[clamav-users] Bytecode run timed out

Fri Jul 21 23:51:33 UTC 2017

It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.

It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.

-Al-

On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> 
> Here's the partial output from clamscan w/o the --infected option:
> 
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> 
> These are Maildir format files. The "S=12386" part is in fact the file size.
> It's not apparent from where the Warning message is issues what file is causing
> the warning. The 12,657 byte file couldn't have been it and why would the
> 1,266,193 size file cause the warning and not the more that twice-as-large file
> immediately following? Also there are much larger files in this directory, up to
> 21M, but this is the only warning issued.
> 
> --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at novatec-inc.com>
> Date: Thu, 20 Jul 2017 21:51:38 -0400
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Bytecode run timed out
> 
> OK, I'll turn that off and see what I get.
> 
> --Mark
> 
> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>> 
>> --infected suppresses the printing of clean file names.
>> 
>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>> 
>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
>>> wrote:
>>> My parameters are:
>>> 
>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>> 
>>> 
>>> --Mark
>>> 
>>>> 
>>>> The default is 60000 milliseconds. What clamscan parameters are you
>>> using?
>>>> I am seeing file names by default.
>>>> 
>>>> Steve
>>>> 
>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com>
>>> wrote:
>>>> 
>>>>> It doesn't give any file names, even in the logfiles.  It happens when
>>> I'm
>>>>> running clamscan.
>>>>> 
>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>> files).
>>>>> 
>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>> increase it.
>>>>> 
>>>>> Thanks, --Mark
>>>>> 
>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
>>> smorgan at sourcefire.com>
>>>>> wrote:
>>>>>> 
>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
>>> amount
>>>>>> of processing.
>>>>>> 
>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>> bytecode
>>>>>> signature may require attention.
>>>>>> 
>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>> clamscan
>>>>>> and BytecodeTimeout for clamd.
>>>>>> 
>>>>>> Steve
>>>>>> 
>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com>
>>>>> wrote:
>>>>>> 
>>>>>>> What is this? I just started happening.
>>>>>>> 
>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>>>>> flag set
>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>>>>> error!
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>> 
>>>>>>> Thanks, Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3569 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20170721/c7199a4b/attachment.bin>