At the risk of being contradicted, since it's been a while since I've written any assembly language code, my recollection is that all .com files start with a jmp instruction.
That's true for most, but not all. Just look at LOADFIX.COM, for example.
Just a 1 byte pattern at the start = E9 will probably work for many .COM, but may cause a number of false positive too, probably. I had done some testing in the first days of TrID about this filetype, and end up choosing to not provide a generic defs for some .COM files. But you can create & use one, off course.
Others have an .exe signature: format.com with 'MZ', diskcopy.com with 'MZ', diskcopy with 'MZ'. I havent checked the all the rest, but it does seem to me that checking these first two bytes is somewhat preferable to "unknown" -- even if you just pick up the 'MZ' signature.
Those file will in fact recognized as the EXE files they are ("Generic Win/DOS executable", or some as DLL since they share so much in common).
But since TrID has no hardcoded rules or special detection code, obviously trhere can be better identifier software for some category of files. Text based files (like sources code) are a category that is especially not well suited for TrID. Executables, while there are many that can be more or less identified, are probably another.
PEiD for example is a very good id program for executables.
It also mean that you are free to experiment creating new defs, as you see fit for your particular needs.
Bye!
