[clamav-users] Bytecode run timed out

Al Varnell alvarnell at mac.com
Sat Jul 22 22:56:52 UTC 2017 

That's the correct place to put the file.

I suspect you'll want to try one at a time to nail down which signature is causing the problem.

Checking back I see there was a period rather than a space between the signature name and the brackets, so:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

-Al-


On Jul 22, 2017, at 1:45 PM, Mark Foley <mfoley at novatec-inc.com> wrote:

> That didn't work. I'll try w/o the {}. 
> 
> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> 
> --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at novatec-inc.com>
> Date: Sat, 22 Jul 2017 11:08:28 -0400
> To: clamav-users at lists.clamav.net
> 
> So, like this?
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> 
> --Mark
> 
> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarnell at mac.com> wrote:
>> Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work.
>> 
>> -Al-
>> 
>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>> 
>>> Are bytecodes individually blockable?
>>> 
>>> --Mark
>>> 
>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>> 
>>>> FYI, the following were added by bytecode 306:
>>>> 
>>>>  * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>  * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>  * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>> 
>>>> -Al-
>>>> 
>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>> 
>>>>> I ran clamscan by hand on the files before and after the error, and it's the file
>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
>>>>> finally 600000 (10 minutes) and it fails for all these values, even though the
>>>>> file itself is not that big (1.2M). 
>>>>> 
>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
>>>>> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
>>>>> 2017; which is exactly when I started seeing this warning.  I did not get the
>>>>> warning with version 305. 
>>>>> 
>>>>> Is this a bug?
>>>>> 
>>>>> For now, I guess I'll just have to live with it.
>>>>> 
>>>>> Thanks, --Mark
>>>>> 
>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>> 
>>>>>> It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.
>>>>>> 
>>>>>> It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>> 
>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>> 
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>> 
>>>>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
>>>>>>> It's not apparent from where the Warning message is issues what file is causing
>>>>>>> the warning. The 12,657 byte file couldn't have been it and why would the
>>>>>>> 1,266,193 size file cause the warning and not the more that twice-as-large file
>>>>>>> immediately following? Also there are much larger files in this directory, up to
>>>>>>> 21M, but this is the only warning issued.
>>>>>>> 
>>>>>>> --Mark
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>>>> To: clamav-users at lists.clamav.net
>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>>> 
>>>>>>> OK, I'll turn that off and see what I get.
>>>>>>> 
>>>>>>> --Mark
>>>>>>> 
>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>>>>>>>> 
>>>>>>>> --infected suppresses the printing of clean file names.
>>>>>>>> 
>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>> 
>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
>>>>>>>>> wrote:
>>>>>>>>> My parameters are:
>>>>>>>>> 
>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --Mark
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you
>>>>>>>>> using?
>>>>>>>>>> I am seeing file names by default.
>>>>>>>>>> 
>>>>>>>>>> Steve
>>>>>>>>>> 
>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>>> It doesn't give any file names, even in the logfiles.  It happens when
>>>>>>>>> I'm
>>>>>>>>>>> running clamscan.
>>>>>>>>>>> 
>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>>>>>>>> files).
>>>>>>>>>>> 
>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>>>>>>>> increase it.
>>>>>>>>>>> 
>>>>>>>>>>> Thanks, --Mark
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
>>>>>>>>> smorgan at sourcefire.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
>>>>>>>>> amount
>>>>>>>>>>>> of processing.
>>>>>>>>>>>> 
>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>>>>>>>> bytecode
>>>>>>>>>>>> signature may require attention.
>>>>>>>>>>>> 
>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>>>>>>>> clamscan
>>>>>>>>>>>> and BytecodeTimeout for clamd.
>>>>>>>>>>>> 
>>>>>>>>>>>> Steve
>>>>>>>>>>>> 
>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> What is this? I just started happening.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>>>>>>>>>>> flag set
>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>>>>>>>>>>> error!
>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks, Mark

More information about the clamav-users mailing list