[clamav-users] Bytecode run timed out
Fred Wittekind
rom at twister.dyndns.org
Thu Jul 27 14:31:34 UTC 2017
I have been noticing the same issue. I found at least one file that was
causing the error, and was able to test with a single file, instead of
having to virus scan an entire directory tree to test.

LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached

This worked for me:

# cat /var/lib/clamav/local.ign2
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}

The problem file was the one listed under the JIT error messages, in my
case, it was a pdf file that caused it.

- Fred
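
Added example, not part of the original post or of ClamAV: a small Python helper that applies the two observations from this thread, namely that the file listed right after the warning block is the one that triggered it, and that local.ign2 entries for bytecode signatures need the `.{}` suffix. The sample paths and function names are constructed for illustration.

```python
import re

# Constructed sample of merged clamscan output (stdout + stderr via 2>&1).
# The warning text is as quoted in the thread; the file paths are made up.
SAMPLE = """\
/srv/mail/cur/msg-0001: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
/srv/mail/cur/msg-0002.pdf: OK
/srv/mail/cur/msg-0003: OK
"""

# "Bytcode" is the spelling printed in the messages quoted in this thread.
FAILED = re.compile(r"^LibClamAV Warning: Bytcode (\d+) failed to run: Time limit reached")
# Greedy path match so Maildir names containing ':' (e.g. ':2,S') still parse.
RESULT = re.compile(r"^(?P<path>.+): (?P<verdict>OK|.+ FOUND)$")


def files_after_timeouts(output):
    """Return [(bytecode_number, path)] for each timeout, taking the first
    result line printed after the warning as the file that triggered it
    (assumption based on what the posters observed)."""
    hits, pending = [], []
    for line in output.splitlines():
        failed = FAILED.match(line)
        if failed:
            pending.append(int(failed.group(1)))
            continue
        if line.startswith("LibClamAV"):
            continue  # other library warnings are not scan results
        result = RESULT.match(line)
        if result and pending:
            hits.extend((number, result.group("path")) for number in pending)
            pending = []
    return hits


def ign2_lines(signature_names):
    """Format signature names for local.ign2 with the '.{}' suffix."""
    return [f"{name}.{{}}" for name in signature_names]


if __name__ == "__main__":
    for number, path in files_after_timeouts(SAMPLE):
        print(f"bytecode {number} timed out; rescan this file alone: {path}")
    print("\n".join(ign2_lines(["BC.Pdf.Exploit.CVE_2017_2818-6331913-0"])))
```

The scan has to be run without --infected, since that option suppresses the clean file names this attribution relies on.
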
On 7/22/2017 6:56 PM, Al Varnell wrote:
> That's the correct place to put the file.
>
> I suspect you'll want to try one at a time to nail down which signature is causing the problem.
>
> Checking back I see there was a period rather than a space between the signature name and the brackets, so:
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>
> -Al-
>
>
> On Jul 22, 2017, at 1:45 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>
>> That didn't work. I'll try w/o the {}.
>>
>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>
>> --Mark
>>
>> -----Original Message-----
>> From: Mark Foley <mfoley at novatec-inc.com>
>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>> To: clamav-users at lists.clamav.net
>>
>> So, like this?
>>
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>
>> --Mark
>>
>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>> Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work.
>>>
>>> -Al-
>>>
>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>> Are bytecodes individually blockable?
>>>>
>>>> --Mark
>>>>
>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>> FYI, the following were added by bytecode 306:
>>>>>
>>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>>> I ran clamscan by hand on the files before and after the error, and it's the file
>>>>>> after the error. I've bumped the --bytecode-timeout to 120000, 180000 and
>>>>>> finally 600000 (10 minutes) and it fails for all these values, even though the
>>>>>> file itself is not that big (1.2M).
>>>>>>
>>>>>> This is a pretty recent phenomenon. Perhaps something introduced in a recent
>>>>>> update. I received bytecode.cld version 306 in freshclam starting on July 16,
>>>>>> 2017; which is exactly when I started seeing this warning. I did not get the
>>>>>> warning with version 305.
>>>>>>
>>>>>> Is this a bug?
>>>>>>
>>>>>> For now, I guess I'll just have to live with it.
>>>>>>
>>>>>> Thanks, --Mark
>>>>>>
>>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>>> It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.
>>>>>>>
>>>>>>> It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.
>>>>>>>
>>>>>>> -Al-
>>>>>>>
>>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>>>
>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>>>
>>>>>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
>>>>>>>> It's not apparent from where the Warning message is issued what file is causing
>>>>>>>> the warning. The 12,657 byte file couldn't have been it and why would the
>>>>>>>> 1,266,193 size file cause the warning and not the more than twice-as-large file
>>>>>>>> immediately following? Also there are much larger files in this directory, up to
>>>>>>>> 21M, but this is the only warning issued.
>>>>>>>>
>>>>>>>> --Mark
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>>>>> To: clamav-users at lists.clamav.net
>>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>>>>
>>>>>>>> OK, I'll turn that off and see what I get.
>>>>>>>>
>>>>>>>> --Mark
>>>>>>>>
>>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>>>>>>>>> --infected suppresses the printing of clean file names.
>>>>>>>>>
>>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
>>>>>>>>>> wrote:
>>>>>>>>>> My parameters are:
>>>>>>>>>>
>>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --Mark
>>>>>>>>>>
>>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you
>>>>>>>>>> using?
>>>>>>>>>>> I am seeing file names by default.
>>>>>>>>>>>
>>>>>>>>>>> Steve
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>> wrote:
>>>>>>>>>>>> It doesn't give any file names, even in the logfiles. It happens when
>>>>>>>>>> I'm
>>>>>>>>>>>> running clamscan.
>>>>>>>>>>>>
>>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>>>>>>>>> files).
>>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>>>>>>>>> increase it.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks, --Mark
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
>>>>>>>>>> smorgan at sourcefire.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
>>>>>>>>>> amount
>>>>>>>>>>>>> of processing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>>>>>>>>> bytecode
>>>>>>>>>>>>> signature may require attention.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>>>>>>>>> clamscan
>>>>>>>>>>>>> and BytecodeTimeout for clamd.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> What is this? It just started happening.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>>>>>>>>>>>> flag set
>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>>>>>>>>>>>> error!
>>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks, Mark