Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-21 Thread Ralf Hildebrandt via clamav-users
* Micah Snyder (micasnyd) :

> There are 3 bytecode rules for detecting CVE's that seem to take a
> rather long time to run, particularly as the file grows in size.  I'm
> discussing with our threat research team if we can remove them as
> CVE's are old enough that no one should reasonably still be affected
> by the vulnerabilities.
> 
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.

MaxFileSize 100M
MaxScanSize 200M
MaxScanTime 12

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-20 Thread Micah Snyder (micasnyd) via clamav-users
Hi Ralf,

There are 3 bytecode rules for detecting CVE's that seem to take a rather long 
time to run, particularly as the file grows in size.  I'm discussing with our 
threat research team if we can remove them as CVE's are old enough that no one 
should reasonably still be affected by the vulnerabilities.

I am curious though - what are your MaxFileSize / MaxScanSize settings? I 
wonder if you're seeing timeouts with the default settings or if you increased 
them.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Ralf 
Hildebrandt via clamav-users 
Sent: Tuesday, February 20, 2024 9:36 AM
To: clamav-users@lists.clamav.net 
Cc: Ralf Hildebrandt 
Subject: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

In yesterdays logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run 
timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 
'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded 
time limit

is this a bad Bytecode rule?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Bytecode run timed out

2017-07-31 Thread Al Varnell
Note that the bytecode - 308 update just dropped the following:

> Dropped Detection Signatures:
> 
>* BC.Win.Packer.LizardNest-5588995-3
> 
>* BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> 
>* BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> 
>* BC.Pdf.Exploit.CVE_2017_3032-6316401-6

-Al-

On Fri, Jul 28, 2017 at 01:38 AM, Al Varnell wrote:
> 
> On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
>> 
>> It looks like this one that gives the "Bytecode run timed out" warning. I'm
>> trying the other two as well.
>> 
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>> 
>> Plus, there's a new bytecode exploit that seems to be giving me a lot of
>> positives: 
>> 
>> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
>> 
>> I've put that (with the trailing '.{}') in the .ign2 file as well.
>> 
>> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
>> I've found no documentation on this and, if not, I might be getting false
>> results.
> 
> That has not worked for me in the past.  If there is a way to comment out 
> signature lines, I've not discovered it.
> 
> -Al-
> 
>> --Mark
>> 
>> -Original Message-
>> From: Mark Foley 
>> Date: Thu, 27 Jul 2017 14:56:44 -0400
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Bytecode run timed out
>> 
>> Yes, I was able to find the file as well.  I've used the syntax in the
>> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
>> 
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>> 
>> and that worked to block the warning. Now I will test each one in turn to see
>> which bytecode is causing the message.
>> 
>> --Mark
>> 
>> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind  
>> wrote;
>>> 
>>> I have been noticing the same issue.  I found at least one file that was 
>>> causing the error, and was able to test with a single file, instead of 
>>> having to virus scan an entire directory tree to test.
>>> 
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>>> 
>>> This worked for me:
>>> 
>>> # cat /var/lib/clamav/local.ign2
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> 
>>> The problem file was the one listed under the JIT error messages, in my 
>>> case, it was a pdf file that caused it.
>>> 
>>> - Fred
>>> 
>>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>>> That's the correct place to put the file.
>>>> 
>>>> I suspect you'll want to try one at a time to nail down which signature is 
>>>> causing the problem.
>>>> 
>>>> Checking back I see there was a period rather than a space between the 
>>>> signature name and the brackets, so:
>>>> 
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>>> 
>>>> -Al-
>>>> 
>>>> 
>>>> On Jul 22, 2017, at 1:45 PM, Mark Foley  wrote:
>>>> 
>>>>> That didn't work. I'll try w/o the {}.
>>>>> 
>>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> -Original Message-
>>>>> From: Mark Foley 
>>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>>> To: clamav-users@lists.clamav.net
>>>>> 
>>>>> So, like this?
>>>>> 
>>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
>>>>>> Yes, they can be added to a local .ign2 file, but the last time it was 
>>>>>> discussed here, the entry needed to be followed by {} for some unknown 
>>>>>> reason, to make it work.
&

Re: [clamav-users] Bytecode run timed out

2017-07-28 Thread Al Varnell
On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
> 
> It looks like this one that gives the "Bytecode run timed out" warning. I'm
> trying the other two as well.
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> 
> Plus, there's a new bytecode exploit that seems to be giving me a lot of
> positives: 
> 
> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
> 
> I've put that (with the trailing '.{}') in the .ign2 file as well.
> 
> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
> I've found no documentation on this and, if not, I might be getting false
> results.

That has not worked for me in the past.  If there is a way to comment out 
signature lines, I've not discovered it.

-Al-

> --Mark
> 
> -Original Message-----
> From: Mark Foley 
> Date: Thu, 27 Jul 2017 14:56:44 -0400
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Bytecode run timed out
> 
> Yes, I was able to find the file as well.  I've used the syntax in the
> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> 
> and that worked to block the warning. Now I will test each one in turn to see
> which bytecode is causing the message.
> 
> --Mark
> 
> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind  
> wrote;
>> 
>> I have been noticing the same issue.  I found at least one file that was 
>> causing the error, and was able to test with a single file, instead of 
>> having to virus scan an entire directory tree to test.
>> 
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>> 
>> This worked for me:
>> 
>> # cat /var/lib/clamav/local.ign2
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>> 
>> The problem file was the one listed under the JIT error messages, in my 
>> case, it was a pdf file that caused it.
>> 
>> - Fred
>> 
>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>> That's the correct place to put the file.
>>> 
>>> I suspect you'll want to try one at a time to nail down which signature is 
>>> causing the problem.
>>> 
>>> Checking back I see there was a period rather than a space between the 
>>> signature name and the brackets, so:
>>> 
>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>> 
>>> -Al-
>>> 
>>> 
>>> On Jul 22, 2017, at 1:45 PM, Mark Foley  wrote:
>>> 
>>>> That didn't work. I'll try w/o the {}.
>>>> 
>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>> 
>>>> --Mark
>>>> 
>>>> -Original Message-
>>>> From: Mark Foley 
>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>> To: clamav-users@lists.clamav.net
>>>> 
>>>> So, like this?
>>>> 
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>> 
>>>> --Mark
>>>> 
>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
>>>>> Yes, they can be added to a local .ign2 file, but the last time it was 
>>>>> discussed here, the entry needed to be followed by {} for some unknown 
>>>>> reason, to make it work.
>>>>> 
>>>>> -Al-
>>>>> 
>>>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>>>> Are bytecodes individually blockable?
>>>>>> 
>>>>>> --Mark
>>>>>> 
>>>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
>>>>>>> FYI, the following were added by bytecode 306:
>>>>>>> 
>>>>>>>  * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>>>>  * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>>>>  * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>>> 
>>>>>>> -Al-
>>>>>>> 
>>>>>>

Re: [clamav-users] Bytecode run timed out

2017-07-28 Thread Mark Foley
It looks like this one that gives the "Bytecode run timed out" warning. I'm
trying the other two as well.

