It looks like this is the one that gives the "Bytecode run timed out" warning. I'm
trying the other two as well.

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}

Plus, there's a new bytecode exploit that seems to be giving me a lot of
positives: 

BC.Pdf.Exploit.CVE_2017_3032-6316401-6

I've put that (with the trailing '.{}') in the .ign2 file as well.

Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
I've found no documentation on this and, if not, I might be getting false
results.

--Mark

-----Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Thu, 27 Jul 2017 14:56:44 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

Yes, I was able to find the file as well.  I've used the syntax in the
/var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see
which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <r...@twister.dyndns.org> wrote:
>
> I have been noticing the same issue.  I found at least one file that was 
> causing the error, and was able to test with a single file, instead of 
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my 
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is 
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the 
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -----Original Message-----
> >> From: Mark Foley <mfo...@novatec-inc.com>
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was 
> >>> discussed here, the entry needed to be followed by {} for some unknown 
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and it's the file
> >>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>>>>> finally 600000 (10 minutes) and it fails for all these values, even though the
> >>>>>> file itself is not that big (1.2M).
> >>>>>>
> >>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
> >>>>>> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
> >>>>>> 2017; which is exactly when I started seeing this warning.  I did not get the
> >>>>>> warning with version 305.
> >>>>>>
> >>>>>> Is this a bug?
> >>>>>>
> >>>>>> For now, I guess I'll just have to live with it.
> >>>>>>
> >>>>>> Thanks, --Mark
> >>>>>>
> >>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>>>>> being reported as "OK". The file that failed might not even be 
> >>>>>>> listed, having failed the scan, although I suppose it's possible for 
> >>>>>>> it to be the next one shown.
> >>>>>>>
> >>>>>>> It's my understanding that not all files receive a bytecode signature 
> >>>>>>> scan, making it even more difficult to determine the problem file.
> >>>>>>>
> >>>>>>> -Al-
> >>>>>>>
> >>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>>>>
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>>>>>
> >>>>>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
> >>>>>>>> It's not apparent from where the Warning message is issued what file is causing
> >>>>>>>> the warning. The 12,657 byte file couldn't have been it and why would the
> >>>>>>>> 1,266,193 size file cause the warning and not the more than twice-as-large file
> >>>>>>>> immediately following? Also there are much larger files in this directory, up to
> >>>>>>>> 21M, but this is the only warning issued.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Mark Foley <mfo...@novatec-inc.com>
> >>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>>>>> To: clamav-users@lists.clamav.net
> >>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>>>>>
> >>>>>>>> OK, I'll turn that off and see what I get.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>> --infected suppresses the printing of clean file names.
> >>>>>>>>>
> >>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>> My parameters are:
> >>>>>>>>>>
> >>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected 
> >>>>>>>>>> --recursive \
> >>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --Mark
> >>>>>>>>>>
> >>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you using?
> >>>>>>>>>>> I am seeing file names by default.
> >>>>>>>>>>>
> >>>>>>>>>>> Steve
> >>>>>>>>>>>
> >>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>>>> It doesn't give any file names, even in the logfiles.  It happens when I'm
> >>>>>>>>>>>> running clamscan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>>>>>>> increase it.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks, --Mark
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> >>>>>>>>>>>>> of processing.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the bytecode
> >>>>>>>>>>>>> signature may require attention.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> >>>>>>>>>>>>> and BytecodeTimeout for clamd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Steve
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>>>>>> What is this? It just started happening.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, Mark
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
>
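Added example, not part of the thread or of ClamAV: a small parser for clamscan output captured without --infected (so clean file names are printed) that pairs each "failed to run" warning with the file reported just before it and just after it, plus a helper that writes one local.ign2 body per signature in the `name.{}` form used above for one-at-a-time testing. The sample log and its paths are constructed; the function names are hypothetical.

```python
import re

# Constructed sample modeled on the clamscan output quoted in the thread;
# the Maildir-style paths are placeholders, not files from the thread.
SAMPLE = """\
/srv/mail/cur/1500000001.M1P1.host,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/srv/mail/cur/1500000002.M2P2.host,S=1266193,W=1282921:2,S: OK
/srv/mail/cur/1500000003.M3P3.host,S=3456056,W=3506158:2,S: OK
"""

# Greedy path match so Maildir names containing ':' are kept whole.
RESULT = re.compile(r"^(?P<path>/.*): (?:OK|.* FOUND|.* ERROR)$")
# "Bytcode" is spelled this way in the warning text quoted in the thread.
FAILED = re.compile(r"^LibClamAV Warning: Bytcode (\d+) failed to run: (.+)$")

def timeout_candidates(log):
    """Return [(bytecode_number, file_before, file_after)] for each failure."""
    hits, prev, pending = [], None, []
    for line in log.splitlines():
        failed = FAILED.match(line)
        if failed:
            pending.append(int(failed.group(1)))
            continue
        result = RESULT.match(line)
        if result:
            # The next result line closes every warning seen since the last one.
            hits.extend((bc, prev, result.group("path")) for bc in pending)
            pending = []
            prev = result.group("path")
    # A warning with no later result line has no "after" candidate.
    hits.extend((bc, prev, None) for bc in pending)
    return hits

def ign2_trials(signatures):
    """Map each signature name to a local.ign2 body that ignores only it."""
    return {name: name + ".{}\n" for name in signatures}

if __name__ == "__main__":
    for bc, before, after in timeout_candidates(SAMPLE):
        print(f"bytecode {bc}: rescan individually -> {after!r} (or {before!r})")
```

Rescan each candidate file on its own with one trial body in place at a time; the signature whose ignore entry makes the warning disappear is the one timing out.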