False-positives for the `msi` detection

[fazouane-marouane]

Hello

It seems that doc files (in fact all files that are CFB based, meaning: msi, doc, xls, ppt, oft...) are recognized as "msi" files.
Example of a doc file: http://www.softdoteducation.com/upload/study-notes/STNOTES_DOC_5.doc

Checking the code, I found the following:

	if (check([0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1])) {
		return {
			ext: 'msi',
			mime: 'application/x-msi'
		};
	}

The issue here is that 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 is the header signature for CFB format not msi specifically. https://msdn.microsoft.com/en-us/library/dd941946.aspx

Can we please remove this entry and discuss other ways of recognizing such files?
Thanks

---

IssueHunt Summary

hugodf has been rewarded.

Backers (Total: $40.00)

• issuehunt ($40.00)

Submitted pull Requests

• #225 reduce msi false positives (longer check)

---

Tips

• Checkout the Issuehunt explorer to discover more funded issues.
• Need some help from other developers? Add your repositories on IssueHunt to raise funds.

---

IssueHunt has been backed by the following sponsors. Become a sponsor

[karlhiramoto]

Old office docs, and msi files are all OLE/CFBF container files

• https://www.forensicswiki.org/wiki/OLE_Compound_File
• https://en.wikipedia.org/wiki/Compound_File_Binary_Format

[thehappycoder]

mmmagic detects .doc files correctly as application/msword

[fazouane-marouane]

I have something that detects doc/xls/ppt/msi... but it needs to parse the whole cfb container file and doesn’t use magic values which is not that perfect for most people. (+1ko gzipped if my memory serves me right)

[ilsundal]

I have the same issue.

wrong: (using "file-type-cli")
$ node cli.js my.doc
msi
application/x-msi

correct: (using Ubuntu's "file" command)
$ file --mime-type -b my.doc
application/msword

[ilsundal]

I have something that detects doc/xls/ppt/msi... but it needs to parse the whole cfb container file and doesn’t use magic values which is not that perfect for most people. (+1ko gzipped if my memory serves me right)

If this is the only way then so be it :)

Note that Ubuntu's "file" command/utility also works nicely (and super-fast). One option could be to investigate how it does it and then do the same in the "file-type" library.

[PhantomSophia]

FYI, if it is OK to same accuracy to libmagic (cf: http://man7.org/linux/man-pages/man3/libmagic.3.html), you can find "magic byte" list from following page:
https://github.com/threatstack/libmagic/blob/1249b5cd02c3b6fb9b917d16c76bc76c862932b6/magic/Magdir/msdos#L484

[sindresorhus]

The fix would not be to add doc support, which I'm not interested in, but rather improve the msi detection.

[issuehunt-oss]

@issuehunt has funded $40.00 to this issue.

---

• Submit pull request via IssueHunt to receive this reward.
• Want to contribute? Chip in to this issue via IssueHunt.
• Checkout the IssueHunt Issue Explorer to see more funded issues.
• Need help from developers? Add your repository on IssueHunt to raise funds.

[HugoDF]

Hi, is anyone able to provide true positive .msi files?

Using the following check I've been able to detect msi (that I've found) without having a false positive on .doc, .xls or .ppt

Full disclosure: I started with the commented out magic bytes from #162 (comment) but ended up just reading the byte stream of msi files.

check([0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x04, 0x00, 0xFE, 0xFF, 0x0C, 0x00, 0x06])