Editing Filename extension (section)

== Security issues ==
File extensions alone are not a reliable indicator of a file's type, as the extension can be modified without changing the file's contents, such as to disguise [[malware|malicious content]]. Therefore, especially in the context of [[cybersecurity]], a file's true nature should be examined for [[file signature|its signature]], which is a distinctive sequence of bytes affixed to a file's header. This is accomplished using file identification software or a [[hex editor]], which provides a [[hex dump]] of a file's contents.<ref>{{cite book|last1=Aquilina|first1=James M.|last2=Casey|first2=Eoghan|author2-link=Eoghan Casey|last3=Malin|first3=Cameron H.|date=2008|url=https://books.google.com/books?id=lRjO8opcPzIC&q=extension%20signature&pg=PA211|title=Malware Forensics: Investigating and Analyzing Malicious Code|publisher=[[Syngress]]|pages=211, 298–299|isbn=978-1-59749-268-3|access-date=2025-02-25}}</ref> For example, on [[UNIX-like]] systems, it is not uncommon to find files with no extensions at all,<ref name="Skoudis-2004">{{cite book|last1=Skoudis|first1=Ed|last2=Zeltser|first2=Lenny|date=2004|url=https://books.google.com/books?id=TKEAQmQV7O4C&pg=PA32|title=Malware: Fighting Malicious Code|publisher=[[Prentice Hall]]|pages=32–34, 253–254|isbn=0-13-101405-6|access-date=2025-02-25}}</ref> as commands such as <code>[[file (command)|file]]</code> are meant to be used instead, and will read the file's header to determine its content.{{citation needed|date=February 2025}}

Malware such as [[Trojan horse (computing)|Trojan horse]]s typically takes the form of an [[executable]], but any file type that performs [[input/output]] operations may contain malicious code. A few [[data file]] types such as [[PDF]]s have been found to be vulnerable to exploits that cause [[buffer overflow]]s.<ref name="Grimes-2001">{{cite book|last1=Grimes|first1=Roger|date=August 2001|url=https://books.google.com/books?id=1HYlDwAAQBAJ&pg=PA71|title=Malicious Mobile Code: Virus Protection for Windows|publisher=[[O'Reilly Media]]|pages=41–42, 71–74, 221–222, 395–396, 422|isbn=1-56592-682-X|access-date=2025-02-25}}</ref> There have been instances of malware crafted to exploit such vulnerabilities in some Windows applications when opening a file with an overly long, unhandled filename extension.

[[File manager]]s may have an option to hide filenames extensions. This is the case for [[File Explorer]], the file browser provided with [[Microsoft Windows]], which by default does not display extensions. Malicious users have tried to spread [[computer virus]]es and [[computer worm]]s by using file names formed like <code>[[ILOVEYOU|LOVE-LETTER-FOR-YOU.TXT.vbs]]</code>. The idea is that this will appear as <code>LOVE-LETTER-FOR-YOU.TXT</code>, a harmless text file, without alerting the user to the fact that it is a harmful computer program, in this case, written in [[VBScript]].<ref name="Grimes-2001"/> The default behavior for [[ReactOS]] is to display filename extensions in [[Windows Explorer|ReactOS Explorer]]. Later Windows versions (starting with [[Windows XP Service Pack 2]] and [[Windows Server 2003]]) included customizable lists of filename extensions that should be considered "dangerous" in certain "zones" of operation, such as when [[download]]ed from the [[World Wide Web|web]] or received as an e-mail attachment. Modern [[antivirus software]] systems also help to defend users against such attempted attacks where possible.{{citation needed|date=February 2025}}

A virus may couple itself with an executable without actually modifying the executable. These viruses, known as ''companion viruses'', attach themselves in such a way that they are executed when the original file is requested. One way such a virus does this involves giving the virus the same name as the target file, but with a different extension to which the operating system gives priority, and often assigning the former a "hidden" [[file attribute|attribute]] to conceal the malware's existence. The efficacy of this approach depends on whether the user attempts to open the intended file by entering a command and whether the user includes the extension. Later versions of DOS and Windows check for and attempt to run <code>[[COM file|.COM]]</code> files first by default, followed by <code>.EXE</code> and finally <code>[[batch file|.BAT]]</code> files. In this case, the infected file is the one with the <code>[[COM file|.COM]]</code> extension, which the user unwittingly executes.<ref name="Skoudis-2004"/><ref name="Grimes-2001"/>

Some viruses take advantage of the similarity between the "[[.com]]" [[top-level domain]] and the <code>.COM</code> filename extension by emailing malicious, executable command-file attachments under names superficially similar to URLs (''e.g.'', "myparty.yahoo.com"), with the effect that unaware users click on email-embedded links that they think lead to websites but actually download and execute the malicious attachments.{{citation needed|date=February 2025}}