[clamav-users] Bytecode run timed out

Al Varnell alvarnell at mac.com
Fri Jul 28 08:38:35 UTC 2017 

On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
> 
> It looks like this one that gives the "Bytecode run timed out" warning. I'm
> trying the other two as well.
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> 
> Plus, there's a new bytecode exploit that seems to be giving me a lot of
> positives: 
> 
> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
> 
> I've put that (with the trailing '.{}') in the .ign2 file as well.
> 
> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
> I've found no documentation on this and, if not, I might be getting false
> results.

That has not worked for me in the past.  If there is a way to comment out signature lines, I've not discovered it.

-Al-

> --Mark
> 
> -----Original Message-----
> From: Mark Foley <mfoley at novatec-inc.com>
> Date: Thu, 27 Jul 2017 14:56:44 -0400
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Bytecode run timed out
> 
> Yes, I was able to find the file as well.  I've used the syntax in the
> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
> 
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> 
> and that worked to block the warning. Now I will test each one in turn to see
> which bytecode is causing the message.
> 
> --Mark
> 
> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <rom at twister.dyndns.org> wrote;
>> 
>> I have been noticing the same issue.  I found at least one file that was 
>> causing the error, and was able to test with a single file, instead of 
>> having to virus scan an entire directory tree to test.
>> 
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>> 
>> This worked for me:
>> 
>> # cat /var/lib/clamav/local.ign2
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>> 
>> The problem file was the one listed under the JIT error messages, in my 
>> case, it was a pdf file that caused it.
>> 
>> - Fred
>> 
>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>> That's the correct place to put the file.
>>> 
>>> I suspect you'll want to try one at a time to nail down which signature is causing the problem.
>>> 
>>> Checking back I see there was a period rather than a space between the signature name and the brackets, so:
>>> 
>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>> 
>>> -Al-
>>> 
>>> 
>>> On Jul 22, 2017, at 1:45 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>> 
>>>> That didn't work. I'll try w/o the {}.
>>>> 
>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>> 
>>>> --Mark
>>>> 
>>>> -----Original Message-----
>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>> To: clamav-users at lists.clamav.net
>>>> 
>>>> So, like this?
>>>> 
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>> 
>>>> --Mark
>>>> 
>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>> Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work.
>>>>> 
>>>>> -Al-
>>>>> 
>>>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>>>> Are bytecodes individually blockable?
>>>>>> 
>>>>>> --Mark
>>>>>> 
>>>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>>> FYI, the following were added by bytecode 306:
>>>>>>> 
>>>>>>>  * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>>>>  * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>>>>  * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>>> 
>>>>>>> -Al-
>>>>>>> 
>>>>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>>>>> I ran clamscan by hand on the files before and after the error, and it's the file
>>>>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
>>>>>>>> finally 600000 (10 minutes) and it fails for all these values, even though the
>>>>>>>> file itself is not that big (1.2M).
>>>>>>>> 
>>>>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
>>>>>>>> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
>>>>>>>> 2017; which is exactly when I started seeing this warning.  I did not get the
>>>>>>>> warning with version 305.
>>>>>>>> 
>>>>>>>> Is this a bug?
>>>>>>>> 
>>>>>>>> For now, I guess I'll just have to live with it.
>>>>>>>> 
>>>>>>>> Thanks, --Mark
>>>>>>>> 
>>>>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>>>>> It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.
>>>>>>>>> 
>>>>>>>>> It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.
>>>>>>>>> 
>>>>>>>>> -Al-
>>>>>>>>> 
>>>>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>>>>> 
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>>>>> 
>>>>>>>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
>>>>>>>>>> It's not apparent from where the Warning message is issues what file is causing
>>>>>>>>>> the warning. The 12,657 byte file couldn't have been it and why would the
>>>>>>>>>> 1,266,193 size file cause the warning and not the more that twice-as-large file
>>>>>>>>>> immediately following? Also there are much larger files in this directory, up to
>>>>>>>>>> 21M, but this is the only warning issued.
>>>>>>>>>> 
>>>>>>>>>> --Mark
>>>>>>>>>> 
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>>>>>>> To: clamav-users at lists.clamav.net
>>>>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>>>>>> 
>>>>>>>>>> OK, I'll turn that off and see what I get.
>>>>>>>>>> 
>>>>>>>>>> --Mark
>>>>>>>>>> 
>>>>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>>>>>>>>>>> --infected suppresses the printing of clean file names.
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> My parameters are:
>>>>>>>>>>>> 
>>>>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --Mark
>>>>>>>>>>>> 
>>>>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you
>>>>>>>>>>>> using?
>>>>>>>>>>>>> I am seeing file names by default.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> It doesn't give any file names, even in the logfiles.  It happens when
>>>>>>>>>>>> I'm
>>>>>>>>>>>>>> running clamscan.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>>>>>>>>>>> files).
>>>>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>>>>>>>>>>> increase it.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks, --Mark
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
>>>>>>>>>>>> smorgan at sourcefire.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
>>>>>>>>>>>> amount
>>>>>>>>>>>>>>> of processing.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>>>>>>>>>>> bytecode
>>>>>>>>>>>>>>> signature may require attention.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>>>>>>>>>>> clamscan
>>>>>>>>>>>>>>> and BytecodeTimeout for clamd.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>> What is this? I just started happening.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>>>>>>>>>>>>>> flag set
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>>>>>>>>>>>>>> error!
>>>>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Thanks, Mark
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>> 
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
>>> 
>> 
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
>> 
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

-Al-
-- 
Al Varnell
Mountain View, CA




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3569 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20170728/befea24f/attachment.bin>

More information about the clamav-users mailing list