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}

Plus, there's a new bytecode exploit that seems to be giving me a lot of
positives: 

BC.Pdf.Exploit.CVE_2017_3032-6316401-6

I've put that (with the trailing '.{}') in the .ign2 file as well.

Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
I've found no documentation on this and, if not, I might be getting false
results.

--Mark

-Original Message-
From: Mark Foley 
Date: Thu, 27 Jul 2017 14:56:44 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

Yes, I was able to find the file as well.  I've used the syntax in the
/var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see
which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind  
wrote;
>
> I have been noticing the same issue.  I found at least one file that was 
> causing the error, and was able to test with a single file, instead of 
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my 
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is 
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the 
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley  wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -Original Message-
> >> From: Mark Foley 
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was 
> >>> discussed here, the entry needed to be followed by {} for some unknown 
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and 
> >>>>>> it's the file
> >>>>>> after the error.  I've bumped the --bytecode-timeout to 12, 18 
> >>>>>> and
> >>>>>> finally 60 (10 minutes) and it fails for all these values, even 
> >>>>>> though the
> >>>>>> file itself is not that big (1.2M).
> >>>>>>
> >>>>>> This is a pretty recent ph

Re: [clamav-users] Bytecode run timed out

2017-07-27 Thread Mark Foley
ri, 21 Jul 2017 16:51:33 -0700 Al Varnell  
> >>>>>> wrote:
> >>>>>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>>>>> being reported as "OK". The file that failed might not even be 
> >>>>>>> listed, having failed the scan, although I suppose it's possible for 
> >>>>>>> it to be the next one shown.
> >>>>>>>
> >>>>>>> It's my understanding that not all files receive a bytecode signature 
> >>>>>>> scan, making it even more difficult to determine the problem file.
> >>>>>>>
> >>>>>>> -Al-
> >>>>>>>
> >>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>>>>
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>>>>>>  OK
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout 
> >>>>>>>> flag set
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime 
> >>>>>>>> error!
> >>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>>>>>>  OK
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>>>>>>  OK
> >>>>>>>>
> >>>>>>>> These are Maildir format files. The "S=12386" part is in fact the 
> >>>>>>>> file size.
> >>>>>>>> It's not apparent from where the Warning message is issues what file 
> >>>>>>>> is causing
> >>>>>>>> the warning. The 12,657 byte file couldn't have been it and why 
> >>>>>>>> would the
> >>>>>>>> 1,266,193 size file cause the warning and not the more that 
> >>>>>>>> twice-as-large file
> >>>>>>>> immediately following? Also there are much larger files in this 
> >>>>>>>> directory, up to
> >>>>>>>> 21M, but this is the only warning issued.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> -Original Message-
> >>>>>>>> From: Mark Foley 
> >>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>>>>> To: clamav-users@lists.clamav.net
> >>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>>>>>
> >>>>>>>> OK, I'll turn that off and see what I get.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan 
> >>>>>>>>  wrote:
> >>>>>>>>> --infected suppresses the printing of clean file names.
> >>>>>>>>>
> >>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley 
> >>>>>>>>>  wrote:
> >>>>>>>>>
> >>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> >>>>>>>>>> 
> >>>>>>>>>> wrote:
> >>>>>>>>>> My parameters are:
> >>>>>>>>>>
> >>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected 
> >>>>>>>>>> --recursive \
> >>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --Mark
> >>>>>>>>>>
> >>>>>>>>>>> The default is 6 milliseconds. What clamscan parameters are 
> >>>>>>>>>>> you
> >>>>>>>>>> using?
> >>>>>>>>>>> I am seeing file names by default.
> >>>>>>>>>>>
> >>>>>>>>>>> Steve
> >>>>>>>>>>>
> >>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
> >>>>>>>>>>> 
> >>>>>>>>>> wrote:
> >>>>>>>>>>>> It doesn't give any file names, even in the logfiles.  It 
> >>>>>>>>>>>> happens when
> >>>>>>>>>> I'm
> >>>>>>>>>>>> running clamscan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>>>>>>>>> files).
> >>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again 
> >>>>>>>>>>>> I'll
> >>>>>>>>>>>> increase it.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks, --Mark
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> >>>>>>>>>> smor...@sourcefire.com>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit 
> >>>>>>>>>>>>> the
> >>>>>>>>>> amount
> >>>>>>>>>>>>> of processing.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
> >>>>>>>>>> bytecode
> >>>>>>>>>>>>> signature may require attention.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
> >>>>>>>>>> clamscan
> >>>>>>>>>>>>> and BytecodeTimeout for clamd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Steve
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> >>>>>>>>>>>>> 
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>> What is this? I just started happening.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, 
> >>>>>>>>>>>>>> timeout
> >>>>>>>>>>>> flag set
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted 
> >>>>>>>>>>>>>> runtime
> >>>>>>>>>>>> error!
> >>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, Mark
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
>
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-27 Thread Fred Wittekind
I have been noticing the same issue.  I found at least one file that was 
causing the error, and was able to test with a single file, instead of 
having to virus scan an entire directory tree to test.


LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached

This worked for me:

# cat /var/lib/clamav/local.ign2
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}

The problem file was the one listed under the JIT error messages, in my 
case, it was a pdf file that caused it.


- Fred

On 7/22/2017 6:56 PM, Al Varnell wrote:

That's the correct place to put the file.

I suspect you'll want to try one at a time to nail down which signature is 
causing the problem.

Checking back I see there was a period rather than a space between the 
signature name and the brackets, so:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

-Al-


On Jul 22, 2017, at 1:45 PM, Mark Foley  wrote:


That didn't work. I'll try w/o the {}.

