Gatekeeper in Practice

[Graphic Omitted]

When push comes to shove, this is what Gatekeeper does. It automatically detects and stops suspicious operations and notifies you of the event.

This alert tells you what program appears to have been responsible for the suspicious operation (Kermit), what privilege the program attempted to violate (Res(System)), and who the intended victim was (the System file). For the technical and the curious, it also includes in brackets the name of the actual Toolbox or OS operation that was blocked (AddResource) and what its immediate intent was (to add a resource of type 'nVIR' with an ID number of 0 to the System file).

In this case the operation being stopped was an attempt by the nVIR virus to implant itself in a Macintosh's System file. But what if you didn't know about the nVIR virus? How would you determine whether or not this was an operation that should have been permitted?

Unfortunately, there's no perfect method. The first thing to do is to run John Norstad's Disinfectant utility, version 3.3 or later, to check for known viruses. If Disinfectant gives your Mac a clean bill of health, you're probably safe. If you're still not sure whether or not that operation should have been permitted, there are a few rules of thumb that take care of most situations, so, when in doubt, ask yourself the following questions:

Does the program modify, create, install, decode, recover or restore applications, extensions or control panels? If so, it'll need some type of File privilege.

NOTE: Gatekeeper does not require that self extracting archives (SEAs) created by Compact Pro, StuffIt, Zoom or Disk Doubler have any privileges in order to operate. These types of SEAs are handled as special cases internally, so they can be used without privileges and without worry.

Does the program modify, create, install or delete resources that contain programs? If so, it'll need some type of Res privilege. Some of the most common examples of resources that contain programs are desk accessories, FKEYs, and HyperCard's XCMDs and XFCNs.

If none of these cases seem to fit your situation, or you're just not sure, check with others who might have relevant knowledge - users groups can be good places to find such people.

If none of the programs listed in the examples above sound very familiar to you, don't worry: most programs don't need any privileges.