[clamav-users] Bytecode run timed out

Al Varnell alvarnell at mac.com
Mon Jul 31 21:59:48 UTC 2017


Note that the bytecode 308 update just dropped the following:

> Dropped Detection Signatures:
> 
>    * BC.Win.Packer.LizardNest-5588995-3
> 
>    * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> 
>    * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> 
>    * BC.Pdf.Exploit.CVE_2017_3032-6316401-6

-Al-

On Fri, Jul 28, 2017 at 01:38 AM, Al Varnell wrote:
> 
> On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
>> 
>> It looks like this one that gives the "Bytecode run timed out" warning. I'm
>> trying the other two as well.
>> 
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>> 
>> Plus, there's a new bytecode exploit that seems to be giving me a lot of
>> positives: 
>> 
>> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
>> 
>> I've put that (with the trailing '.{}') in the .ign2 file as well.
>> 
>> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
>> I've found no documentation on this and, if not, I might be getting false
>> results.
> 
> That has not worked for me in the past.  If there is a way to comment out signature lines, I've not discovered it.
> 
> -Al-
> 
>> --Mark
>> 
>> -----Original Message-----
>> From: Mark Foley <mfoley at novatec-inc.com>
>> Date: Thu, 27 Jul 2017 14:56:44 -0400
>> To: clamav-users at lists.clamav.net
>> Subject: Re: [clamav-users] Bytecode run timed out
>> 
>> Yes, I was able to find the file as well.  I've used the syntax in the
>> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
>> 
>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>> 
>> and that worked to block the warning. Now I will test each one in turn to see
>> which bytecode is causing the message.
>> 
>> --Mark
>> 
>> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <rom at twister.dyndns.org> wrote:
>>> 
>>> I have been noticing the same issue.  I found at least one file that was 
>>> causing the error, and was able to test with a single file, instead of 
>>> having to virus scan an entire directory tree to test.
>>> 
>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>>> 
>>> This worked for me:
>>> 
>>> # cat /var/lib/clamav/local.ign2
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> 
>>> The problem file was the one listed under the JIT error messages, in my 
>>> case, it was a pdf file that caused it.
>>> 
>>> - Fred
>>> 
>>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>>> That's the correct place to put the file.
>>>> 
>>>> I suspect you'll want to try one at a time to nail down which signature is causing the problem.
>>>> 
>>>> Checking back I see there was a period rather than a space between the signature name and the brackets, so:
>>>> 
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>>> 
>>>> -Al-
>>>> 
>>>> 
>>>> On Jul 22, 2017, at 1:45 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>> 
>>>>> That didn't work. I'll try w/o the {}.
>>>>> 
>>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>>> To: clamav-users at lists.clamav.net
>>>>> 
>>>>> So, like this?
>>>>> 
>>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>>> 
>>>>> --Mark
>>>>> 
>>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>> Yes, they can be added to a local .ign2 file, but the last time it was discussed here, the entry needed to be followed by {} for some unknown reason, to make it work.
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>>>>> Are bytecodes individually blockable?
>>>>>>> 
>>>>>>> --Mark
>>>>>>> 
>>>>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>>>> FYI, the following were added by bytecode 306:
>>>>>>>> 
>>>>>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>>>> 
>>>>>>>> -Al-
>>>>>>>> 
>>>>>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>>>>>> I ran clamscan by hand on the files before and after the error, and it's the file
>>>>>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
>>>>>>>>> finally 600000 (10 minutes) and it fails for all these values, even though the
>>>>>>>>> file itself is not that big (1.2M).
>>>>>>>>> 
>>>>>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a recent
>>>>>>>>> update.  I received bytecode.cld version 306 in freshclam starting on July 16,
>>>>>>>>> 2017; which is exactly when I started seeing this warning.  I did not get the
>>>>>>>>> warning with version 305.
>>>>>>>>> 
>>>>>>>>> Is this a bug?
>>>>>>>>> 
>>>>>>>>> For now, I guess I'll just have to live with it.
>>>>>>>>> 
>>>>>>>>> Thanks, --Mark
>>>>>>>>> 
>>>>>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarnell at mac.com> wrote:
>>>>>>>>>> It's almost certainly a file that follows S=12386 since that one is being reported as "OK". The file that failed might not even be listed, having failed the scan, although I suppose it's possible for it to be the next one shown.
>>>>>>>>>> 
>>>>>>>>>> It's my understanding that not all files receive a bytecode signature scan, making it even more difficult to determine the problem file.
>>>>>>>>>> 
>>>>>>>>>> -Al-
>>>>>>>>>> 
>>>>>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>>>>>> 
>>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>>>>>> 
>>>>>>>>>>> These are Maildir format files. The "S=12386" part is in fact the file size.
>>>>>>>>>>> It's not apparent from where the Warning message is issued what file is causing
>>>>>>>>>>> the warning. The 12,657 byte file couldn't have been it, and why would the
>>>>>>>>>>> 1,266,193 size file cause the warning and not the more than twice-as-large file
>>>>>>>>>>> immediately following? Also there are much larger files in this directory, up to
>>>>>>>>>>> 21M, but this is the only warning issued.
>>>>>>>>>>> 
>>>>>>>>>>> --Mark
>>>>>>>>>>> 
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Mark Foley <mfoley at novatec-inc.com>
>>>>>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>>>>>>>> To: clamav-users at lists.clamav.net
>>>>>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>>>>>>> 
>>>>>>>>>>> OK, I'll turn that off and see what I get.
>>>>>>>>>>> 
>>>>>>>>>>> --Mark
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>>>>>>>>>>>> --infected suppresses the printing of clean file names.
>>>>>>>>>>>> 
>>>>>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smorgan at sourcefire.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> My parameters are:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>>>>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> --Mark
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you using?
>>>>>>>>>>>>>> I am seeing file names by default.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>>>>>>>>> It doesn't give any file names, even in the logfiles.  It happens when I'm running clamscan.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
>>>>>>>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>>>>>>>>>>>> increase it.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Thanks, --Mark
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smorgan at sourcefire.com> wrote:
>>>>>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the amount of processing.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the bytecode signature may require attention.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for clamscan and BytecodeTimeout for clamd.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfoley at novatec-inc.com> wrote:
>>>>>>>>>>>>>>>>> What is this? It just started happening.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Thanks, Mark
>>>> _______________________________________________
>>>> clamav-users mailing list
>>>> clamav-users at lists.clamav.net
>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>> 
>>>> 
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/vrtadmin/clamav-faq
>>>> 
>>>> http://www.clamav.net/contact.html#ml
>>>> 
>>> 
> 
> -Al-

-- 
Al Varnell
Mountain View, CA
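The thread's triage step (run clamscan without --infected, then attribute the "Bytcode N failed to run" warning to the file printed after it, as Al suggested and Mark confirmed) can be scripted over the scan output. This is an added example, not code from the thread or from ClamAV; the log lines are constructed to match the format shown above, with made-up paths.

```python
import re

# Constructed sample of clamscan output (no --infected, so clean files are
# listed). The warning block appears before the result line of the file
# that was actually being scanned when the bytecode timer fired.
SAMPLE_OUTPUT = """\
/srv/mail/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/srv/mail/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/srv/mail/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
"""

# A clamscan result line ends in ": OK", ": <sig> FOUND" or ": <msg> ERROR".
# Maildir names contain ':' but never ': ', so a non-greedy path match is safe.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<status>OK|.*FOUND|.*ERROR)$")
# "Bytcode" is spelled that way in the real libclamav message.
FAILED_RE = re.compile(r"^LibClamAV Warning: Bytcode (?P<id>\d+) failed to run: (?P<why>.+)$")


def attribute_timeouts(output):
    """Return [(bytecode_id, reason, path)] pairing every 'failed to run'
    warning with the next result line, i.e. the file under scan at the time.
    A warning with no following result line (scan aborted) gets path None."""
    pending, hits = [], []
    for line in output.splitlines():
        m = FAILED_RE.match(line)
        if m:
            pending.append((int(m.group("id")), m.group("why")))
            continue
        if line.startswith("LibClamAV Warning:"):
            continue  # JIT chatter that precedes the 'failed to run' line
        m = RESULT_RE.match(line)
        if m and pending:
            hits.extend((bc_id, why, m.group("path")) for bc_id, why in pending)
            pending = []
    hits.extend((bc_id, why, None) for bc_id, why in pending)
    return hits


if __name__ == "__main__":
    for bc_id, why, path in attribute_timeouts(SAMPLE_OUTPUT):
        print(f"bytecode {bc_id} ({why}) -> candidate file: {path}")
```

Feed it the captured output of the clamscan invocation from the thread with --infected removed; each candidate file can then be rescanned alone while the bytecode signatures are disabled one at a time via local.ign2 to find the responsible one.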