application servers provided by your employer or school.
FWIW similar alert was recently issued when opening data files such as .xmp, .webp, .mod, .dat etc if they happened to contain com.apple.quarantine flag.
macOS Sequoia 15.6 fixed that at least for .xmp.
How to permanently allow opening .webp fi… - Apple Community
Control-click the .pdf and select "Open" from the contextual menu.
If that doesn't give you the opportunity to open it, go to Settings/Privacy & Security and scroll down to "Security".
You may see a message saying the file was blocked but giving you the chance to open it anyway at your own risk.
It is extremely unlikely that the VPN has any bearing on the matter.
Would this Issue somehow be related to
Unverified Fonts used in the PDF from InDesign ?
[Running] com.linotype.FontFolderProtector.plist (Linotype GmbH - installed 2025-06-19)
[Other] com.greenworldsoft.syncfoldersprohelper.plist (VADIM ZYBIN - installed 2025-06-20)
https://www.greenworldsoft.com/
As for not getting notifications of new posting
Apple is still working on fixing this issue, that was introduced somewhere around Aug 21
Hello
Thanks a lot all of you.
VPN is off, to no avail unfortunately. (It usually is—there is actually one other scenario for a VPN. I need to access web sites in Mexico. For some reason, many are geo blocked. When in Europe, a VPN is the only way in that I know of.)
Yes, security setting allow for an override. I'd still like to know what causes this, also because it's not the first time this happened. But I take it (from How to permanently allow opening .webp fi… - Apple Community — thanks btw., I hadn't seen that) the problem lies with the system, that is: with Apple. Well.
On that note—I'm not sure it helps pursuing this any further, beyond a feedback to Apple hoping for a fix. Yet if anyone has any other idea—lead the way.
For now: Thanks once more!
So, now. Yes, good idea. I didn't realise this (com.linotype.FontFolderProtector.plist is a FontExplorerX process) was still running. It shouldn't. In this case, I don't see how this could be the problem as the pdf in question contains nothing but vectors. However, I could do a detailed analysis using Acrobat's preflight tools. There seem to be some inconsistencies there that I'll try to do some research on (in particular, preflight claims to have found CMY where there should be K only and where separations see no other colours than K anywhere). Whether that has any bearing on the matter I do not know.
Nikolai Franke wrote:
So, now. Yes, good idea. I didn't realise this (com.linotype.FontFolderProtector.plist is a FontExplorerX process) was still running. It shouldn't. In this case, I don't see how this could be the problem as the pdf in question contains nothing but vectors. However, I could do a detailed analysis using Acrobat's preflight tools. There seem to be some inconsistencies there that I'll try to do some research on (in particular, preflight claims to have found CMY where there should be K only and where separations see no other colours than K anywhere). Whether that has any bearing on the matter I do not know.
There are those far more expert in Fonts than me
I will step way, at this point
XProtect or Gatekeeper flagged your PDF after Apple’s latest security update.
Even if the file hasn’t changed, Apple’s malware definitions update silently and sometimes false-flag newly signed or InDesign-generated files. First, try moving the PDF to a different folder (like Desktop) and open it again. If it still blocks, Control-click > Open to bypass once. If this keeps happening, run spctl --assess --verbose /path/to/file.pdf in Terminal to confirm what’s triggering the block.
If it’s an Apple flag, you’ll need to wait for the next definition update or re-export the PDF with a new signature from InDesign.
Nikolai Franke wrote:
Hello
Thanks a lot all of you.
VPN is off, to no avail unfortunately.
If an app is involved, "off" is often not actually "off". You need to remove it entirely for the test to be valid.
(It usually is—there is actually one other scenario for a VPN. I need to access web sites in Mexico. For some reason, many are geo blocked. When in Europe, a VPN is the only way in that I know of.)
I specifically mentioned "legitimate" reasons to use a VPN. Bypassing a geoblock to access content that is restricted is not a 'legitimate' scenario. It is at best a violation of the terms of use for the content you're attempting to access and at worse a crime.
MacOS quarantines PDFs and other files downloaded from the internet for security reasons, preventing them from opening directly. This feature, part of macOS's Gatekeeper, adds a attribute to downloaded files to protect your system from potential malware. To open the file, you need to manually override the security block. It is possible that Apple Gatekeeper is flagging PDF's offshore in high risk locales. It is very possible to embed malware into a PDF. The 15.6.1 security fix was for an Image API flaw that allowed a malicious image to break macOS security. Not surprising Apple started flagging more potentially suspicious image formats.
Open a specific quarantined PDF
Use System Settings for persistent access
If the right-click method doesn't work or you want to grant persistent access, you can use System Settings:
Use the Terminal to remove the quarantine attribute
For a more permanent fix, you can remove the quarantine attribute directly from the file using the Terminal. Use this method only if you are certain the PDF is safe.
Additional troubleshooting
Hello iamshivam, thanks. Moving the file to another location changed nothing, however making a copy of it to my surprise did. That copy opens as it should.
Terminal answers:
rejected
source=no usable signature
Does that tell you anything?
Hello KiltedTim, yes, that actually makes sense. I never thought of it because I use the same web sites as when I'm there (like home depot and such), difference is that I don't make purchases from over here but have the people I work with on site (in Mexico) do them. I don't really believe that does any harm, but technically I suppose you are right. Problem is I can't do my job any other way.
Yes if you are creating the PDF yourself and not downloading it. It should not be setting a quarantine flag on the PDF. But Gatekeeper is part of Xprotect which is the built-in anti-malware. Apple may be getting aggressive about particular PDF contents using techniques similar to the bad actors embedding malware. Unfortunately, Apple Security is very tight lipped and won't discuss the details beyond the bare essential.
Malware Warning About a File I Created
