It looks like this one that gives the "Bytecode run timed out" warning. I'm trying the other two as well.
BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}

Plus, there's a new bytecode exploit that seems to be giving me a lot of
positives:

BC.Pdf.Exploit.CVE_2017_3032-6316401-6

I've put that (with the trailing '.{}') in the .ign2 file as well.

Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
I've found no documentation on this and, if not, I might be getting false
results.

--Mark

-----Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Thu, 27 Jul 2017 14:56:44 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

Yes, I was able to find the file as well. I've used the syntax in the
/var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see
which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <r...@twister.dyndns.org> wrote;
>
> I have been noticing the same issue. I found at least one file that was
> causing the error, and was able to test with a single file, instead of
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -----Original Message-----
> >> From: Mark Foley <mfo...@novatec-inc.com>
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was
> >>> discussed here, the entry needed to be followed by {} for some unknown
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and
> >>>>>> it's the file after the error. I've bumped the --bytecode-timeout to
> >>>>>> 120000, 180000 and finally 600000 (10 minutes) and it fails for all
> >>>>>> these values, even though the file itself is not that big (1.2M).
> >>>>>>
> >>>>>> This is a pretty recent phenomenon. Perhaps something introduced in a
> >>>>>> recent update. I received bytecode.cld version 306 in freshclam
> >>>>>> starting on July 16, 2017; which is exactly when I started seeing this
> >>>>>> warning. I did not get the warning with version 305.
> >>>>>>
> >>>>>> Is this a bug?
> >>>>>>
> >>>>>> For now, I guess I'll just have to live with it.
> >>>>>>
> >>>>>> Thanks, --Mark
> >>>>>>
> >>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>>>> It's almost certainly a file that follows S=12386 since that one is
> >>>>>>> being reported as "OK". The file that failed might not even be
> >>>>>>> listed, having failed the scan, although I suppose it's possible for
> >>>>>>> it to be the next one shown.
> >>>>>>>
> >>>>>>> It's my understanding that not all files receive a bytecode signature
> >>>>>>> scan, making it even more difficult to determine the problem file.
> >>>>>>>
> >>>>>>> -Al-
> >>>>>>>
> >>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>>>>
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>>>>>
> >>>>>>>> These are Maildir format files. The "S=12386" part is in fact the
> >>>>>>>> file size. It's not apparent from where the Warning message is issued
> >>>>>>>> what file is causing the warning. The 12,657 byte file couldn't have
> >>>>>>>> been it and why would the 1,266,193 size file cause the warning and
> >>>>>>>> not the more than twice-as-large file immediately following? Also
> >>>>>>>> there are much larger files in this directory, up to 21M, but this is
> >>>>>>>> the only warning issued.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Mark Foley <mfo...@novatec-inc.com>
> >>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>>>>> To: clamav-users@lists.clamav.net
> >>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>>>>>
> >>>>>>>> OK, I'll turn that off and see what I get.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>> --infected suppresses the printing of clean file names.
> >>>>>>>>>
> >>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>> My parameters are:
> >>>>>>>>>>
> >>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --Mark
> >>>>>>>>>>
> >>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you using?
> >>>>>>>>>>> I am seeing file names by default.
> >>>>>>>>>>>
> >>>>>>>>>>> Steve
> >>>>>>>>>>>
> >>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>>>> It doesn't give any file names, even in the logfiles. It happens when I'm
> >>>>>>>>>>>> running clamscan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>>>>>>> increase it.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks, --Mark
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> >>>>>>>>>>>>> of processing.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the bytecode
> >>>>>>>>>>>>> signature may require attention.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> >>>>>>>>>>>>> and BytecodeTimeout for clamd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Steve
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >>>>>>>>>>>>>> What is this? I just started happening.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, Mark
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
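
Added example, not part of the original thread or of ClamAV: a parser for clamscan output captured without --infected that pairs each bytecode timeout warning with the result lines printed just before and after it, the two candidates the thread narrows the problem file down to. The function name, the paths and the sample lines are constructed for illustration.

```python
import re

# clamscan prints "<path>: <status>" for every file when --infected is not set.
RESULT_RE = re.compile(r"^(?P<path>/.*): (?:OK|.* FOUND|.* ERROR)$")
# The thread's log lines spell it "Bytcode"; accept "Bytecode" as well.
TIMEOUT_RE = re.compile(
    r"^LibClamAV Warning: Byte?code (?P<id>\d+) failed to run: Time limit reached$")

def timeout_candidates(lines):
    """Pair each bytecode timeout with the result lines printed around it."""
    events, pending, last_path = [], [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        hit = TIMEOUT_RE.match(line)
        if hit:
            event = {"bytecode": int(hit.group("id")),
                     "before": last_path, "after": None}
            events.append(event)
            pending.append(event)
            continue
        hit = RESULT_RE.match(line)
        if hit:
            # Assumption taken from the thread: warnings are printed ahead of
            # the result line of the file that was being scanned.
            for event in pending:
                event["after"] = hit.group("path")
            pending.clear()
            last_path = hit.group("path")
    return events

# Constructed sample output (hypothetical paths, Maildir-style names).
SAMPLE = """\
/srv/mail/cur/1424057307.M1P1.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/srv/mail/cur/1424057400.M2P1.mail,S=1266193,W=1282921:2,S: OK
/srv/mail/cur/1490619717.M3P1.mail,S=3456056,W=3506158:2,S: OK
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
""".splitlines()

if __name__ == "__main__":
    for ev in timeout_candidates(SAMPLE):
        print(f"bytecode {ev['bytecode']}: rescan {ev['after'] or ev['before']}")
```

Each reported path can then be rescanned on its own, as described in the thread, while entries in local.ign2 are toggled one at a time.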