Yes, they can be added to a local .ign2 file, but the last time it was
discussed here, the entry needed to be followed by {} for some unknown reason,
to make it work.

-Al-

On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>
> Are bytecodes individually blockable?
>
> --Mark
>
> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <[email protected]> wrote:
>>
>> FYI, the following were added by bytecode 306:
>>
>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>
>> -Al-
>>
>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>
>>> I ran clamscan by hand on the files before and after the error, and it's
>>> the file after the error. I've bumped the --bytecode-timeout to 120000,
>>> 180000 and finally 600000 (10 minutes) and it fails for all these values,
>>> even though the file itself is not that big (1.2M).
>>>
>>> This is a pretty recent phenomenon. Perhaps something introduced in a
>>> recent update. I received bytecode.cld version 306 in freshclam starting
>>> on July 16, 2017; which is exactly when I started seeing this warning. I
>>> did not get the warning with version 305.
>>>
>>> Is this a bug?
>>>
>>> For now, I guess I'll just have to live with it.
>>>
>>> Thanks, --Mark
>>>
>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <[email protected]> wrote:
>>>>
>>>> It's almost certainly a file that follows S=12386 since that one is being
>>>> reported as "OK". The file that failed might not even be listed, having
>>>> failed the scan, although I suppose it's possible for it to be the next
>>>> one shown.
>>>>
>>>> It's my understanding that not all files receive a bytecode signature
>>>> scan, making it even more difficult to determine the problem file.
>>>>
>>>> -Al-
>>>>
>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>
>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>
>>>>> These are Maildir format files. The "S=12386" part is in fact the file
>>>>> size. It's not apparent from where the Warning message is issued what
>>>>> file is causing the warning. The 12,657 byte file couldn't have been it
>>>>> and why would the 1,266,193 size file cause the warning and not the more
>>>>> than twice-as-large file immediately following? Also there are much
>>>>> larger files in this directory, up to 21M, but this is the only warning
>>>>> issued.
>>>>>
>>>>> --Mark
>>>>>
>>>>> -----Original Message-----
>>>>> From: Mark Foley <[email protected]>
>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>> To: [email protected]
>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>
>>>>> OK, I'll turn that off and see what I get.
>>>>>
>>>>> --Mark
>>>>>
>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <[email protected]> wrote:
>>>>>>
>>>>>> --infected suppresses the printing of clean file names.
>>>>>>
>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <[email protected]> wrote:
>>>>>>
>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <[email protected]> wrote:
>>>>>>> My parameters are:
>>>>>>>
>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>     --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>
>>>>>>>
>>>>>>> --Mark
>>>>>>>
>>>>>>>>
>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are you using?
>>>>>>>> I am seeing file names by default.
>>>>>>>>
>>>>>>>> Steve
>>>>>>>>
>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> It doesn't give any file names, even in the logfiles. It happens when I'm
>>>>>>>>> running clamscan.
>>>>>>>>>
>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
>>>>>>>>>
>>>>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
>>>>>>>>> increase it.
>>>>>>>>>
>>>>>>>>> Thanks, --Mark
>>>>>>>>>
>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
>>>>>>>>>> of processing.
>>>>>>>>>>
>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the bytecode
>>>>>>>>>> signature may require attention.
>>>>>>>>>>
>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for clamscan
>>>>>>>>>> and BytecodeTimeout for clamd.
>>>>>>>>>>
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> What is this? It just started happening.
>>>>>>>>>>>
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>
>>>>>>>>>>> Thanks, Mark
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

-Al-
--
Al Varnell
Mountain View, CA
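The attribution worked out in the thread (the bytecode warnings come just before the result line of the file that triggered them, and file names only appear when --infected is off), as an added example that is not part of the original messages: a parser for clamscan output captured with 2>&1. The sample input is constructed from the lines quoted above with the directory shortened to a hypothetical /mail/cur/, and the code assumes the merged stream keeps warnings and result lines in the order they were written.

```python
import re

# Constructed sample: the merged stdout/stderr lines quoted in the thread,
# with the Maildir directory shortened to a hypothetical /mail/cur/.
SAMPLE = """\
/mail/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/mail/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/mail/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
"""

WARNING = re.compile(r"^LibClamAV (?:Warning|Error): (.*)$")
# Result lines end in ": OK", ": <signature> FOUND" or ": <reason> ERROR".
RESULT = re.compile(r"^(?P<path>.+): (?P<verdict>OK|.+ FOUND|.+ ERROR)$")
# "Bytcode" is the spelling in the quoted output; accept "Bytecode" as well.
FAILED = re.compile(r"Byte?code (\d+) failed to run: (.*)")
MAILDIR_SIZE = re.compile(r",S=(\d+)")  # Maildir S= field is the file size


def _finding(suspect, verdict, previous, warnings):
    ids = {int(m.group(1)) for m in map(FAILED.search, warnings) if m}
    size = MAILDIR_SIZE.search(suspect or "")
    return {"suspect": suspect, "verdict": verdict, "after": previous,
            "size": int(size.group(1)) if size else None,
            "bytecodes": sorted(ids), "warnings": warnings}


def attribute_warnings(lines):
    """Pair each run of libclamav warnings with the result line after it."""
    findings, pending, previous = [], [], None
    for line in lines:
        line = line.rstrip("\r\n")
        warning = WARNING.match(line)
        if warning:
            pending.append(warning.group(1))
        else:
            result = RESULT.match(line)
            if result:
                if pending:
                    findings.append(_finding(result["path"], result["verdict"],
                                             previous, pending))
                    pending = []
                previous = result["path"]
    if pending:  # scan output ended before the affected file's result line
        findings.append(_finding(None, None, previous, pending))
    return findings
```

On the sample, `attribute_warnings(SAMPLE.splitlines())` returns one finding naming the S=1266193 message and bytecode 5, which is the file to re-scan by hand as Mark did.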