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-Original Message-
From: Mark Foley 
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:

Yes, they can be added to a local .ign2 file, but the last time it was 
discussed here, the entry needed to be followed by {} for some unknown reason, 
to make it work.

-Al-

On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:

Are bytecodes individually blockable?

--Mark

On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:

FYI, the following were added by bytecode 306:

  * BC.Multios.Exploit.CVE_2017_2816-6329916-0
  * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
  * BC.Pdf.Exploit.CVE_2017_2862-6331914-0

-Al-

On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:

I ran clamscan by hand on the files before and after the error, and it's the 
file
after the error.  I've bumped the --bytecode-timeout to 12, 18 and
finally 60 (10 minutes) and it fails for all these values, even though the
file itself is not that big (1.2M).

This is a pretty recent phenomenon.  Perhaps something introduced in a recent
update.  I received bytecode.cld version 306 in freshclam starting on July 16,
2017; which is exactly when I started seeing this warning.  I did not get the
warning with version 305.

Is this a bug?

For now, I guess I'll just have to live with it.

Thanks, --Mark

On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:

It's almost certainly a file that follows S=12386 since that one is being reported as 
"OK". The file that failed might not even be listed, having failed the scan, 
although I suppose it's possible for it to be the next one shown.

It's my understanding that not all files receive a bytecode signature scan, 
making it even more difficult to determine the problem file.

-Al-

On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:

Here's the partial output from clamscan w/o the --infected option:

/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
 OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
 OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
 OK

These are Maildir format files. The "S=12386" part is in fact the file size.
It's not apparent from where the Warning message is issues what file is causing
the warning. The 12,657 byte file couldn't have been it and why would the
1,266,193 size file cause the warning and not the more that twice-as-large file
immediately following? Also there are much larger files in this directory, up to
21M, but this is the only warning issued.

--Mark

-Original Message-
From: Mark Foley 
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  wrote:

--infected suppresses the printing of clean file names.

On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:


On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
wrote:
My parameters are:

clamscan -a --detec

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Al Varnell
That's the correct place to put the file.

I suspect you'll want to try one at a time to nail down which signature is 
causing the problem.

Checking back I see there was a period rather than a space between the 
signature name and the brackets, so:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

-Al-


On Jul 22, 2017, at 1:45 PM, Mark Foley  wrote:

> That didn't work. I'll try w/o the {}. 
> 
> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> 
> --Mark
> 
> -Original Message-
> From: Mark Foley 
> Date: Sat, 22 Jul 2017 11:08:28 -0400
> To: clamav-users@lists.clamav.net
> 
> So, like this?
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> 
> --Mark
> 
> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
>> Yes, they can be added to a local .ign2 file, but the last time it was 
>> discussed here, the entry needed to be followed by {} for some unknown 
>> reason, to make it work.
>> 
>> -Al-
>> 
>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>> 
>>> Are bytecodes individually blockable?
>>> 
>>> --Mark
>>> 
>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
>>>> 
>>>> FYI, the following were added by bytecode 306:
>>>> 
>>>>  * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>  * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>  * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>> 
>>>> -Al-
>>>> 
>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>> 
>>>>> I ran clamscan by hand on the files before and after the error, and it's 
>>>>> the file
>>>>> after the error.  I've bumped the --bytecode-timeout to 12, 18 and
>>>>> finally 60 (10 minutes) and it fails for all these values, even 
>>>>> though the
>>>>> file itself is not that big (1.2M). 
>>>>> 
>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
>>>>> recent
>>>>> update.  I received bytecode.cld version 306 in freshclam starting on 
>>>>> July 16,
>>>>> 2017; which is exactly when I started seeing this warning.  I did not get 
>>>>> the
>>>>> warning with version 305. 
>>>>> 
>>>>> Is this a bug?
>>>>> 
>>>>> For now, I guess I'll just have to live with it.
>>>>> 
>>>>> Thanks, --Mark
>>>>> 
>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
>>>>>> 
>>>>>> It's almost certainly a file that follows S=12386 since that one is 
>>>>>> being reported as "OK". The file that failed might not even be listed, 
>>>>>> having failed the scan, although I suppose it's possible for it to be 
>>>>>> the next one shown.
>>>>>> 
>>>>>> It's my understanding that not all files receive a bytecode signature 
>>>>>> scan, making it even more difficult to determine the problem file.
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>> 
>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>> 
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
>>>>>>>  OK
>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
>>>>>>> set
>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
>>>>>>>  OK
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
>>>>>>>  OK
>>>>>>> 
>>>>>>> These are Maildir for

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
That didn't work. I'll try w/o the {}. 

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-Original Message-
From: Mark Foley 
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was 
> discussed here, the entry needed to be followed by {} for some unknown 
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> > 
> > Are bytecodes individually blockable?
> > 
> > --Mark
> > 
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
> >> 
> >> FYI, the following were added by bytecode 306:
> >> 
> >>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>> 
> >>> I ran clamscan by hand on the files before and after the error, and it's 
> >>> the file
> >>> after the error.  I've bumped the --bytecode-timeout to 12, 18 and
> >>> finally 60 (10 minutes) and it fails for all these values, even 
> >>> though the
> >>> file itself is not that big (1.2M). 
> >>> 
> >>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
> >>> recent
> >>> update.  I received bytecode.cld version 306 in freshclam starting on 
> >>> July 16,
> >>> 2017; which is exactly when I started seeing this warning.  I did not get 
> >>> the
> >>> warning with version 305. 
> >>> 
> >>> Is this a bug?
> >>> 
> >>> For now, I guess I'll just have to live with it.
> >>> 
> >>> Thanks, --Mark
> >>> 
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
> >>>> 
> >>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>> being reported as "OK". The file that failed might not even be listed, 
> >>>> having failed the scan, although I suppose it's possible for it to be 
> >>>> the next one shown.
> >>>> 
> >>>> It's my understanding that not all files receive a bytecode signature 
> >>>> scan, making it even more difficult to determine the problem file.
> >>>> 
> >>>> -Al-
> >>>> 
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>> 
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>> 
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>>>  OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>>>> set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>>>  OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>>>  OK
> >>>>> 
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>>>> size.
> >>>>> It's not apparent from where the Warning message is issues what file is 
> >>>>> causing
> >>>>> the warning. The 12,657 byte file couldn't have been it and why would 
> >>>>> the
> >>>>> 1,266,193 size file cause the warning and not the more that 
> >>>>> twice-as-large file
> >>>>> immediately following? Also there are much larger files in this 
> >>>>> directory, up to
> >>>>> 21M, but this is the only warning issued.
> >>>>> 
> >>>>> --Mark
> >>>>

