Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
* Micah Snyder (micasnyd):
> There are 3 bytecode rules for detecting CVE's that seem to take a
> rather long time to run, particularly as the file grows in size. I'm
> discussing with our threat research team if we can remove them as
> CVE's are old enough that no one should reasonably still be affected
> by the vulnerabilities.
>
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.

MaxFileSize 100M
MaxScanSize 200M
MaxScanTime 12

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
Hi Ralf,

There are 3 bytecode rules for detecting CVE's that seem to take a rather long time to run, particularly as the file grows in size. I'm discussing with our threat research team if we can remove them as CVE's are old enough that no one should reasonably still be affected by the vulnerabilities.

I am curious though - what are your MaxFileSize / MaxScanSize settings? I wonder if you're seeing timeouts with the default settings or if you increased them.

Regards,
Micah

Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users on behalf of Ralf Hildebrandt via clamav-users
Sent: Tuesday, February 20, 2024 9:36 AM
To: clamav-users@lists.clamav.net
Cc: Ralf Hildebrandt
Subject: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

In yesterday's logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit

is this a bad Bytecode rule?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
Re: [clamav-users] Bytecode run timed out
Note that the bytecode - 308 update just dropped the following:

> Dropped Detection Signatures:
>
>    * BC.Win.Packer.LizardNest-5588995-3
>
>    * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>
>    * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>
>    * BC.Pdf.Exploit.CVE_2017_3032-6316401-6

-Al-

On Fri, Jul 28, 2017 at 01:38 AM, Al Varnell wrote:
>
> On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
>>
>> It looks like this one that gives the "Bytecode run timed out" warning. I'm
>> trying the other two as well.
>>
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>
>> Plus, there's a new bytecode exploit that seems to be giving me a lot of
>> positives:
>>
>> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
>>
>> I've put that (with the trailing '.{}') in the .ign2 file as well.
>>
>> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
>> I've found no documentation on this and, if not, I might be getting false
>> results.
>
> That has not worked for me in the past. If there is a way to comment out
> signature lines, I've not discovered it.
>
> -Al-
>
>> --Mark
>>
>> -Original Message-
>> From: Mark Foley
>> Date: Thu, 27 Jul 2017 14:56:44 -0400
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Bytecode run timed out
>>
>> Yes, I was able to find the file as well. I've used the syntax in the
>> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
>>
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>
>> and that worked to block the warning. Now I will test each one in turn to see
>> which bytecode is causing the message.
>>
>> --Mark
>>
>> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind wrote;
>>>
>>> I have been noticing the same issue. I found at least one file that was
>>> causing the error, and was able to test with a single file, instead of
>>> having to virus scan an entire directory tree to test.
>>>
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>>>
>>> This worked for me:
>>>
>>> # cat /var/lib/clamav/local.ign2
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>>
>>> The problem file was the one listed under the JIT error messages, in my
>>> case, it was a pdf file that caused it.
>>>
>>> - Fred
>>>
>>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>>> That's the correct place to put the file.
>>>>
>>>> I suspect you'll want to try one at a time to nail down which signature is
>>>> causing the problem.
>>>>
>>>> Checking back I see there was a period rather than a space between the
>>>> signature name and the brackets, so:
>>>>
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>>>
>>>> -Al-
>>>>
>>>>
>>>> On Jul 22, 2017, at 1:45 PM, Mark Foley wrote:
>>>>
>>>>> That didn't work. I'll try w/o the {}.
>>>>>
>>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>>>
>>>>> --Mark
>>>>>
>>>>> -Original Message-
>>>>> From: Mark Foley
>>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>>> To: clamav-users@lists.clamav.net
>>>>>
>>>>> So, like this?
>>>>>
>>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>>>
>>>>> --Mark
>>>>>
>>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:
>>>>>> Yes, they can be added to a local .ign2 file, but the last time it was
>>>>>> discussed here, the entry needed to be followed by {} for some unknown
>>>>>> reason, to make it work.
Re: [clamav-users] Bytecode run timed out
On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
>
> It looks like this one that gives the "Bytecode run timed out" warning. I'm
> trying the other two as well.
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>
> Plus, there's a new bytecode exploit that seems to be giving me a lot of
> positives:
>
> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
>
> I've put that (with the trailing '.{}') in the .ign2 file as well.
>
> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
> I've found no documentation on this and, if not, I might be getting false
> results.

That has not worked for me in the past. If there is a way to comment out signature lines, I've not discovered it.

-Al-

> --Mark
>
> -Original Message-----
> From: Mark Foley
> Date: Thu, 27 Jul 2017 14:56:44 -0400
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Bytecode run timed out
>
> Yes, I was able to find the file as well. I've used the syntax in the
> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>
> and that worked to block the warning. Now I will test each one in turn to see
> which bytecode is causing the message.
>
> --Mark
>
> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind wrote;
>>
>> I have been noticing the same issue. I found at least one file that was
>> causing the error, and was able to test with a single file, instead of
>> having to virus scan an entire directory tree to test.
>>
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>>
>> This worked for me:
>>
>> # cat /var/lib/clamav/local.ign2
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>
>> The problem file was the one listed under the JIT error messages, in my
>> case, it was a pdf file that caused it.
>>
>> - Fred
>>
>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>> That's the correct place to put the file.
>>>
>>> I suspect you'll want to try one at a time to nail down which signature is
>>> causing the problem.
>>>
>>> Checking back I see there was a period rather than a space between the
>>> signature name and the brackets, so:
>>>
>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>>
>>> -Al-
>>>
>>>
>>> On Jul 22, 2017, at 1:45 PM, Mark Foley wrote:
>>>
>>>> That didn't work. I'll try w/o the {}.
>>>>
>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>>
>>>> --Mark
>>>>
>>>> -Original Message-
>>>> From: Mark Foley
>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>> To: clamav-users@lists.clamav.net
>>>>
>>>> So, like this?
>>>>
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>>
>>>> --Mark
>>>>
>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:
>>>>> Yes, they can be added to a local .ign2 file, but the last time it was
>>>>> discussed here, the entry needed to be followed by {} for some unknown
>>>>> reason, to make it work.
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>>>> Are bytecodes individually blockable?
>>>>>>
>>>>>> --Mark
>>>>>>
>>>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote:
>>>>>>> FYI, the following were added by bytecode 306:
>>>>>>>
>>>>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>>>
>>>>>>> -Al-
Re: [clamav-users] Bytecode run timed out
It looks like this one that gives the "Bytecode run timed out" warning. I'm trying the other two as well.

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}

Plus, there's a new bytecode exploit that seems to be giving me a lot of positives:

BC.Pdf.Exploit.CVE_2017_3032-6316401-6

I've put that (with the trailing '.{}') in the .ign2 file as well.

Can I use a '#' at the beginning of the lines in the .ign2 file as a comment? I've found no documentation on this and, if not, I might be getting false results.

--Mark

-Original Message-
From: Mark Foley
Date: Thu, 27 Jul 2017 14:56:44 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

Yes, I was able to find the file as well. I've used the syntax in the /var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind wrote;
>
> I have been noticing the same issue. I found at least one file that was
> causing the error, and was able to test with a single file, instead of
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -Original Message-
> >> From: Mark Foley
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was
> >>> discussed here, the entry needed to be followed by {} for some unknown
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and
> >>>>>> it's the file after the error. I've bumped the --bytecode-timeout to
> >>>>>> 12, 18 and finally 60 (10 minutes) and it fails for all these values,
> >>>>>> even though the file itself is not that big (1.2M).
> >>>>>>
> >>>>>> This is a pretty recent ph
Re: [clamav-users] Bytecode run timed out
ri, 21 Jul 2017 16:51:33 -0700 Al Varnell
> >>>>>> wrote:
> >>>>>>> It's almost certainly a file that follows S=12386 since that one is
> >>>>>>> being reported as "OK". The file that failed might not even be
> >>>>>>> listed, having failed the scan, although I suppose it's possible for
> >>>>>>> it to be the next one shown.
> >>>>>>>
> >>>>>>> It's my understanding that not all files receive a bytecode signature
> >>>>>>> scan, making it even more difficult to determine the problem file.
> >>>>>>>
> >>>>>>> -Al-
> >>>>>>>
> >>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>>>>
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>>>>>
> >>>>>>>> These are Maildir format files. The "S=12386" part is in fact the
> >>>>>>>> file size. It's not apparent from where the Warning message is issued
> >>>>>>>> what file is causing the warning. The 12,657 byte file couldn't have
> >>>>>>>> been it and why would the 1,266,193 size file cause the warning and
> >>>>>>>> not the more than twice-as-large file immediately following? Also
> >>>>>>>> there are much larger files in this directory, up to 21M, but this is
> >>>>>>>> the only warning issued.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> -Original Message-
> >>>>>>>> From: Mark Foley
> >>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>>>>> To: clamav-users@lists.clamav.net
> >>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>>>>>>
> >>>>>>>> OK, I'll turn that off and see what I get.
> >>>>>>>>
> >>>>>>>> --Mark
> >>>>>>>>
> >>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan wrote:
> >>>>>>>>> --infected suppresses the printing of clean file names.
> >>>>>>>>>
> >>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote:
> >>>>>>>>>
> >>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan wrote:
> >>>>>>>>>> My parameters are:
> >>>>>>>>>>
> >>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --Mark
> >>>>>>>>>>
> >>>>>>>>>>> The default is 6 milliseconds. What clamscan parameters are you using?
> >>>>>>>>>>> I am seeing file names by default.
> >>>>>>>>>>>
> >>>>>>>>>>> Steve
> >>>>>>>>>>>
> >>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley wrote:
> >>>>>>>>>>>> It doesn't give any file names, even in the logfiles. It happens when I'm
> >>>>>>>>>>>> running clamscan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>>>>>>> increase it.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks, --Mark
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> >>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> >>>>>>>>>>>>> of processing.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the bytecode
> >>>>>>>>>>>>> signature may require attention.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> >>>>>>>>>>>>> and BytecodeTimeout for clamd.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Steve
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
> >>>>>>>>>>>>>> What is this? I just started happening.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, Mark

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
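Added example (editor's code, not written by any poster in this thread and not part of ClamAV): a Python triage helper for the procedure discussed in these messages. It reads clamscan or clamd output, records each bytecode failure together with the file results printed just before and after it, and emits local.ign2 entries in the `name.{}` form that Fred and Al report working. The function names are hypothetical and the clamscan sample uses constructed, shortened paths; the clamd lines are the ones quoted in the 2024 message.

```python
import re

# The 2017 messages show "Bytcode <id> failed to run" (no signature name);
# the 2024 clamd log shows "Bytecode '<name>' (id: <n>) failed to run".
FAIL_RE = re.compile(
    r"Byte?code (?:'(?P<name>[^']+)' \(id: (?P<id>\d+)\)|(?P<old_id>\d+))"
    r" failed to run: (?P<reason>.+)$"
)
# clamscan result line: "<path>: OK" or "<path>: <signature> FOUND".
# Assumes absolute POSIX paths, as in the thread.
RESULT_RE = re.compile(r"^(?P<path>/.+): (?:OK|\S+ FOUND)$")

# Constructed sample in the shape of the clamscan output quoted in the thread.
CLAMSCAN_SAMPLE = """\
/srv/mail/cur/1001.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/srv/mail/cur/1002.mail,S=1266193,W=1282921:2,S: OK
/srv/mail/cur/1003.mail,S=3456056,W=3506158:2,S: OK
"""

# clamd syslog lines as quoted in the 2024 message.
CLAMD_SAMPLE = """\
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit
"""


def parse_failures(lines):
    """Return one record per 'failed to run' line.

    file_after is the next result line printed after the warning. Mark and
    Fred both found the culprit there, but Al notes the failing file may not
    be listed at all, so treat it as a lead to re-scan, not as proof.
    """
    failures, last_file, pending = [], None, []
    for raw in lines:
        line = raw.strip()
        hit = FAIL_RE.search(line)
        if hit:
            record = {
                "name": hit.group("name"),
                "id": int(hit.group("id") or hit.group("old_id")),
                "reason": hit.group("reason"),
                "file_before": last_file,
                "file_after": None,
            }
            failures.append(record)
            pending.append(record)
            continue
        result = RESULT_RE.match(line)
        if result:
            last_file = result.group("path")
            for record in pending:
                record["file_after"] = last_file
            pending = []
    return failures


def ign2_entries(failures):
    """Signature names as local.ign2 lines, with the '.{}' suffix added
    only when the logged name does not already carry it."""
    names = {f["name"] for f in failures if f.get("name")}
    return sorted(n if n.endswith(".{}") else n + ".{}" for n in names)


def unnamed_ids(failures):
    """Bytecode ids logged without a name (older log format); these cannot
    be turned into .ign2 lines without first finding the signature name."""
    return sorted({f["id"] for f in failures if f.get("name") is None})


if __name__ == "__main__":
    found = parse_failures(CLAMSCAN_SAMPLE.splitlines())
    found += parse_failures(CLAMD_SAMPLE.splitlines())
    for f in found:
        print(f["id"], f["name"], f["reason"], "re-scan:", f["file_after"])
    print("local.ign2 candidates:", ign2_entries(found))
    print("ids needing a name lookup:", unnamed_ids(found))
```

Re-scanning the reported `file_after` on its own, with one candidate entry in local.ign2 at a time, is the one-at-a-time test Al suggests for narrowing down the signature.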
Re: [clamav-users] Bytecode run timed out
I have been noticing the same issue. I found at least one file that was causing the error, and was able to test with a single file, instead of having to virus scan an entire directory tree to test.

LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached

This worked for me:

# cat /var/lib/clamav/local.ign2
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}

The problem file was the one listed under the JIT error messages, in my case, it was a pdf file that caused it.

- Fred

On 7/22/2017 6:56 PM, Al Varnell wrote:

That's the correct place to put the file.

I suspect you'll want to try one at a time to nail down which signature is causing the problem.

Checking back I see there was a period rather than a space between the signature name and the brackets, so:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

-Al-

On Jul 22, 2017, at 1:45 PM, Mark Foley wrote:

That didn't work. I'll try w/o the {}.

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-Original Message-
From: Mark Foley
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:

Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work.

-Al-

On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:

Are bytecodes individually blockable?

--Mark

On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote:

FYI, the following were added by bytecode 306:

* BC.Multios.Exploit.CVE_2017_2816-6329916-0
* BC.Pdf.Exploit.CVE_2017_2818-6331913-0
* BC.Pdf.Exploit.CVE_2017_2862-6331914-0

-Al-

On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:

I ran clamscan by hand on the files before and after the error, and it's the file after the error. I've bumped the --bytecode-timeout to 12, 18 and finally 60 (10 minutes) and it fails for all these values, even though the file itself is not that big (1.2M).

This is a pretty recent phenomenon. Perhaps something introduced in a recent update. I received bytecode.cld version 306 in freshclam starting on July 16, 2017; which is exactly when I started seeing this warning. I did not get the warning with version 305.

Is this a bug?

For now, I guess I'll just have to live with it.

Thanks, --Mark

On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote:

It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.

It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.

-Al-

On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:

Here's the partial output from clamscan w/o the --infected option:

/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK

These are Maildir format files. The "S=12386" part is in fact the file size. It's not apparent from where the Warning message is issued what file is causing the warning. The 12,657 byte file couldn't have been it and why would the 1,266,193 size file cause the warning and not the more than twice-as-large file immediately following? Also there are much larger files in this directory, up to 21M, but this is the only warning issued.

--Mark

-Original Message-
From: Mark Foley
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan wrote:

--infected suppresses the printing of clean file names.

On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote:

On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan wrote:

My parameters are:

clamscan -a --detec
Re: [clamav-users] Bytecode run timed out
That's the correct place to put the file.

I suspect you'll want to try one at a time to nail down which signature is causing the problem.

Checking back I see there was a period rather than a space between the signature name and the brackets, so:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

-Al-

On Jul 22, 2017, at 1:45 PM, Mark Foley wrote:

> That didn't work. I'll try w/o the {}.
>
> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>
> --Mark
>
> -Original Message-
> From: Mark Foley
> Date: Sat, 22 Jul 2017 11:08:28 -0400
> To: clamav-users@lists.clamav.net
>
> So, like this?
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>
> --Mark
>
> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:
>> Yes, they can be added to a local .ign2 file, but the last time it was
>> discussed here, the entry needed to be followed by {} for some unknown
>> reason, to make it work.
>>
>> -Al-
>>
>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>
>>> Are bytecodes individually blockable?
>>>
>>> --Mark
>>>
>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote:
>>>>
>>>> FYI, the following were added by bytecode 306:
>>>>
>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>
>>>> -Al-
>>>>
>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>>
>>>>> I ran clamscan by hand on the files before and after the error, and it's
>>>>> the file after the error. I've bumped the --bytecode-timeout to 12, 18
>>>>> and finally 60 (10 minutes) and it fails for all these values, even
>>>>> though the file itself is not that big (1.2M).
>>>>>
>>>>> This is a pretty recent phenomenon. Perhaps something introduced in a
>>>>> recent update. I received bytecode.cld version 306 in freshclam starting
>>>>> on July 16, 2017; which is exactly when I started seeing this warning. I
>>>>> did not get the warning with version 305.
>>>>>
>>>>> Is this a bug?
>>>>>
>>>>> For now, I guess I'll just have to live with it.
>>>>>
>>>>> Thanks, --Mark
>>>>>
>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote:
>>>>>>
>>>>>> It's almost certainly a file that follows S=12386 since that one is
>>>>>> being reported as "OK". The file that failed might not even be listed,
>>>>>> having failed the scan, although I suppose it's possible for it to be
>>>>>> the next one shown.
>>>>>>
>>>>>> It's my understanding that not all files receive a bytecode signature
>>>>>> scan, making it even more difficult to determine the problem file.
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>>
>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>>
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>>
>>>>>>> These are Maildir for
Re: [clamav-users] Bytecode run timed out
That didn't work. I'll try w/o the {}.

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-Original Message-
From: Mark Foley
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was
> discussed here, the entry needed to be followed by {} for some unknown
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >
> > Are bytecodes individually blockable?
> >
> > --Mark
> >
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote:
> >>
> >> FYI, the following were added by bytecode 306:
> >>
> >> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>
> >> -Al-
> >>
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>
> >>> I ran clamscan by hand on the files before and after the error, and it's
> >>> the file after the error. I've bumped the --bytecode-timeout to 12, 18
> >>> and finally 60 (10 minutes) and it fails for all these values, even
> >>> though the file itself is not that big (1.2M).
> >>>
> >>> This is a pretty recent phenomenon. Perhaps something introduced in a
> >>> recent update. I received bytecode.cld version 306 in freshclam starting
> >>> on July 16, 2017; which is exactly when I started seeing this warning. I
> >>> did not get the warning with version 305.
> >>>
> >>> Is this a bug?
> >>>
> >>> For now, I guess I'll just have to live with it.
> >>>
> >>> Thanks, --Mark
> >>>
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote:
> >>>>
> >>>> It's almost certainly a file that follows S=12386 since that one is
> >>>> being reported as "OK". The file that failed might not even be listed,
> >>>> having failed the scan, although I suppose it's possible for it to be
> >>>> the next one shown.
> >>>>
> >>>> It's my understanding that not all files receive a bytecode signature
> >>>> scan, making it even more difficult to determine the problem file.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>>
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>>
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>>>
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file
> >>>>> size. It's not apparent from where the Warning message is issued what
> >>>>> file is causing the warning. The 12,657 byte file couldn't have been it
> >>>>> and why would the 1,266,193 size file cause the warning and not the more
> >>>>> than twice-as-large file immediately following? Also there are much
> >>>>> larger files in this directory, up to 21M, but this is the only warning
> >>>>> issued.
> >>>>>
> >>>>> --Mark
Re: [clamav-users] Bytecode run timed out
So, like this? BC.Multios.Exploit.CVE_2017_2816-6329916-0 {} BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {} BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {} --Mark On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell wrote: > Yes, they can be added to a local .ign2 file, but the last time it was > discussed here, the entry needed to be followed by {} for some unknown > reason, to make it work. > > -Al- > > On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote: > > > > Are bytecodes individually blockable? > > > > --Mark > > > > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote: > >> > >> FYI, the following were added by bytecode 306: > >> > >> * BC.Multios.Exploit.CVE_2017_2816-6329916-0 > >> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0 > >> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0 > >> > >> -Al- > >> > >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote: > >>> > >>> I ran clamscan by hand on the files before and after the error, and it's > >>> the file > >>> after the error. I've bumped the --bytecode-timeout to 12, 18 and > >>> finally 60 (10 minutes) and it fails for all these values, even > >>> though the > >>> file itself is not that big (1.2M). > >>> > >>> This is a pretty recent phenomenon. Perhaps something introduced in a > >>> recent > >>> update. I received bytecode.cld version 306 in freshclam starting on > >>> July 16, > >>> 2017; which is exactly when I started seeing this warning. I did not get > >>> the > >>> warning with version 305. > >>> > >>> Is this a bug? > >>> > >>> For now, I guess I'll just have to live with it. > >>> > >>> Thanks, --Mark > >>> > >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote: > >>>> > >>>> It's almost certainly a file that follows S=12386 since that one is > >>>> being reported as "OK". The file that failed might not even be listed, > >>>> having failed the scan, although I suppose it's possible for it to be > >>>> the next one shown. 
> >>>> > >>>> It's my understanding that not all files receive a bytecode signature > >>>> scan, making it even more difficult to determine the problem file. > >>>> > >>>> -Al- > >>>> > >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: > >>>>> > >>>>> Here's the partial output from clamscan w/o the --infected option: > >>>>> > >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: > >>>>> OK > >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag > >>>>> set > >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error > >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! > >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached > >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: > >>>>> OK > >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: > >>>>> OK > >>>>> > >>>>> These are Maildir format files. The "S=12386" part is in fact the file > >>>>> size. > >>>>> It's not apparent from where the Warning message is issues what file is > >>>>> causing > >>>>> the warning. The 12,657 byte file couldn't have been it and why would > >>>>> the > >>>>> 1,266,193 size file cause the warning and not the more that > >>>>> twice-as-large file > >>>>> immediately following? Also there are much larger files in this > >>>>> directory, up to > >>>>> 21M, but this is the only warning issued. > >>>>> > >>>>> --Mark > >>>>> > >>>>> -Original Message- > >>>>> From: Mark Foley > >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400 > >>>>> To: clamav-users@lists.clamav.net &
Re: [clamav-users] Bytecode run timed out
Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work. -Al- On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote: > > Are bytecodes individually blockable? > > --Mark > > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote: >> >> FYI, the following were added by bytecode 306: >> >> * BC.Multios.Exploit.CVE_2017_2816-6329916-0 >> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0 >> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0 >> >> -Al- >> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote: >>> >>> I ran clamscan by hand on the files before and after the error, and it's >>> the file >>> after the error. I've bumped the --bytecode-timeout to 12, 18 and >>> finally 60 (10 minutes) and it fails for all these values, even though >>> the >>> file itself is not that big (1.2M). >>> >>> This is a pretty recent phenomenon. Perhaps something introduced in a >>> recent >>> update. I received bytecode.cld version 306 in freshclam starting on July >>> 16, >>> 2017; which is exactly when I started seeing this warning. I did not get >>> the >>> warning with version 305. >>> >>> Is this a bug? >>> >>> For now, I guess I'll just have to live with it. >>> >>> Thanks, --Mark >>> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote: >>>> >>>> It's almost certainly a file that follows S=12386 since that one is being >>>> reported as "OK". The file that failed might not even be listed, having >>>> failed the scan, although I suppose it's possible for it to be the next >>>> one shown. >>>> >>>> It's my understanding that not all files receive a bytecode signature >>>> scan, making it even more difficult to determine the problem file. 
>>>> >>>> -Al- >>>> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: >>>>> >>>>> Here's the partial output from clamscan w/o the --infected option: >>>>> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: >>>>> OK >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag >>>>> set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: >>>>> OK >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: >>>>> OK >>>>> >>>>> These are Maildir format files. The "S=12386" part is in fact the file >>>>> size. >>>>> It's not apparent from where the Warning message is issues what file is >>>>> causing >>>>> the warning. The 12,657 byte file couldn't have been it and why would the >>>>> 1,266,193 size file cause the warning and not the more that >>>>> twice-as-large file >>>>> immediately following? Also there are much larger files in this >>>>> directory, up to >>>>> 21M, but this is the only warning issued. >>>>> >>>>> --Mark >>>>> >>>>> -Original Message- >>>>> From: Mark Foley >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400 >>>>> To: clamav-users@lists.clamav.net >>>>> Subject: Re: [clamav-users] Bytecode run timed out >>>>> >>>>> OK, I'll turn that off and see what I get. >>>>> >>>>> --Mark >>>>> >>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan >>>>> wrote: >>>>>> >>>>>> --infected suppresses the printing of clean file names. >>>>>> >>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley >>>>>> wrote: >>>>>> >>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan >>>>>
Re: [clamav-users] Bytecode run timed out
Are bytecodes individually blockable? --Mark On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell wrote: > > FYI, the following were added by bytecode 306: > >* BC.Multios.Exploit.CVE_2017_2816-6329916-0 >* BC.Pdf.Exploit.CVE_2017_2818-6331913-0 >* BC.Pdf.Exploit.CVE_2017_2862-6331914-0 > > -Al- > > On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote: > > > > I ran clamscan by hand on the files before and after the error, and it's > > the file > > after the error. I've bumped the --bytecode-timeout to 12, 18 and > > finally 60 (10 minutes) and it fails for all these values, even though > > the > > file itself is not that big (1.2M). > > > > This is a pretty recent phenomenon. Perhaps something introduced in a > > recent > > update. I received bytecode.cld version 306 in freshclam starting on July > > 16, > > 2017; which is exactly when I started seeing this warning. I did not get > > the > > warning with version 305. > > > > Is this a bug? > > > > For now, I guess I'll just have to live with it. > > > > Thanks, --Mark > > > > On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote: > >> > >> It's almost certainly a file that follows S=12386 since that one is being > >> reported as "OK". The file that failed might not even be listed, having > >> failed the scan, although I suppose it's possible for it to be the next > >> one shown. > >> > >> It's my understanding that not all files receive a bytecode signature > >> scan, making it even more difficult to determine the problem file. 
> >> > >> -Al- > >> > >> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: > >>> > >>> Here's the partial output from clamscan w/o the --infected option: > >>> > >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: > >>> OK > >>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag > >>> set > >>> LibClamAV Warning: [Bytecode JIT]: recovered from error > >>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! > >>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached > >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: > >>> OK > >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: > >>> OK > >>> > >>> These are Maildir format files. The "S=12386" part is in fact the file > >>> size. > >>> It's not apparent from where the Warning message is issues what file is > >>> causing > >>> the warning. The 12,657 byte file couldn't have been it and why would the > >>> 1,266,193 size file cause the warning and not the more that > >>> twice-as-large file > >>> immediately following? Also there are much larger files in this > >>> directory, up to > >>> 21M, but this is the only warning issued. > >>> > >>> --Mark > >>> > >>> -Original Message- > >>> From: Mark Foley > >>> Date: Thu, 20 Jul 2017 21:51:38 -0400 > >>> To: clamav-users@lists.clamav.net > >>> Subject: Re: [clamav-users] Bytecode run timed out > >>> > >>> OK, I'll turn that off and see what I get. > >>> > >>> --Mark > >>> > >>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan > >>> wrote: > >>>> > >>>> --infected suppresses the printing of clean file names. 
> >>>> > >>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley > >>>> wrote: > >>>> > >>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan > >>>>> > >>>>> wrote: > >>>>> My parameters are: > >>>>> > >>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected > >>>>> --recursive \ > >>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1 > >>>>> > >>>>> > >>>>> --Mark > >>>>> > >>>>>> > >>>>>> The default is 6 milliseconds. What clamscan paramet
Re: [clamav-users] Bytecode run timed out
FYI, the following were added by bytecode 306: * BC.Multios.Exploit.CVE_2017_2816-6329916-0 * BC.Pdf.Exploit.CVE_2017_2818-6331913-0 * BC.Pdf.Exploit.CVE_2017_2862-6331914-0 -Al- On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote: > > I ran clamscan by hand on the files before and after the error, and it's the > file > after the error. I've bumped the --bytecode-timeout to 12, 18 and > finally 60 (10 minutes) and it fails for all these values, even though the > file itself is not that big (1.2M). > > This is a pretty recent phenomenon. Perhaps something introduced in a recent > update. I received bytecode.cld version 306 in freshclam starting on July 16, > 2017; which is exactly when I started seeing this warning. I did not get the > warning with version 305. > > Is this a bug? > > For now, I guess I'll just have to live with it. > > Thanks, --Mark > > On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote: >> >> It's almost certainly a file that follows S=12386 since that one is being >> reported as "OK". The file that failed might not even be listed, having >> failed the scan, although I suppose it's possible for it to be the next one >> shown. >> >> It's my understanding that not all files receive a bytecode signature scan, >> making it even more difficult to determine the problem file. >> >> -Al- >> >> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: >>> >>> Here's the partial output from clamscan w/o the --infected option: >>> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: >>> OK >>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set >>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! 
>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: >>> OK >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: >>> OK >>> >>> These are Maildir format files. The "S=12386" part is in fact the file size. >>> It's not apparent from where the Warning message is issues what file is >>> causing >>> the warning. The 12,657 byte file couldn't have been it and why would the >>> 1,266,193 size file cause the warning and not the more that twice-as-large >>> file >>> immediately following? Also there are much larger files in this directory, >>> up to >>> 21M, but this is the only warning issued. >>> >>> --Mark >>> >>> -Original Message- >>> From: Mark Foley >>> Date: Thu, 20 Jul 2017 21:51:38 -0400 >>> To: clamav-users@lists.clamav.net >>> Subject: Re: [clamav-users] Bytecode run timed out >>> >>> OK, I'll turn that off and see what I get. >>> >>> --Mark >>> >>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan >>> wrote: >>>> >>>> --infected suppresses the printing of clean file names. >>>> >>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote: >>>> >>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan >>>>> wrote: >>>>> My parameters are: >>>>> >>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive >>>>> \ >>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1 >>>>> >>>>> >>>>> --Mark >>>>> >>>>>> >>>>>> The default is 6 milliseconds. What clamscan parameters are you >>>>> using? >>>>>> I am seeing file names by default. >>>>>> >>>>>> Steve >>>>>> >>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley >>>>> wrote: >>>>>> >>>>>>> It doesn't give any file names, even in the logfiles. It happens when >>>>> I'm >>>>>>> running clamscan. >>>>>>> >>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail >>>>> files). >>>>>>> >>>>>>> What is th
Re: [clamav-users] Bytecode run timed out
I ran clamscan by hand on the files before and after the error, and it's the file after the error. I've bumped the --bytecode-timeout to 12, 18 and finally 60 (10 minutes) and it fails for all these values, even though the file itself is not that big (1.2M). This is a pretty recent phenomenon. Perhaps something introduced in a recent update. I received bytecode.cld version 306 in freshclam starting on July 16, 2017; which is exactly when I started seeing this warning. I did not get the warning with version 305. Is this a bug? For now, I guess I'll just have to live with it. Thanks, --Mark On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell wrote: > > It's almost certainly a file that follows S=12386 since that one is being > reported as "OK". The file that failed might not even be listed, having > failed the scan, although I suppose it's possible for it to be the next one > shown. > > It's my understanding that not all files receive a bytecode signature scan, > making it even more difficult to determine the problem file. > > -Al- > > On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: > > > > Here's the partial output from clamscan w/o the --infected option: > > > > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: > > OK > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set > > LibClamAV Warning: [Bytecode JIT]: recovered from error > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached > > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: > > OK > > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: > > OK > > > > These are Maildir format files. The "S=12386" part is in fact the file size. 
> > It's not apparent from where the Warning message is issues what file is > > causing > > the warning. The 12,657 byte file couldn't have been it and why would the > > 1,266,193 size file cause the warning and not the more that twice-as-large > > file > > immediately following? Also there are much larger files in this directory, > > up to > > 21M, but this is the only warning issued. > > > > --Mark > > > > -Original Message- > > From: Mark Foley > > Date: Thu, 20 Jul 2017 21:51:38 -0400 > > To: clamav-users@lists.clamav.net > > Subject: Re: [clamav-users] Bytecode run timed out > > > > OK, I'll turn that off and see what I get. > > > > --Mark > > > > On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan > > wrote: > >> > >> --infected suppresses the printing of clean file names. > >> > >> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote: > >> > >>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan > >>> wrote: > >>> My parameters are: > >>> > >>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive > >>> \ > >>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1 > >>> > >>> > >>> --Mark > >>> > >>>> > >>>> The default is 6 milliseconds. What clamscan parameters are you > >>> using? > >>>> I am seeing file names by default. > >>>> > >>>> Steve > >>>> > >>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley > >>> wrote: > >>>> > >>>>> It doesn't give any file names, even in the logfiles. It happens when > >>> I'm > >>>>> running clamscan. > >>>>> > >>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail > >>> files). > >>>>> > >>>>> What is the default for --bytecode-timeout? If I get it again I'll > >>>>> increase it. > >>>>> > >>>>> Thanks, --Mark > >>>>> > >>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan < > >>> smor...@sourcefire.com> > >>>>> wrote: > >>>>>> > >>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the > >>> amount > >>>>>> of processing. > >>>>>> > >>>>>
Re: [clamav-users] Bytecode run timed out
It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown. It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file. -Al- On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote: > > Here's the partial output from clamscan w/o the --infected option: > > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: > OK > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set > LibClamAV Warning: [Bytecode JIT]: recovered from error > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: > OK > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: > OK > > These are Maildir format files. The "S=12386" part is in fact the file size. > It's not apparent from where the Warning message is issues what file is > causing > the warning. The 12,657 byte file couldn't have been it and why would the > 1,266,193 size file cause the warning and not the more that twice-as-large > file > immediately following? Also there are much larger files in this directory, up > to > 21M, but this is the only warning issued. > > --Mark > > -----Original Message- > From: Mark Foley > Date: Thu, 20 Jul 2017 21:51:38 -0400 > To: clamav-users@lists.clamav.net > Subject: Re: [clamav-users] Bytecode run timed out > > OK, I'll turn that off and see what I get. > > --Mark > > On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan > wrote: >> >> --infected suppresses the printing of clean file names. 
>> >> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote: >> >>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan >>> wrote: >>> My parameters are: >>> >>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \ >>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1 >>> >>> >>> --Mark >>> >>>> >>>> The default is 6 milliseconds. What clamscan parameters are you >>> using? >>>> I am seeing file names by default. >>>> >>>> Steve >>>> >>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley >>> wrote: >>>> >>>>> It doesn't give any file names, even in the logfiles. It happens when >>> I'm >>>>> running clamscan. >>>>> >>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail >>> files). >>>>> >>>>> What is the default for --bytecode-timeout? If I get it again I'll >>>>> increase it. >>>>> >>>>> Thanks, --Mark >>>>> >>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan < >>> smor...@sourcefire.com> >>>>> wrote: >>>>>> >>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the >>> amount >>>>>> of processing. >>>>>> >>>>>> Are you seeing it on a lot of files? If that is the case, the >>> bytecode >>>>>> signature may require attention. >>>>>> >>>>>> You can try increasing the timeout limit. --bytecode-timeout for >>> clamscan >>>>>> and BytecodeTimeout for clamd. >>>>>> >>>>>> Steve >>>>>> >>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley >>>>> wrote: >>>>>> >>>>>>> What is this? I just started happening. >>>>>>> >>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! 
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached >>>>>>> >>>>>>> Thanks, Mark ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Bytecode run timed out
Here's the partial output from clamscan w/o the --infected option:

/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK

These are Maildir format files. The "S=12386" part is in fact the file size. It's not apparent from where the Warning message is issued what file is causing the warning. The 12,657 byte file couldn't have been it and why would the 1,266,193 size file cause the warning and not the more than twice-as-large file immediately following? Also there are much larger files in this directory, up to 21M, but this is the only warning issued.

--Mark

-Original Message-
From: Mark Foley
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan wrote:
>
> --infected suppresses the printing of clean file names.
>
> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote:
>
> > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan wrote:
> > My parameters are:
> >
> > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> > --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >
> >
> > --Mark
> >
> > >
> > > The default is 6 milliseconds. What clamscan parameters are you using?
> > > I am seeing file names by default.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley wrote:
> > >
> > > > It doesn't give any file names, even in the logfiles. It happens when I'm
> > > > running clamscan.
> > > >
> > > > I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> > > >
> > > > What is the default for --bytecode-timeout? If I get it again I'll
> > > > increase it.
> > > >
> > > > Thanks, --Mark
> > > >
> > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com>
> > > > wrote:
> > > > >
> > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > > > > of processing.
> > > > >
> > > > > Are you seeing it on a lot of files? If that is the case, the bytecode
> > > > > signature may require attention.
> > > > >
> > > > > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > > > > and BytecodeTimeout for clamd.
> > > > >
> > > > > Steve
> > > > >
> > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
> > > > >
> > > > > > What is this? I just started happening.
> > > > > >
> > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > > >
> > > > > > Thanks, Mark
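An added example, not part of the thread or of ClamAV: a small parser that attributes bytecode timeout warnings in merged clamscan output (`2>&1`) to a file. It assumes the ordering reported later in this thread, where the warnings are printed before the result line of the file that triggered them; the function names and the shortened sample paths are constructed for illustration.

```python
import re

# Constructed sample modelled on the output quoted in the message above;
# the directory part of each path is a shortened placeholder.
SAMPLE_OUTPUT = """\
/mail/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/mail/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/mail/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
"""

WARNING_PREFIX = "LibClamAV Warning: "

# Covers both message shapes that appear on this page:
#   Bytcode 5 failed to run: Time limit reached
#   Bytecode '<name>' (id: 77) failed to run: Exceeded time limit
FAILED_RE = re.compile(
    r"Byte?code\s+(?:'(?P<name>[^']+)'\s+\(id:\s*(?P<id>\d+)\)|(?P<num>\d+))"
    r"\s+failed to run:\s*(?P<reason>.+)"
)

# Maildir file names carry the message size as ",S=<bytes>".
MAILDIR_SIZE_RE = re.compile(r",S=(\d+)")


def _finding(path, verdict, warnings):
    """Build one record from a result line and the warnings that preceded it."""
    failed = next((m for m in map(FAILED_RE.search, warnings) if m), None)
    size = MAILDIR_SIZE_RE.search(path) if path else None
    return {
        "path": path,
        "verdict": verdict,
        "maildir_size": int(size.group(1)) if size else None,
        "bytecode": (failed.group("name") or failed.group("num")) if failed else None,
        "reason": failed.group("reason") if failed else None,
        "warnings": list(warnings),
    }


def attribute_warnings(output):
    """Return one record per file whose result line was preceded by warnings.

    Assumption (taken from the thread, not from ClamAV documentation):
    warnings appear BEFORE the result line of the file being scanned.
    """
    findings = []
    pending = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            break  # summary block follows; no more per-file result lines
        if line.startswith(WARNING_PREFIX):
            pending.append(line[len(WARNING_PREFIX):])
            continue
        # Result lines look like "<path>: <verdict>". Maildir names contain
        # ":2,S" flags, so split on the LAST ": " rather than the first colon.
        path, sep, verdict = line.rpartition(": ")
        if not sep:
            continue
        if pending:
            findings.append(_finding(path, verdict, pending))
            pending = []
    if pending:
        # Warnings with no result line after them: the file was never listed.
        findings.append(_finding(None, None, pending))
    return findings


if __name__ == "__main__":
    for item in attribute_warnings(SAMPLE_OUTPUT):
        print(item["path"], item["maildir_size"], item["bytecode"], item["reason"])
```

When stdout goes to a pipe or file it may be buffered differently from stderr, so a candidate found this way should be confirmed by scanning that one file on its own.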
Re: [clamav-users] Bytecode run timed out
OK, I'll turn that off and see what I get. --Mark On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan wrote: > > --infected suppresses the printing of clean file names. > > On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote: > > > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan > > wrote: > > My parameters are: > > > > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \ > > --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1 > > > > > > --Mark > > > > > > > > The default is 6 milliseconds. What clamscan parameters are you > > using? > > > I am seeing file names by default. > > > > > > Steve > > > > > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley > > wrote: > > > > > > > It doesn't give any file names, even in the logfiles. It happens when > > I'm > > > > running clamscan. > > > > > > > > I am running it on lots of files, 124,681 to be exact (IMAP mail > > files). > > > > > > > > What is the default for --bytecode-timeout? If I get it again I'll > > > > increase it. > > > > > > > > Thanks, --Mark > > > > > > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan < > > smor...@sourcefire.com> > > > > wrote: > > > > > > > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the > > amount > > > > > of processing. > > > > > > > > > > Are you seeing it on a lot of files? If that is the case, the > > bytecode > > > > > signature may require attention. > > > > > > > > > > You can try increasing the timeout limit. --bytecode-timeout for > > clamscan > > > > > and BytecodeTimeout for clamd. > > > > > > > > > > Steve > > > > > > > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley > > > > wrote: > > > > > > > > > > > What is this? I just started happening. > > > > > > > > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout > > > > flag set > > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error > > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime > > > > error! 
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached > > > > > > > > > > > > Thanks, Mark
Re: [clamav-users] Bytecode run timed out
--infected suppresses the printing of clean file names.

On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote:

> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan wrote:
>
> My parameters are:
>
> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>
> --Mark
>
> > The default is 6 milliseconds. What clamscan parameters are you using?
> > I am seeing file names by default.
> >
> > Steve
> >
> > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley wrote:
> >
> > > It doesn't give any file names, even in the logfiles. It happens when I'm
> > > running clamscan.
> > >
> > > I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> > >
> > > What is the default for --bytecode-timeout? If I get it again I'll
> > > increase it.
> > >
> > > Thanks, --Mark
> > >
> > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
> > >
> > > > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > > > of processing.
> > > >
> > > > Are you seeing it on a lot of files? If that is the case, the bytecode
> > > > signature may require attention.
> > > >
> > > > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > > > and BytecodeTimeout for clamd.
> > > >
> > > > Steve
> > > >
> > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
> > > >
> > > > > What is this? It just started happening.
> > > > >
> > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > >
> > > > > Thanks, Mark
Re: [clamav-users] Bytecode run timed out
On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan wrote:

My parameters are:

clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1

--Mark

> The default is 6 milliseconds. What clamscan parameters are you using?
> I am seeing file names by default.
>
> Steve
>
> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley wrote:
>
> > It doesn't give any file names, even in the logfiles. It happens when I'm
> > running clamscan.
> >
> > I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >
> > What is the default for --bytecode-timeout? If I get it again I'll
> > increase it.
> >
> > Thanks, --Mark
> >
> > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan wrote:
> >
> > > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > > of processing.
> > >
> > > Are you seeing it on a lot of files? If that is the case, the bytecode
> > > signature may require attention.
> > >
> > > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > > and BytecodeTimeout for clamd.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
> > >
> > > > What is this? It just started happening.
> > > >
> > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > >
> > > > Thanks, Mark
Re: [clamav-users] Bytecode run timed out
The default is 6 milliseconds. What clamscan parameters are you using?
I am seeing file names by default.

Steve

On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley wrote:

> It doesn't give any file names, even in the logfiles. It happens when I'm
> running clamscan.
>
> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
>
> What is the default for --bytecode-timeout? If I get it again I'll
> increase it.
>
> Thanks, --Mark
>
> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan wrote:
>
> > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > of processing.
> >
> > Are you seeing it on a lot of files? If that is the case, the bytecode
> > signature may require attention.
> >
> > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > and BytecodeTimeout for clamd.
> >
> > Steve
> >
> > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
> >
> > > What is this? It just started happening.
> > >
> > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > >
> > > Thanks, Mark
Re: [clamav-users] Bytecode run timed out
It doesn't give any file names, even in the logfiles. It happens when I'm
running clamscan.

I am running it on lots of files, 124,681 to be exact (IMAP mail files).

What is the default for --bytecode-timeout? If I get it again I'll
increase it.

Thanks, --Mark

On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan wrote:

> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> of processing.
>
> Are you seeing it on a lot of files? If that is the case, the bytecode
> signature may require attention.
>
> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> and BytecodeTimeout for clamd.
>
> Steve
>
> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:
>
> > What is this? It just started happening.
> >
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >
> > Thanks, Mark
Re: [clamav-users] Bytecode run timed out
When ClamAV runs bytecode signatures, it uses a timer to limit the amount
of processing.

Are you seeing it on a lot of files? If that is the case, the bytecode
signature may require attention.

You can try increasing the timeout limit. --bytecode-timeout for clamscan
and BytecodeTimeout for clamd.

Steve

On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley wrote:

> What is this? It just started happening.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>
> Thanks, Mark
Re: [clamav-users] Bytecode run timed out
Hi,

On 6 mrt. 2012, at 13:41, Török Edwin wrote:

> On 03/06/2012 01:18 PM, Ben Stuyts wrote:
>>
>> On 6 mrt. 2012, at 11:47, Török Edwin wrote:
>>
>>> There were no updates to bytecode recently. Maybe the file that caused the
>>> problem is gone already?
>>
>> I doubt it as I got many of those errors during a single run, so I assume
>> there were multiple files.
>
> Let's try something else then.
>
> It says here that bytecode 3 failed to run:
>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>
> Run this to find out what is the name of bytecode 3:
> $ clamscan --debug /dev/null 2>&1|grep 'cbc(3)'
>
> For me it says (but it might depend if you have cvd or cld):
> LibClamAV debug: Bytecode 814800.cbc(3) has logical signature:
> BC.Exploit.CVE_2010_1885;Engine:52-255,Target:3;0;6863703a2f2f{25-700}736372697074{1-3}6465666572

I get:

LibClamAV debug: Bytecode 817795.cbc(3) has logical signature:
BC.Exploit.CVE_2010_0815.{Exploit.CVE_2010_0815};Engine:52-255,Target:0;0;0:d0cf11e0a1b11ae1

> @Alain: I see we also have BC.Exploit.CVE_2010_1885-2 published, can we just
> drop BC.Exploit.CVE_2010_1885?
>
> Best regards,
> --Edwin

Kind regards,
Ben
Re: [clamav-users] Bytecode run timed out
On 03/06/2012 01:18 PM, Ben Stuyts wrote:
>
> On 6 mrt. 2012, at 11:47, Török Edwin wrote:
>
>> There were no updates to bytecode recently. Maybe the file that caused the
>> problem is gone already?
>
> I doubt it as I got many of those errors during a single run, so I assume
> there were multiple files.

Let's try something else then.

It says here that bytecode 3 failed to run:
>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code

Run this to find out what is the name of bytecode 3:
$ clamscan --debug /dev/null 2>&1|grep 'cbc(3)'

For me it says (but it might depend if you have cvd or cld):
LibClamAV debug: Bytecode 814800.cbc(3) has logical signature:
BC.Exploit.CVE_2010_1885;Engine:52-255,Target:3;0;6863703a2f2f{25-700}736372697074{1-3}6465666572

@Alain: I see we also have BC.Exploit.CVE_2010_1885-2 published, can we just
drop BC.Exploit.CVE_2010_1885?

Best regards,
--Edwin
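
The lookup in the message above, extended into a tally (an added example, not part of the original thread and not ClamAV code): it maps bytecode numbers to signature names from `clamscan --debug` output and counts failures per signature, so a rule that fails on many files stands out. The function names and the sample input, assembled from lines quoted in this thread, are assumptions of the example.

```python
import re
from collections import Counter

# Database-load debug line, in the form quoted in the thread.
SIG_RE = re.compile(
    r"Bytecode (?P<file>\S+\.cbc)\((?P<id>\d+)\) has logical signature: (?P<name>[^;]+);")
# Warning that carries only a number ("Bytcode" is the spelling in the quoted output).
NUMBERED_FAIL_RE = re.compile(r"Byte?code (?P<id>\d+) failed to run: (?P<reason>.+)")
# Warning that already names the signature.
NAMED_FAIL_RE = re.compile(
    r"Bytecode '(?P<name>[^']+)' \(id: (?P<id>\d+)\) failed to run: (?P<reason>.+)")

# Sample input assembled for this example from lines quoted in the thread.
SAMPLE_DEBUG = (
    "LibClamAV debug: Bytecode 817795.cbc(3) has logical signature: "
    "BC.Exploit.CVE_2010_0815.{Exploit.CVE_2010_0815};"
    "Engine:52-255,Target:0;0;0:d0cf11e0a1b11ae1\n"
)
SAMPLE_LOG = """\
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit
"""


def load_id_map(debug_output):
    """Map bytecode number -> signature name from `clamscan --debug` output.

    In the thread, number 3 resolved to different signatures on two
    installations, so build the map on the host that produced the log.
    """
    id_map = {}
    for line in debug_output.splitlines():
        m = SIG_RE.search(line)
        if m:
            id_map[int(m.group("id"))] = m.group("name")
    return id_map


def tally_failures(log_text, id_map):
    """Count bytecode failures per (signature name, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NAMED_FAIL_RE.search(line)
        if m:
            name = m.group("name")
        else:
            m = NUMBERED_FAIL_RE.search(line)
            if not m:
                continue  # e.g. the "[Bytecode JIT]" lines, which name no signature
            num = int(m.group("id"))
            name = id_map.get(num, "unresolved bytecode %d" % num)
        counts[(name, m.group("reason").strip())] += 1
    return counts


def needs_attention(counts, threshold):
    """Signatures that failed at least `threshold` times, most frequent first."""
    return [(n, r, c) for (n, r), c in counts.most_common() if c >= threshold]


if __name__ == "__main__":
    for row in needs_attention(tally_failures(SAMPLE_LOG, load_id_map(SAMPLE_DEBUG)), 2):
        print(row)
```
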
Re: [clamav-users] Bytecode run timed out
On 6 mrt. 2012, at 11:47, Török Edwin wrote:

> On 03/06/2012 12:46 PM, Ben Stuyts wrote:
>>
>> On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:
>>
>>> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
>>>
>>>> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>>>>> Hi,
>>>>>
>>>>> Since two days, I'm getting lots of these messages while scanning one of
>>>>> the servers here:
>>>>>
>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>>>>>
>>>>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar 5 01:34:31 2012.
>>>>>
>>>>> This brings scanning this server to a crawl, unfortunately, so I had to
>>>>> kill the nightly scans. Does this indicate a problem in the signatures,
>>>>> or is there a problem with the local scanner?
>>>>
>>>> Can you find out which file is causing this? (run clamscan -v to see what
>>>> file it is scanning)
>>>> Then please open a bug and attach the file.
>>>>
>>>> Meanwhile you can try setting the timeout lower, using
>>>> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
>>>
>>> I will do this for the next daily run and get back to you tomorrow.
>>
>> I ran:
>> /usr/local/bin/clamscan -rv --bytecode-timeout=1 /home
>>
>> It didn't produce any errors this time. Maybe a recent update of the
>> signature database fixed this?
>
> There were no updates to bytecode recently. Maybe the file that caused the
> problem is gone already?

I doubt it as I got many of those errors during a single run, so I assume
there were multiple files.

Kind regards,
Ben
Re: [clamav-users] Bytecode run timed out
On 03/06/2012 12:46 PM, Ben Stuyts wrote:
>
> On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:
>
>> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
>>
>>> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>>>> Hi,
>>>>
>>>> Since two days, I'm getting lots of these messages while scanning one of
>>>> the servers here:
>>>>
>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>>>>
>>>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar 5 01:34:31 2012.
>>>>
>>>> This brings scanning this server to a crawl, unfortunately, so I had to
>>>> kill the nightly scans. Does this indicate a problem in the signatures,
>>>> or is there a problem with the local scanner?
>>>
>>> Can you find out which file is causing this? (run clamscan -v to see what
>>> file it is scanning)
>>> Then please open a bug and attach the file.
>>>
>>> Meanwhile you can try setting the timeout lower, using
>>> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
>>
>> I will do this for the next daily run and get back to you tomorrow.
>
> I ran:
> /usr/local/bin/clamscan -rv --bytecode-timeout=1 /home
>
> It didn't produce any errors this time. Maybe a recent update of the
> signature database fixed this?

There were no updates to bytecode recently. Maybe the file that caused the
problem is gone already?

--Edwin
Re: [clamav-users] Bytecode run timed out
On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:

> On 5 mrt. 2012, at 11:07, Török Edwin wrote:
>
>> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>>> Hi,
>>>
>>> Since two days, I'm getting lots of these messages while scanning one of
>>> the servers here:
>>>
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>>>
>>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar 5 01:34:31 2012.
>>>
>>> This brings scanning this server to a crawl, unfortunately, so I had to
>>> kill the nightly scans. Does this indicate a problem in the signatures, or
>>> is there a problem with the local scanner?
>>
>> Can you find out which file is causing this? (run clamscan -v to see what
>> file it is scanning)
>> Then please open a bug and attach the file.
>>
>> Meanwhile you can try setting the timeout lower, using
>> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).
>
> I will do this for the next daily run and get back to you tomorrow.

I ran:
/usr/local/bin/clamscan -rv --bytecode-timeout=1 /home

It didn't produce any errors this time. Maybe a recent update of the
signature database fixed this?

Kind regards,
Ben
Re: [clamav-users] Bytecode run timed out
On 5 mrt. 2012, at 11:07, Török Edwin wrote:

> On 03/05/2012 11:33 AM, Ben Stuyts wrote:
>> Hi,
>>
>> Since two days, I'm getting lots of these messages while scanning one of the
>> servers here:
>>
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>>
>> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar 5 01:34:31 2012.
>>
>> This brings scanning this server to a crawl, unfortunately, so I had to kill
>> the nightly scans. Does this indicate a problem in the signatures, or is
>> there a problem with the local scanner?
>
> Can you find out which file is causing this? (run clamscan -v to see what
> file it is scanning)
> Then please open a bug and attach the file.
>
> Meanwhile you can try setting the timeout lower, using
> --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

I will do this for the next daily run and get back to you tomorrow.

Kind regards,
Ben
Re: [clamav-users] Bytecode run timed out
On 03/05/2012 11:33 AM, Ben Stuyts wrote:
> Hi,
>
> Since two days, I'm getting lots of these messages while scanning one of the
> servers here:
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
>
> This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar 5 01:34:31 2012.
>
> This brings scanning this server to a crawl, unfortunately, so I had to kill
> the nightly scans. Does this indicate a problem in the signatures, or is
> there a problem with the local scanner?

Can you find out which file is causing this? (run clamscan -v to see what
file it is scanning)
Then please open a bug and attach the file.

Meanwhile you can try setting the timeout lower, using
--bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

Best regards,
--Edwin