That didn't work. I'll try w/o the {}. Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
--Mark

-----Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was
> discussed here, the entry needed to be followed by {} for some unknown
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >
> > Are bytecodes individually blockable?
> >
> > --Mark
> >
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>
> >> FYI, the following were added by bytecode 306:
> >>
> >> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>
> >> -Al-
> >>
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>
> >>> I ran clamscan by hand on the files before and after the error, and it's
> >>> the file after the error. I've bumped the --bytecode-timeout to 120000,
> >>> 180000 and finally 600000 (10 minutes) and it fails for all these values,
> >>> even though the file itself is not that big (1.2M).
> >>>
> >>> This is a pretty recent phenomenon. Perhaps something introduced in a
> >>> recent update. I received bytecode.cld version 306 in freshclam starting
> >>> on July 16, 2017; which is exactly when I started seeing this warning. I
> >>> did not get the warning with version 305.
> >>>
> >>> Is this a bug?
> >>>
> >>> For now, I guess I'll just have to live with it.
> >>>
> >>> Thanks, --Mark
> >>>
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>
> >>>> It's almost certainly a file that follows S=12386 since that one is
> >>>> being reported as "OK". The file that failed might not even be listed,
> >>>> having failed the scan, although I suppose it's possible for it to be
> >>>> the next one shown.
> >>>>
> >>>> It's my understanding that not all files receive a bytecode signature
> >>>> scan, making it even more difficult to determine the problem file.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>>
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file
> >>>>> size. It's not apparent from where the Warning message is issued what
> >>>>> file is causing the warning. The 12,657 byte file couldn't have been it
> >>>>> and why would the 1,266,193 size file cause the warning and not the
> >>>>> more than twice-as-large file immediately following? Also there are
> >>>>> much larger files in this directory, up to 21M, but this is the only
> >>>>> warning issued.
> >>>>>
> >>>>> --Mark
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Mark Foley <mfo...@novatec-inc.com>
> >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>> To: clamav-users@lists.clamav.net
> >>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>>
> >>>>> OK, I'll turn that off and see what I get.
> >>>>>
> >>>>> --Mark
> >>>>>
> >>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>
> >>>>>> --infected suppresses the printing of clean file names.
> >>>>>>
> >>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>
> >>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>> My parameters are:
> >>>>>>>
> >>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>>>>>     --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>>
> >>>>>>> --Mark
> >>>>>>>
> >>>>>>>>
> >>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you
> >>>>>>>> using? I am seeing file names by default.
> >>>>>>>>
> >>>>>>>> Steve
> >>>>>>>>
> >>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>
> >>>>>>>>> It doesn't give any file names, even in the logfiles. It happens
> >>>>>>>>> when I'm running clamscan.
> >>>>>>>>>
> >>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>>>>>>>> files).
> >>>>>>>>>
> >>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>>>> increase it.
> >>>>>>>>>
> >>>>>>>>> Thanks, --Mark
> >>>>>>>>>
> >>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >>>>>>>>>> amount of processing.
> >>>>>>>>>>
> >>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
> >>>>>>>>>> bytecode signature may require attention.
> >>>>>>>>>>
> >>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
> >>>>>>>>>> clamscan and BytecodeTimeout for clamd.
> >>>>>>>>>>
> >>>>>>>>>> Steve
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> What is this? It just started happening.
> >>>>>>>>>>>
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks, Mark
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
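
The difficulty discussed in this thread, attributing a "Bytecode run timed out" warning block to a file, shown as an added example that is not part of any message above: it parses combined clamscan stdout/stderr and lists the files reported just before and just after each warning block as candidates to rescan one at a time. The sample output is constructed from the lines quoted in the thread (directory shortened), and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = """\
/home/u/Maildir/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/u/Maildir/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/home/u/Maildir/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
"""

# Result lines end in ": OK", ": <name> FOUND" or ": <text> ERROR".
# Maildir names contain ':' themselves, so the path part is matched greedily.
RESULT = re.compile(r"^(?P<path>.+): (?P<status>OK|.+ FOUND|.+ ERROR)$")
TIMED_OUT = "Bytecode run timed out"
FAILED = re.compile(r"Byte?code (\d+) failed to run")  # log text reads "Bytcode"
MAILDIR_SIZE = re.compile(r",S=(\d+)")                 # S= is the message size

def _describe(path):
    """Return the path plus the size encoded in a Maildir file name, if any."""
    if path is None:
        return None
    m = MAILDIR_SIZE.search(path)
    return {"path": path, "size": int(m.group(1)) if m else None}

def timeout_candidates(output):
    """One entry per warning block: bytecode number and neighbouring files.

    The warning carries no file name, and the failing file may be the next
    one listed or not listed at all, so both neighbours are only candidates.
    """
    events, last_file, pending = [], None, None
    for line in output.splitlines():
        if line.startswith("LibClamAV Warning:"):
            if TIMED_OUT in line:
                pending = {"bytecode": None, "before": _describe(last_file),
                           "after": None}
                events.append(pending)
            elif pending is not None:
                m = FAILED.search(line)
                if m:
                    pending["bytecode"] = int(m.group(1))
            continue
        m = RESULT.match(line)
        if m:
            last_file = m.group("path")
            if pending is not None:  # first result after the warning block
                pending["after"] = _describe(last_file)
                pending = None
    return events

if __name__ == "__main__":
    for ev in timeout_candidates(SAMPLE):
        print(ev)
```

Rescanning each candidate on its own, without --infected so clean names are printed, confirms which file triggers the warning.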