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell  wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was 
> discussed here, the entry needed to be followed by {} for some unknown 
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> > 
> > Are bytecodes individually blockable?
> > 
> > --Mark
> > 
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
> >> 
> >> FYI, the following were added by bytecode 306:
> >> 
> >>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>> 
> >>> I ran clamscan by hand on the files before and after the error, and it's 
> >>> the file
> >>> after the error.  I've bumped the --bytecode-timeout to 12, 18 and
> >>> finally 60 (10 minutes) and it fails for all these values, even 
> >>> though the
> >>> file itself is not that big (1.2M). 
> >>> 
> >>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
> >>> recent
> >>> update.  I received bytecode.cld version 306 in freshclam starting on 
> >>> July 16,
> >>> 2017; which is exactly when I started seeing this warning.  I did not get 
> >>> the
> >>> warning with version 305. 
> >>> 
> >>> Is this a bug?
> >>> 
> >>> For now, I guess I'll just have to live with it.
> >>> 
> >>> Thanks, --Mark
> >>> 
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
> >>>> 
> >>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>> being reported as "OK". The file that failed might not even be listed, 
> >>>> having failed the scan, although I suppose it's possible for it to be 
> >>>> the next one shown.
> >>>> 
> >>>> It's my understanding that not all files receive a bytecode signature 
> >>>> scan, making it even more difficult to determine the problem file.
> >>>> 
> >>>> -Al-
> >>>> 
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>> 
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>> 
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>>>  OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>>>> set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>>>  OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>>>  OK
> >>>>> 
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>>>> size.
> >>>>> It's not apparent from where the Warning message is issues what file is 
> >>>>> causing
> >>>>> the warning. The 12,657 byte file couldn't have been it and why would 
> >>>>> the
> >>>>> 1,266,193 size file cause the warning and not the more that 
> >>>>> twice-as-large file
> >>>>> immediately following? Also there are much larger files in this 
> >>>>> directory, up to
> >>>>> 21M, but this is the only warning issued.
> >>>>> 
> >>>>> --Mark
> >>>>> 
> >>>>> -Original Message-
> >>>>> From: Mark Foley 
> >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>> To: clamav-users@lists.clamav.net
&

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Al Varnell
Yes, they can be added to a local .ign2 file, but the last time it was 
discussed here, the entry needed to be followed by {} for some unknown reason, 
to make it work.

-Al-

On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> 
> Are bytecodes individually blockable?
> 
> --Mark
> 
> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
>> 
>> FYI, the following were added by bytecode 306:
>> 
>>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>> 
>> -Al-
>> 
>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>> 
>>> I ran clamscan by hand on the files before and after the error, and it's 
>>> the file
>>> after the error.  I've bumped the --bytecode-timeout to 12, 18 and
>>> finally 60 (10 minutes) and it fails for all these values, even though 
>>> the
>>> file itself is not that big (1.2M). 
>>> 
>>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
>>> recent
>>> update.  I received bytecode.cld version 306 in freshclam starting on July 
>>> 16,
>>> 2017; which is exactly when I started seeing this warning.  I did not get 
>>> the
>>> warning with version 305. 
>>> 
>>> Is this a bug?
>>> 
>>> For now, I guess I'll just have to live with it.
>>> 
>>> Thanks, --Mark
>>> 
>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
>>>> 
>>>> It's almost certainly a file that follows S=12386 since that one is being 
>>>> reported as "OK". The file that failed might not even be listed, having 
>>>> failed the scan, although I suppose it's possible for it to be the next 
>>>> one shown.
>>>> 
>>>> It's my understanding that not all files receive a bytecode signature 
>>>> scan, making it even more difficult to determine the problem file.
>>>> 
>>>> -Al-
>>>> 
>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>> 
>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>> 
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
>>>>>  OK
>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
>>>>> set
>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
>>>>>  OK
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
>>>>>  OK
>>>>> 
>>>>> These are Maildir format files. The "S=12386" part is in fact the file 
>>>>> size.
>>>>> It's not apparent from where the Warning message is issues what file is 
>>>>> causing
>>>>> the warning. The 12,657 byte file couldn't have been it and why would the
>>>>> 1,266,193 size file cause the warning and not the more that 
>>>>> twice-as-large file
>>>>> immediately following? Also there are much larger files in this 
>>>>> directory, up to
>>>>> 21M, but this is the only warning issued.
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> -Original Message-
>>>>> From: Mark Foley 
>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>> To: clamav-users@lists.clamav.net
>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>> 
>>>>> OK, I'll turn that off and see what I get.
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  
>>>>> wrote:
>>>>>> 
>>>>>> --infected suppresses the printing of clean file names.
>>>>>> 
>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  
>>>>>> wrote:
>>>>>> 
>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
>>>>>

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
Are bytecodes individually blockable?

