
Day 13 — I Stopped Trusting File Names and Started Inspecting Files (SafeOpen v2)
Yesterday my tool only looked at the filename. Today I realised the filename is the lie attackers want you to believe.

The Moment Everything Changed

I took a harmless malicious.bat and renamed it to invoice.pdf.

My old checker (Day 12) said: “Looks safe ✅”
Windows Explorer showed: invoice.pdf (icon = PDF)

A normal user would double-click without a second thought. But the file was still a batch script.

That’s when it hit me: the operating system doesn’t execute the name. It executes the content.

Files Have Two Identities

What the user sees → filename + icon (easy to fake)
What the OS executes → magic bytes (the first 2–8 bytes of the file)

Real examples:

PDF → always starts with %PDF
Windows EXE → always starts with MZ
ELF binary (Linux) → starts with 7f ELF
ZIP (DOCX, XLSX, JAR…) → starts with PK\x03\x04

If the header says “executable” but the name says “document”, that’s a disguise. Game over for filename-only checkers.

So I rebuilt everything.

SafeOpen v2 — “Inspect Before You Execute”
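To make the “inspect before you execute” idea concrete, here is an added Python example (my own, not the post’s SafeOpen code) that compares the extension a file name claims against the magic bytes at the start of its content. It uses only the signatures listed above; the function names `verdict` and `check_file` and the sample contents are constructed for this illustration. It also covers the post’s exact scenario: a plain-text batch script has no magic bytes at all, so a renamed .bat shows up as a mismatch rather than as a recognised format.

```python
# Added example, not the post's own SafeOpen code: decide whether a file's
# extension agrees with the magic bytes at the start of its content.
from pathlib import Path

# Header signatures named in the post (all real format headers). Several
# extensions share one container: DOCX/XLSX/JAR are ZIP archives.
SIGNATURES: dict[str, bytes] = {
    "pdf": b"%PDF",
    "exe": b"MZ",
    "dll": b"MZ",
    "elf": b"\x7fELF",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "jar": b"PK\x03\x04",
}

def identify(header: bytes) -> list[str]:
    """Extensions whose signature the header matches (sorted, may be empty)."""
    return sorted(ext for ext, sig in SIGNATURES.items() if header.startswith(sig))

def verdict(name: str, header: bytes) -> tuple[str, list[str]]:
    """Compare the extension in `name` with what `header` actually is.

    MATCH     extension and header agree
    DISGUISE  header is a known format that differs from the extension
    MISMATCH  extension has a signature but the header matches nothing
              (e.g. a plain-text .bat renamed to .pdf: no magic bytes)
    UNKNOWN   no signature is known for this extension
    """
    ext = Path(name).suffix.lower().lstrip(".")
    detected = identify(header)
    if ext not in SIGNATURES:
        return "UNKNOWN", detected
    if ext in detected:
        return "MATCH", detected
    if detected:
        return "DISGUISE", detected
    return "MISMATCH", detected

def check_file(path: str) -> tuple[str, list[str]]:
    """Same check against a file on disk; only the first 8 bytes are read."""
    with open(path, "rb") as f:
        return verdict(Path(path).name, f.read(8))

# Constructed sample contents (first bytes only), mirroring the post's scenarios.
SAMPLES = {
    "invoice.pdf": b"@echo off\r\ndel ",    # batch script renamed to .pdf
    "invoice2.pdf": b"MZ\x90\x00\x03\x00",  # Windows executable renamed to .pdf
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3",   # genuine PDF
    "data.docx": b"PK\x03\x04\x14\x00",     # genuine Office (ZIP) container
}

if __name__ == "__main__":
    for fname, head in SAMPLES.items():
        print(f"{fname:14} -> {verdict(fname, head)}")
```

Treat MISMATCH and DISGUISE the same way in practice (do not open the file): in both cases the content is not what the name promises, which is the whole point of the post.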