it's in `mdls` info, likewise if you have santa it...
# macos
it's in
info, likewise if you have santa it can give you the same info (although it would only get logged/scraped when it's an executable being launched, not unpacked from another artifact)
Agree, quick note both mdls and extended_attributes table will not show the origin url if you use incognito/private mode to download the file
yup, it's circumventable a bunch of ways, for a while it was opt-in by e.g. chat clients and browsers for if they would implement applying the quarantine attribute, etc.