[clamav-users] Bytecode run timed out

Mark Foley mfoley at novatec-inc.com
Sat Jul 22 03:36:40 UTC 2017 

I ran clamscan by hand on the files before and after the error, and it's the file
after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
finally 600000 (10 minutes) and it fails for all these values, even though the
file itself is not that big (1.2M). 

This is a pretty recent phenomenon.  Perhaps something introduced in a recent
update.  I received bytecode.cld version 306 in freshclam starting on July 16,
2017; which is exactly when I started seeing this warning.  I did not get the
warning with version 305. 

Is this a bug?

For now, I guess I'll just have to live with it.

Thanks, --Mark

On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarnell at mac.com> wrote:
>
> It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.
>
> It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> > 
> > Here's the partial output from clamscan w/o the --infected option:
> > 
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> > 
> > These are Maildir format files. The "S=12386" part is in fact the file size.
> > It's not apparent from where the Warning message is issues what file is causing
> > the warning. The 12,657 byte file couldn't have been it and why would the
> > 1,266,193 size file cause the warning and not the more that twice-as-large file
> > immediately following? Also there are much larger files in this directory, up to
> > 21M, but this is the only warning issued.
> > 
> > --Mark
> > 
> > -----Original Message-----
> > From: Mark Foley <mfoley at novatec-inc.com>
> > Date: Thu, 20 Jul 2017 21:51:38 -0400
> > To: clamav-users at lists.clamav.net
> > Subject: Re: [clamav-users] Bytecode run timed out
> > 
> > OK, I'll turn that off and see what I get.
> > 
> > --Mark
> > 
> > On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
> >> 
> >> --infected suppresses the printing of clean file names.
> >> 
> >> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
> >> 
> >>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
> >>> wrote:
> >>> My parameters are:
> >>> 
> >>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>> 
> >>> 
> >>> --Mark
> >>> 
> >>>> 
> >>>> The default is 60000 milliseconds. What clamscan parameters are you
> >>> using?
> >>>> I am seeing file names by default.
> >>>> 
> >>>> Steve
> >>>> 
> >>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com>
> >>> wrote:
> >>>> 
> >>>>> It doesn't give any file names, even in the logfiles.  It happens when
> >>> I'm
> >>>>> running clamscan.
> >>>>> 
> >>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>> files).
> >>>>> 
> >>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>> increase it.
> >>>>> 
> >>>>> Thanks, --Mark
> >>>>> 
> >>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> >>> smorgan at sourcefire.com>
> >>>>> wrote:
> >>>>>> 
> >>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >>> amount
> >>>>>> of processing.
> >>>>>> 
> >>>>>> Are you seeing it on a lot of files? If that is the case, the
> >>> bytecode
> >>>>>> signature may require attention.
> >>>>>> 
> >>>>>> You can try increasing the timeout limit. --bytecode-timeout for
> >>> clamscan
> >>>>>> and BytecodeTimeout for clamd.
> >>>>>> 
> >>>>>> Steve
> >>>>>> 
> >>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com>
> >>>>> wrote:
> >>>>>> 
> >>>>>>> What is this? I just started happening.
> >>>>>>> 
> >>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> >>>>> flag set
> >>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> >>>>> error!
> >>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>> 
> >>>>>>> Thanks, Mark

More information about the clamav-users mailing list