
Wrong package identified - ident package overwriting File init (pick) package within main.unpack() #31

@timeaston

I noticed some large ELF binaries having a package set as 'js' instead of 'generic' due to strings found within and the fact that the ident.py identifiers check by looking across the entire file contents. As one mitigation method, should the buffer/contents being checked be limited to 0x1000 to align with the check at the top of the identifier function (`if not f.stream.read(0x1000):`)?

Was the purpose of overwriting the package predominantly for archives? Is it worth placing a conditional within main.unpack() along the lines of:

```python
if f.type == "container":  # or != "file" ?
    ident(f)
```
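
An added illustration of the behaviour reported above (not part of the original issue and not the project's code): the helper names, the JS patterns and the ELF-like blobs are constructed assumptions. It compares whole-file matching with the two proposed mitigations and shows that the 0x1000 limit alone still mislabels a small binary whose strings fall inside that window.

```python
import re

HEAD = 0x1000  # same window as the `f.stream.read(0x1000)` check quoted in the issue

# Hypothetical JavaScript heuristics; the project's real identifier
# patterns are not shown on the page.
JS_HINTS = [re.compile(p) for p in (
    rb"\bfunction\s*\(", rb"\bvar\s+\w+\s*=", rb"document\.write\(")]

def looks_like_js(buf, min_hits=2):
    """Content-only heuristic: true when enough JS-like patterns occur."""
    return sum(1 for p in JS_HINTS if p.search(buf)) >= min_hits

def unpack_pkg(data, init_pkg, ftype, limit=None, containers_only=False):
    """Model of the overwrite step: return the package after re-identification.

    limit           -- scan only the first `limit` bytes (first proposal)
    containers_only -- skip re-identification unless ftype == "container"
                       (second proposal)
    """
    if containers_only and ftype != "container":
        return init_pkg
    buf = data if limit is None else data[:limit]
    return "js" if looks_like_js(buf) else init_pkg

# Constructed samples: ELF magic, zero padding, then embedded JS-like strings.
JS_STRINGS = b"var cfg = 1; function (x) { document.write(x) }"
BIG_ELF = b"\x7fELF" + b"\x00" * 0x2000 + JS_STRINGS    # strings past 0x1000
SMALL_ELF = b"\x7fELF" + b"\x00" * 0x200 + JS_STRINGS   # strings inside 0x1000

def demo():
    return {
        "big, whole file": unpack_pkg(BIG_ELF, "generic", "file"),
        "big, 0x1000 limit": unpack_pkg(BIG_ELF, "generic", "file", limit=HEAD),
        "small, 0x1000 limit": unpack_pkg(SMALL_ELF, "generic", "file", limit=HEAD),
        "small, containers only": unpack_pkg(SMALL_ELF, "generic", "file",
                                             containers_only=True),
    }

if __name__ == "__main__":
    for case, pkg in demo().items():
        print(f"{case:24s} -> {pkg}")
```
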