--Mark

On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell  wrote:
>
> FYI, the following were added by bytecode 306:
>
>* BC.Multios.Exploit.CVE_2017_2816-6329916-0
>* BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>* BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> > 
> > I ran clamscan by hand on the files before and after the error, and it's 
> > the file
> > after the error.  I've bumped the --bytecode-timeout to 12, 18 and
> > finally 60 (10 minutes) and it fails for all these values, even though 
> > the
> > file itself is not that big (1.2M). 
> > 
> > This is a pretty recent phenomenon.  Perhaps something introduced in a 
> > recent
> > update.  I received bytecode.cld version 306 in freshclam starting on July 
> > 16,
> > 2017; which is exactly when I started seeing this warning.  I did not get 
> > the
> > warning with version 305. 
> > 
> > Is this a bug?
> > 
> > For now, I guess I'll just have to live with it.
> > 
> > Thanks, --Mark
> > 
> > On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
> >> 
> >> It's almost certainly a file that follows S=12386 since that one is being 
> >> reported as "OK". The file that failed might not even be listed, having 
> >> failed the scan, although I suppose it's possible for it to be the next 
> >> one shown.
> >> 
> >> It's my understanding that not all files receive a bytecode signature 
> >> scan, making it even more difficult to determine the problem file.
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>> 
> >>> Here's the partial output from clamscan w/o the --infected option:
> >>> 
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>  OK
> >>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>> set
> >>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>  OK
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>  OK
> >>> 
> >>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>> size.
> >>> It's not apparent from where the Warning message is issues what file is 
> >>> causing
> >>> the warning. The 12,657 byte file couldn't have been it and why would the
> >>> 1,266,193 size file cause the warning and not the more that 
> >>> twice-as-large file
> >>> immediately following? Also there are much larger files in this 
> >>> directory, up to
> >>> 21M, but this is the only warning issued.
> >>> 
> >>> --Mark
> >>> 
> >>> -Original Message-
> >>> From: Mark Foley 
> >>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>> To: clamav-users@lists.clamav.net
> >>> Subject: Re: [clamav-users] Bytecode run timed out
> >>> 
> >>> OK, I'll turn that off and see what I get.
> >>> 
> >>> --Mark
> >>> 
> >>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  
> >>> wrote:
> >>>> 
> >>>> --infected suppresses the printing of clean file names.
> >>>> 
> >>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  
> >>>> wrote:
> >>>> 
> >>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> >>>>> 
> >>>>> wrote:
> >>>>> My parameters are:
> >>>>> 
> >>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected 
> >>>>> --recursive \
> >>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>> 
> >>>>> 
> >>>>> --Mark
> >>>>> 
> >>>>>> 
> >>>>>> The default is 6 milliseconds. What clamscan paramet

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Al Varnell
FYI, the following were added by bytecode 306:

   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0

-Al-

On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> 
> I ran clamscan by hand on the files before and after the error, and it's the 
> file
> after the error.  I've bumped the --bytecode-timeout to 12, 18 and
> finally 60 (10 minutes) and it fails for all these values, even though the
> file itself is not that big (1.2M). 
> 
> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
> 2017; which is exactly when I started seeing this warning.  I did not get the
> warning with version 305. 
> 
> Is this a bug?
> 
> For now, I guess I'll just have to live with it.
> 
> Thanks, --Mark
> 
> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
>> 
>> It's almost certainly a file that follows S=12386 since that one is being 
>> reported as "OK". The file that failed might not even be listed, having 
>> failed the scan, although I suppose it's possible for it to be the next one 
>> shown.
>> 
>> It's my understanding that not all files receive a bytecode signature scan, 
>> making it even more difficult to determine the problem file.
>> 
>> -Al-
>> 
>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>> 
>>> Here's the partial output from clamscan w/o the --infected option:
>>> 
>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
>>>  OK
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
>>>  OK
>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
>>>  OK
>>> 
>>> These are Maildir format files. The "S=12386" part is in fact the file size.
>>> It's not apparent from where the Warning message is issues what file is 
>>> causing
>>> the warning. The 12,657 byte file couldn't have been it and why would the
>>> 1,266,193 size file cause the warning and not the more that twice-as-large 
>>> file
>>> immediately following? Also there are much larger files in this directory, 
>>> up to
>>> 21M, but this is the only warning issued.
>>> 
>>> --Mark
>>> 
>>> -Original Message-
>>> From: Mark Foley 
>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>> To: clamav-users@lists.clamav.net
>>> Subject: Re: [clamav-users] Bytecode run timed out
>>> 
>>> OK, I'll turn that off and see what I get.
>>> 
>>> --Mark
>>> 
>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  
>>> wrote:
>>>> 
>>>> --infected suppresses the printing of clean file names.
>>>> 
>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:
>>>> 
>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
>>>>> wrote:
>>>>> My parameters are:
>>>>> 
>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive 
>>>>> \
>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>> 
>>>>> 
>>>>> --Mark
>>>>> 
>>>>>> 
>>>>>> The default is 6 milliseconds. What clamscan parameters are you
>>>>> using?
>>>>>> I am seeing file names by default.
>>>>>> 
>>>>>> Steve
>>>>>> 
>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
>>>>> wrote:
>>>>>> 
>>>>>>> It doesn't give any file names, even in the logfiles.  It happens when
>>>>> I'm
>>>>>>> running clamscan.
>>>>>>> 
>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>>>> files).
>>>>>>> 
>>>>>>> What is th

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
I ran clamscan by hand on the files before and after the error, and it's the 
file
after the error.  I've bumped the --bytecode-timeout to 12, 18 and
finally 60 (10 minutes) and it fails for all these values, even though the
file itself is not that big (1.2M). 

This is a pretty recent phenomenon.  Perhaps something introduced in a recent
update.  I received bytecode.cld version 306 in freshclam starting on July 16,
2017; which is exactly when I started seeing this warning.  I did not get the
warning with version 305. 

Is this a bug?

For now, I guess I'll just have to live with it.

Thanks, --Mark

On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell  wrote:
>
> It's almost certainly a file that follows S=12386 since that one is being 
> reported as "OK". The file that failed might not even be listed, having 
> failed the scan, although I suppose it's possible for it to be the next one 
> shown.
>
> It's my understanding that not all files receive a bytecode signature scan, 
> making it even more difficult to determine the problem file.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> > 
> > Here's the partial output from clamscan w/o the --infected option:
> > 
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >  OK
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >  OK
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >  OK
> > 
> > These are Maildir format files. The "S=12386" part is in fact the file size.
> > It's not apparent from where the Warning message is issues what file is 
> > causing
> > the warning. The 12,657 byte file couldn't have been it and why would the
> > 1,266,193 size file cause the warning and not the more that twice-as-large 
> > file
> > immediately following? Also there are much larger files in this directory, 
> > up to
> > 21M, but this is the only warning issued.
> > 
> > --Mark
> > 
> > -Original Message-
> > From: Mark Foley 
> > Date: Thu, 20 Jul 2017 21:51:38 -0400
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Bytecode run timed out
> > 
> > OK, I'll turn that off and see what I get.
> > 
> > --Mark
> > 
> > On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  
> > wrote:
> >> 
> >> --infected suppresses the printing of clean file names.
> >> 
> >> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:
> >> 
> >>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> >>> wrote:
> >>> My parameters are:
> >>> 
> >>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive 
> >>> \
> >>>  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>> 
> >>> 
> >>> --Mark
> >>> 
> >>>> 
> >>>> The default is 6 milliseconds. What clamscan parameters are you
> >>> using?
> >>>> I am seeing file names by default.
> >>>> 
> >>>> Steve
> >>>> 
> >>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
> >>> wrote:
> >>>> 
> >>>>> It doesn't give any file names, even in the logfiles.  It happens when
> >>> I'm
> >>>>> running clamscan.
> >>>>> 
> >>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>> files).
> >>>>> 
> >>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>> increase it.
> >>>>> 
> >>>>> Thanks, --Mark
> >>>>> 
> >>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> >>> smor...@sourcefire.com>
> >>>>> wrote:
> >>>>>> 
> >>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >>> amount
> >>>>>> of processing.
> >>>>>> 
> >>>>>

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Al Varnell
It's almost certainly a file that follows S=12386 since that one is being 
reported as "OK". The file that failed might not even be listed, having failed 
the scan, although I suppose it's possible for it to be the next one shown.

