I got tired of seeing ransomware slip through because attackers just rename malware.exe to invoice.pdf. So I built a tool that validates file extensions against magic numbers in real time.
What it does:
- Monitors file creation/modification using inotify (Linux) or watchdog (Windows)
- Checks if invoice.pdf is actually a PDF (magic number validation)
- Quarantines mismatched files automatically
- Outputs SIEM-ready JSON logs (Splunk/ELK/Wazuh compatible)
- SHA256 hashing + user attribution
Why I built this:
During a recent IR engagement, we found ransomware that got past AV by being renamed to .docx. A simple magic number check would've caught it immediately.
Install (one command):

```
# Linux
curl -sSL https://raw.githubusercontent.com/AnasRm01/file-validator/main/install.sh | sudo bash

# Windows
# Download and run install-windows.bat
```
Use cases I'm seeing:
- Web server upload directories (/var/www/uploads)
- Shared network drives
- Employee Downloads folders
- Compliance logging (PCI-DSS requires FIM)
Performance:
- <10MB RAM, <1% CPU
- Event-driven (not scanning loops)
- Tested on CentOS, Ubuntu, Windows 10/11
GitHub: https://github.com/AnasRm01/file-validator
Open to feedback! What other file types should I add?
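The magic-number check the post describes, as an added illustration (my example, not code from the file-validator repository): it compares a file's claimed extension with its leading bytes and emits one JSON record per file. The signature table, verdict names and sample file contents are constructed for the example.

```python
"""Extension-vs-magic-number check, as an added example (not the file-validator project's code)."""
import hashlib
import json

# Leading byte signatures mapped to the extensions that legitimately carry them. Office Open XML
# files (.docx/.xlsx/.pptx) are ZIP containers and share the ZIP signature; plain text has no
# signature at all, so a .txt can never be validated (or flagged) this way.
MAGIC = [
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "scr", "sys"}),
    (b"\x7fELF", {"elf", "so", "bin"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
]

def sniff(data: bytes):
    """Return the extensions implied by the leading bytes, or None if no signature matches."""
    for sig, exts in MAGIC:
        if data.startswith(sig):
            return exts
    return None

def check(name: str, data: bytes) -> dict:
    """Compare the claimed extension against the sniffed type; return a SIEM-style record."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts = sniff(data)
    if not ext:
        verdict = "no_extension"  # normal for Linux binaries: report separately, not as a mismatch
    elif exts is None:
        verdict = "unknown_type"  # nothing to compare against (e.g. .txt, .csv)
    elif ext in exts:
        verdict = "match"
    else:
        verdict = "mismatch"      # e.g. an MZ executable renamed to invoice.pdf
    return {"file": name, "claimed_ext": ext, "detected": sorted(exts) if exts else [],
            "verdict": verdict, "sha256": hashlib.sha256(data).hexdigest()}

if __name__ == "__main__":
    # Constructed sample contents (only the leading bytes matter for sniffing).
    samples = {"invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # renamed Windows executable
               "report.docx": b"PK\x03\x04\x14\x00\x06\x00",   # genuine OOXML document
               "real.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
               "notes.txt": b"quarterly numbers attached\n"}
    for fname, content in samples.items():
        print(json.dumps(check(fname, content)))  # one JSON line per file, SIEM-friendly
```

Note that the shared ZIP signature means a .xlsx renamed to .docx passes this check; only a mismatch between container type and extension is caught, which is exactly the renamed-executable case the post targets.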