That didn't work. I'll try w/o the {}. 

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-----Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was 
> discussed here, the entry needed to be followed by {} for some unknown 
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> > 
> > Are bytecodes individually blockable?
> > 
> > --Mark
> > 
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >> 
> >> FYI, the following were added by bytecode 306:
> >> 
> >>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>> 
> >>> I ran clamscan by hand on the files before and after the error, and it's the
> >>> file after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>> finally 600000 (10 minutes) and it fails for all these values, even though the
> >>> file itself is not that big (1.2M).
> >>> 
> >>> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
> >>> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
> >>> 2017; which is exactly when I started seeing this warning.  I did not get the
> >>> warning with version 305.
> >>> 
> >>> Is this a bug?
> >>> 
> >>> For now, I guess I'll just have to live with it.
> >>> 
> >>> Thanks, --Mark
> >>> 
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>> 
> >>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>> being reported as "OK". The file that failed might not even be listed, 
> >>>> having failed the scan, although I suppose it's possible for it to be 
> >>>> the next one shown.
> >>>> 
> >>>> It's my understanding that not all files receive a bytecode signature 
> >>>> scan, making it even more difficult to determine the problem file.
> >>>> 
> >>>> -Al-
> >>>> 
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>> 
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>> 
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>> 
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
> >>>>> It's not apparent from where the Warning message is issued what file is causing
> >>>>> the warning. The 12,657 byte file couldn't have been it and why would the
> >>>>> 1,266,193 size file cause the warning and not the more than twice-as-large file
> >>>>> immediately following? Also there are much larger files in this directory, up to
> >>>>> 21M, but this is the only warning issued.
> >>>>> 
> >>>>> --Mark
> >>>>> 
> >>>>> -----Original Message-----
> >>>>> From: Mark Foley <mfo...@novatec-inc.com>
> >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>> To: clamav-users@lists.clamav.net
> >>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>> 
> >>>>> OK, I'll turn that off and see what I get.
> >>>>> 
> >>>>> --Mark
> >>>>> 
> >>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan 
> >>>>> <smor...@sourcefire.com> wrote:
> >>>>>> 
> >>>>>> --infected suppresses the printing of clean file names.
> >>>>>> 
> >>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> 
> >>>>>> wrote:
> >>>>>> 
> >>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> >>>>>>> <smor...@sourcefire.com>
> >>>>>>> wrote:
> >>>>>>> My parameters are:
> >>>>>>> 
> >>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>> 
> >>>>>>> 
> >>>>>>> --Mark
> >>>>>>> 
> >>>>>>>> 
> >>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you
> >>>>>>> using?
> >>>>>>>> I am seeing file names by default.
> >>>>>>>> 
> >>>>>>>> Steve
> >>>>>>>> 
> >>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com>
> >>>>>>> wrote:
> >>>>>>>> 
> >>>>>>>>> It doesn't give any file names, even in the logfiles.  It happens 
> >>>>>>>>> when
> >>>>>>> I'm
> >>>>>>>>> running clamscan.
> >>>>>>>>> 
> >>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>>>>>> files).
> >>>>>>>>> 
> >>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>>>> increase it.
> >>>>>>>>> 
> >>>>>>>>> Thanks, --Mark
> >>>>>>>>> 
> >>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> >>>>>>> smor...@sourcefire.com>
> >>>>>>>>> wrote:
> >>>>>>>>>> 
> >>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >>>>>>> amount
> >>>>>>>>>> of processing.
> >>>>>>>>>> 
> >>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
> >>>>>>> bytecode
> >>>>>>>>>> signature may require attention.
> >>>>>>>>>> 
> >>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
> >>>>>>> clamscan
> >>>>>>>>>> and BytecodeTimeout for clamd.
> >>>>>>>>>> 
> >>>>>>>>>> Steve
> >>>>>>>>>> 
> >>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> >>>>>>>>>> <mfo...@novatec-inc.com>
> >>>>>>>>> wrote:
> >>>>>>>>>> 
> >>>>>>>>>>> What is this? It just started happening.
> >>>>>>>>>>> 
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> >>>>>>>>> flag set
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> >>>>>>>>> error!
> >>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>> 
> >>>>>>>>>>> Thanks, Mark
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > 
> > 
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > 
> > http://www.clamav.net/contact.html#ml
>
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
>
>
>
>
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
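
The thread's difficulty was telling which file a bytecode timeout belongs to when clamscan scans over 100,000 mail files. The following is an added example, not part of the thread or of ClamAV: it reads clamscan output captured with `2>&1` and without `--infected`, and for each timeout reports the file listed just before and just after the warning as the candidates to rescan by hand. The function name, the sample paths and the assumption that warnings and result lines are interleaved in scan order are mine.

```python
import re

# clamscan result lines: "<path>: OK", "<path>: <SigName> FOUND", "<path>: <reason> ERROR"
RESULT_RE = re.compile(r"^(?P<path>.+): (?:OK|.+ FOUND|.+ ERROR)$")
# The spelling "Bytcode" is copied from the warning text quoted in the thread.
FAILED_RE = re.compile(r"Bytcode (\d+) failed to run")

# Constructed sample: Maildir-style names, warnings merged into stdout via 2>&1.
SAMPLE = """\
/srv/mail/cur/1000000001.M1P1.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/srv/mail/cur/1000000002.M2P2.mail,S=1266193,W=1282921:2,S: OK
/srv/mail/cur/1000000003.M3P3.mail,S=3456056,W=3506158:2,S: OK
"""


def timeout_candidates(lines):
    """Return one dict per timeout: file listed before, file listed after, bytecode id."""
    events, last_file, pending = [], None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("LibClamAV Warning:"):
            if "Bytecode run timed out" in line:
                # A new timeout event opens; remember the last file already reported.
                pending = {"before": last_file, "after": None, "bytecode": None}
                events.append(pending)
            failed = FAILED_RE.search(line)
            if failed and pending is not None:
                pending["bytecode"] = int(failed.group(1))
            continue
        result = RESULT_RE.match(line)
        if result:
            if pending is not None:
                # First result line after the warning: the most likely culprit.
                pending["after"] = result.group("path")
                pending = None
            last_file = result.group("path")
    return events


if __name__ == "__main__":
    for ev in timeout_candidates(SAMPLE.splitlines()):
        print("bytecode", ev["bytecode"], "rescan:", ev["after"], "or", ev["before"])
```

If the scan ends right after a warning, `after` stays `None` and only the preceding file is known; each candidate can then be rescanned individually with clamscan to confirm.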