It's my understanding that not all files receive a bytecode signature scan, 
making it even more difficult to determine the problem file.

-Al-

On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> 
> Here's the partial output from clamscan w/o the --infected option:
> 
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
>  OK
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
>  OK
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
>  OK
> 
> These are Maildir format files. The "S=12386" part is in fact the file size.
> It's not apparent from where the Warning message is issues what file is 
> causing
> the warning. The 12,657 byte file couldn't have been it and why would the
> 1,266,193 size file cause the warning and not the more that twice-as-large 
> file
> immediately following? Also there are much larger files in this directory, up 
> to
> 21M, but this is the only warning issued.
> 
> --Mark
> 
> -----Original Message-
> From: Mark Foley 
> Date: Thu, 20 Jul 2017 21:51:38 -0400
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Bytecode run timed out
> 
> OK, I'll turn that off and see what I get.
> 
> --Mark
> 
> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  
> wrote:
>> 
>> --infected suppresses the printing of clean file names.
>> 
>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:
>> 
>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
>>> wrote:
>>> My parameters are:
>>> 
>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>> 
>>> 
>>> --Mark
>>> 
>>>> 
>>>> The default is 6 milliseconds. What clamscan parameters are you
>>> using?
>>>> I am seeing file names by default.
>>>> 
>>>> Steve
>>>> 
>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
>>> wrote:
>>>> 
>>>>> It doesn't give any file names, even in the logfiles.  It happens when
>>> I'm
>>>>> running clamscan.
>>>>> 
>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>> files).
>>>>> 
>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>> increase it.
>>>>> 
>>>>> Thanks, --Mark
>>>>> 
>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
>>> smor...@sourcefire.com>
>>>>> wrote:
>>>>>> 
>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
>>> amount
>>>>>> of processing.
>>>>>> 
>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>> bytecode
>>>>>> signature may require attention.
>>>>>> 
>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>> clamscan
>>>>>> and BytecodeTimeout for clamd.
>>>>>> 
>>>>>> Steve
>>>>>> 
>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
>>>>> wrote:
>>>>>> 
>>>>>>> What is this? I just started happening.
>>>>>>> 
>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>>>>> flag set
>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>>>>> error!
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>> 
>>>>>>> Thanks, Mark


smime.p7s
Description: S/MIME cryptographic signature
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
Here's the partial output from clamscan w/o the --infected option:

/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
 OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
 OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
 OK

These are Maildir format files. The "S=12386" part is in fact the file size.
It's not apparent from where the Warning message is issues what file is causing
the warning. The 12,657 byte file couldn't have been it and why would the
1,266,193 size file cause the warning and not the more that twice-as-large file
immediately following? Also there are much larger files in this directory, up to
21M, but this is the only warning issued.

--Mark

-Original Message-
From: Mark Foley 
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  wrote:
>
> --infected suppresses the printing of clean file names.
>
> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:
>
> > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> > wrote:
> > My parameters are:
> >
> > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >
> >
> > --Mark
> >
> > >
> > > The default is 6 milliseconds. What clamscan parameters are you
> > using?
> > > I am seeing file names by default.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
> > wrote:
> > >
> > > > It doesn't give any file names, even in the logfiles.  It happens when
> > I'm
> > > > running clamscan.
> > > >
> > > > I am running it on lots of files, 124,681 to be exact (IMAP mail
> > files).
> > > >
> > > > What is the default for --bytecode-timeout? If I get it again I'll
> > > > increase it.
> > > >
> > > > Thanks, --Mark
> > > >
> > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> > smor...@sourcefire.com>
> > > > wrote:
> > > > >
> > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the
> > amount
> > > > > of processing.
> > > > >
> > > > > Are you seeing it on a lot of files? If that is the case, the
> > bytecode
> > > > > signature may require attention.
> > > > >
> > > > > You can try increasing the timeout limit. --bytecode-timeout for
> > clamscan
> > > > > and BytecodeTimeout for clamd.
> > > > >
> > > > > Steve
> > > > >
> > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> > > > wrote:
> > > > >
> > > > > > What is this? I just started happening.
> > > > > >
> > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > > > flag set
> > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > > > error!
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > > >
> > > > > > Thanks, Mark
> > > > > > ___
> > > > > > clamav-users mailing list
> > > > > > clamav-users@lists.clamav.net
> > > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > > > >
> > > > > >
> > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml
> > > > > >
> > > > > ___
> > > > > clamav-users mailing list
> >

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan  wrote:
>
> --infected suppresses the printing of clean file names.
>
> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:
>
> > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> > wrote:
> > My parameters are:
> >
> > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >
> >
> > --Mark
> >
> > >
> > > The default is 6 milliseconds. What clamscan parameters are you
> > using?
> > > I am seeing file names by default.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
> > wrote:
> > >
> > > > It doesn't give any file names, even in the logfiles.  It happens when
> > I'm
> > > > running clamscan.
> > > >
> > > > I am running it on lots of files, 124,681 to be exact (IMAP mail
> > files).
> > > >
> > > > What is the default for --bytecode-timeout? If I get it again I'll
> > > > increase it.
> > > >
> > > > Thanks, --Mark
> > > >
> > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> > smor...@sourcefire.com>
> > > > wrote:
> > > > >
> > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the
> > amount
> > > > > of processing.
> > > > >
> > > > > Are you seeing it on a lot of files? If that is the case, the
> > bytecode
> > > > > signature may require attention.
> > > > >
> > > > > You can try increasing the timeout limit. --bytecode-timeout for
> > clamscan
> > > > > and BytecodeTimeout for clamd.
> > > > >
> > > > > Steve
> > > > >
> > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> > > > wrote:
> > > > >
> > > > > > What is this? I just started happening.
> > > > > >
> > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > > > flag set
> > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > > > error!
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > > >
> > > > > > Thanks, Mark
> > > > > > ___
> > > > > > clamav-users mailing list
> > > > > > clamav-users@lists.clamav.net
> > > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > > > >
> > > > > >
> > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml
> > > > > >
> > > > > ___
> > > > > clamav-users mailing list
> > > > > clamav-users@lists.clamav.net
> > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > > >
> > > > >
> > > > > Help us build a comprehensive ClamAV guide:
> > > > > https://github.com/vrtadmin/clamav-faq
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > > >
> > > > ___
> > > > clamav-users mailing list
> > > > clamav-users@lists.clamav.net
> > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > >
> > > >
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > > ___
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
--infected suppresses the printing of clean file names.

On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley  wrote:

> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> wrote:
> My parameters are:
>
> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>
>
> --Mark
>
> >
> > The default is 6 milliseconds. What clamscan parameters are you
> using?
> > I am seeing file names by default.
> >
> > Steve
> >
> > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley 
> wrote:
> >
> > > It doesn't give any file names, even in the logfiles.  It happens when
> I'm
> > > running clamscan.
> > >
> > > I am running it on lots of files, 124,681 to be exact (IMAP mail
> files).
> > >
> > > What is the default for --bytecode-timeout? If I get it again I'll
> > > increase it.
> > >
> > > Thanks, --Mark
> > >
> > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> smor...@sourcefire.com>
> > > wrote:
> > > >
> > > > When ClamAV runs bytecode signatures, it uses a timer to limit the
> amount
> > > > of processing.
> > > >
> > > > Are you seeing it on a lot of files? If that is the case, the
> bytecode
> > > > signature may require attention.
> > > >
> > > > You can try increasing the timeout limit. --bytecode-timeout for
> clamscan
> > > > and BytecodeTimeout for clamd.
> > > >
> > > > Steve
> > > >
> > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> > > wrote:
> > > >
> > > > > What is this? I just started happening.
> > > > >
> > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > > flag set
> > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > > error!
> > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > >
> > > > > Thanks, Mark
> > > > > ___
> > > > > clamav-users mailing list
> > > > > clamav-users@lists.clamav.net
> > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > > >
> > > > >
> > > > > Help us build a comprehensive ClamAV guide:
> > > > > https://github.com/vrtadmin/clamav-faq
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > > >
> > > > ___
> > > > clamav-users mailing list
> > > > clamav-users@lists.clamav.net
> > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > >
> > > >
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > > ___
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan  wrote:
My parameters are:

clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1


--Mark

>
> The default is 6 milliseconds. What clamscan parameters are you using?
> I am seeing file names by default.
>
> Steve
>
> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley  wrote:
>
> > It doesn't give any file names, even in the logfiles.  It happens when I'm
> > running clamscan.
> >
> > I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >
> > What is the default for --bytecode-timeout? If I get it again I'll
> > increase it.
> >
> > Thanks, --Mark
> >
> > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan 
> > wrote:
> > >
> > > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > > of processing.
> > >
> > > Are you seeing it on a lot of files? If that is the case, the bytecode
> > > signature may require attention.
> > >
> > > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > > and BytecodeTimeout for clamd.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> > wrote:
> > >
> > > > What is this? I just started happening.
> > > >
> > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > flag set
> > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > error!
> > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > >
> > > > Thanks, Mark
> > > > ___
> > > > clamav-users mailing list
> > > > clamav-users@lists.clamav.net
> > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > > >
> > > >
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > > ___
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
The default is 6 milliseconds. What clamscan parameters are you using?
I am seeing file names by default.

Steve

On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley  wrote:

> It doesn't give any file names, even in the logfiles.  It happens when I'm
> running clamscan.
>
> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
>
> What is the default for --bytecode-timeout? If I get it again I'll
> increase it.
>
> Thanks, --Mark
>
> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan 
> wrote:
> >
> > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > of processing.
> >
> > Are you seeing it on a lot of files? If that is the case, the bytecode
> > signature may require attention.
> >
> > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > and BytecodeTimeout for clamd.
> >
> > Steve
> >
> > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley 
> wrote:
> >
> > > What is this? I just started happening.
> > >
> > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> flag set
> > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> error!
> > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > >
> > > Thanks, Mark
> > > ___
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
It doesn't give any file names, even in the logfiles.  It happens when I'm
running clamscan. 

I am running it on lots of files, 124,681 to be exact (IMAP mail files).

What is the default for --bytecode-timeout? If I get it again I'll increase it.

Thanks, --Mark

On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan  wrote:
>
> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> of processing.
>
> Are you seeing it on a lot of files? If that is the case, the bytecode
> signature may require attention.
>
> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> and BytecodeTimeout for clamd.
>
> Steve
>
> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley  wrote:
>
> > What is this? I just started happening.
> >
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >
> > Thanks, Mark
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
When ClamAV runs bytecode signatures, it uses a timer to limit the amount
of processing.

Are you seeing it on a lot of files? If that is the case, the bytecode
signature may require attention.

You can try increasing the timeout limit. --bytecode-timeout for clamscan
and BytecodeTimeout for clamd.

Steve

On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley  wrote:

> What is this? I just started happening.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>
> Thanks, Mark
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Bytecode run timed out

2012-03-08 Thread Ben Stuyts
Hi,

On 6 mrt. 2012, at 13:41, Török Edwin wrote:

> On 03/06/2012 01:18 PM, Ben Stuyts wrote:
>> 
>> On 6 mrt. 2012, at 11:47, Török Edwin wrote:
>> 
>>> There were no updates to bytecode recently. Maybe the file that caused the 
>>> problem is gone already?
>> 
>> I doubt it as I got many of those errors during a single run, so I assume 
>> there where multiple files.
> 
> Lets try something else then.
> 
> It says here that bytecode 3 failed to run:
>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
> 
> Run this to find out what is the name of bytecode 3:
> $ clamscan --debug /dev/null 2>&1|grep 'cbc(3)'
> 
> For me it says (but it might depend if you have cvd or cld):
> LibClamAV debug: Bytecode 814800.cbc(3) has logical signature: 
> BC.Exploit.CVE_2010_1885;Engine:52-255,Target:3;0;6863703a2f2f{25-700}736372697074{1-3}6465666572

I get:

LibClamAV debug: Bytecode 817795.cbc(3) has logical signature: 
BC.Exploit.CVE_2010_0815.{Exploit.CVE_2010_0815};Engine:52-255,Target:0;0;0:d0cf11e0a1b11ae1

> @Alain: I see we also have BC.Exploit.CVE_2010_1885-2 published, can we just 
> drop BC.Exploit.CVE_2010_1885?
> 
> Best regards,
> --Edwin

Kind regards,
Ben

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Török Edwin
On 03/06/2012 01:18 PM, Ben Stuyts wrote:
> 
> On 6 mrt. 2012, at 11:47, Török Edwin wrote:
> 
>> There were no updates to bytecode recently. Maybe the file that caused the 
>> problem is gone already?
> 
> I doubt it as I got many of those errors during a single run, so I assume 
> there where multiple files.

Lets try something else then.

It says here that bytecode 3 failed to run:
>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code

Run this to find out what is the name of bytecode 3:
$ clamscan --debug /dev/null 2>&1|grep 'cbc(3)'

For me it says (but it might depend if you have cvd or cld):
LibClamAV debug: Bytecode 814800.cbc(3) has logical signature: 
BC.Exploit.CVE_2010_1885;Engine:52-255,Target:3;0;6863703a2f2f{25-700}736372697074{1-3}6465666572

@Alain: I see we also have BC.Exploit.CVE_2010_1885-2 published, can we just 
drop BC.Exploit.CVE_2010_1885?

Best regards,
--Edwin


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Ben Stuyts

On 6 mrt. 2012, at 11:47, Török Edwin wrote:

> On 03/06/2012 12:46 PM, Ben Stuyts wrote:
>> 
>> On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:
>> 
>>> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
>>> 
 On 03/05/2012 11:33 AM, Ben Stuyts wrote:
> Hi,
> 
> Since two days, I'm getting lots of these messages while scanning one of 
> the servers here:
> 
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> set
> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
> 
> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.
> 
> This brings scanning this server to a crawl, unfortunately, so I had to 
> kill the nightly scans. Does this indicate a problem in the signatures, 
> or is there a problem with the local scanner?
> 
 
 Can you find out which file is causing this? (run clamscan -v to see what 
 file it is scanning)
 Then please open a bug and attach the file.
 
 Meanwhile you can try setting the timeout lower, using 
 --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
>>> 
>>> I will do this for the next daily run and get back to you tomorrow.
>> 
>> I ran:
>> /usr/local/bin/clamscan -rv --bytecode-timeout=1 /home
>> 
>> It didn't produce any errors this time. Maybe a recent update of the 
>> signature database fixed this?
> 
> There were no updates to bytecode recently. Maybe the file that caused the 
> problem is gone already?

I doubt it as I got many of those errors during a single run, so I assume there 
where multiple files.

Kind regards,
Ben

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Török Edwin
On 03/06/2012 12:46 PM, Ben Stuyts wrote:
> 
> On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:
> 
>>
>> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
>>
>>> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
 Hi,

 Since two days, I'm getting lots of these messages while scanning one of 
 the servers here:

 LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
 LibClamAV Warning: Bytcode 3 failed to run: Unknown error code

 This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.

 This brings scanning this server to a crawl, unfortunately, so I had to 
 kill the nightly scans. Does this indicate a problem in the signatures, or 
 is there a problem with the local scanner?

>>>
>>> Can you find out which file is causing this? (run clamscan -v to see what 
>>> file it is scanning)
>>> Then please open a bug and attach the file.
>>>
>>> Meanwhile you can try setting the timeout lower, using 
>>> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
>>
>> I will do this for the next daily run and get back to you tomorrow.
> 
> I ran:
> /usr/local/bin/clamscan -rv --bytecode-timeout=1 /home
> 
> It didn't produce any errors this time. Maybe a recent update of the 
> signature database fixed this?
> 

There were no updates to bytecode recently. Maybe the file that caused the 
problem is gone already?

--Edwin
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Ben Stuyts

On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:

> 
> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
> 
>> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>>> Hi,
>>> 
>>> Since two days, I'm getting lots of these messages while scanning one of 
>>> the servers here:
>>> 
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>>> 
>>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.
>>> 
>>> This brings scanning this server to a crawl, unfortunately, so I had to 
>>> kill the nightly scans. Does this indicate a problem in the signatures, or 
>>> is there a problem with the local scanner?
>>> 
>> 
>> Can you find out which file is causing this? (run clamscan -v to see what 
>> file it is scanning)
>> Then please open a bug and attach the file.
>> 
>> Meanwhile you can try setting the timeout lower, using 
>> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
> 
> I will do this for the next daily run and get back to you tomorrow.

I ran:
/usr/local/bin/clamscan -rv --bytecode-timeout=1 /home

It didn't produce any errors this time. Maybe a recent update of the signature 
database fixed this?

Kind regards,
Ben

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-05 Thread Ben Stuyts

On 5 mrt. 2012, at 11:07, Török Edwin wrote:

> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>> Hi,
>> 
>> Since two days, I'm getting lots of these messages while scanning one of the 
>> servers here:
>> 
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>> 
>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.
>> 
>> This brings scanning this server to a crawl, unfortunately, so I had to kill 
>> the nightly scans. Does this indicate a problem in the signatures, or is 
>> there a problem with the local scanner?
>> 
> 
> Can you find out which file is causing this? (run clamscan -v to see what 
> file it is scanning)
> Then please open a bug and attach the file.
> 
> Meanwhile you can try setting the timeout lower, using 
> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

I will do this for the next daily run and get back to you tomorrow.

Kind regards,
Ben

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Bytecode run timed out

2012-03-05 Thread Török Edwin
On 03/05/2012 11:33 AM, Ben Stuyts wrote:
> Hi,
> 
> Since two days, I'm getting lots of these messages while scanning one of the 
> servers here:
> 
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
> 
> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.
> 
> This brings scanning this server to a crawl, unfortunately, so I had to kill 
> the nightly scans. Does this indicate a problem in the signatures, or is 
> there a problem with the local scanner?
> 

Can you find out which file is causing this? (run clamscan -v to see what file 
it is scanning)
Then please open a bug and attach the file.

Meanwhile you can try setting the timeout lower, using 
--bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

Best regards,
--Edwin
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml