I have been noticing the same issue. I found at least one file that was
causing the error, and was able to test with a single file, instead of
having to virus scan an entire directory tree to test.
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
This worked for me:
# cat /var/lib/clamav/local.ign2
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
The problem file was the one listed under the JIT error messages, in my
case, it was a pdf file that caused it.
- Fred
On 7/22/2017 6:56 PM, Al Varnell wrote:
That's the correct place to put the file.
I suspect you'll want to try one at a time to nail down which signature is
causing the problem.
Checking back I see there was a period rather than a space between the
signature name and the brackets, so:
BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
-Al-
On Jul 22, 2017, at 1:45 PM, Mark Foley <[email protected]> wrote:
That didn't work. I'll try w/o the {}.
Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
--Mark
-----Original Message-----
From: Mark Foley <[email protected]>
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: [email protected]
So, like this?
BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
--Mark
On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <[email protected]> wrote:
Yes, they can be added to a local .ign2 file, but the last time it was
discussed here, the entry needed to be followed by {} for some unknown reason,
to make it work.
-Al-
On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
Are bytecodes individually blockable?
--Mark
On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <[email protected]> wrote:
FYI, the following were added by bytecode 306:
* BC.Multios.Exploit.CVE_2017_2816-6329916-0
* BC.Pdf.Exploit.CVE_2017_2818-6331913-0
* BC.Pdf.Exploit.CVE_2017_2862-6331914-0
-Al-
On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
I ran clamscan by hand on the files before and after the error, and it's the
file
after the error. I've bumped the --bytecode-timeout to 120000, 180000 and
finally 600000 (10 minutes) and it fails for all these values, even though the
file itself is not that big (1.2M).
This is a pretty recent phenomenon. Perhaps something introduced in a recent
update. I received bytecode.cld version 306 in freshclam starting on July 16,
2017; which is exactly when I started seeing this warning. I did not get the
warning with version 305.
Is this a bug?
For now, I guess I'll just have to live with it.
Thanks, --Mark
On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <[email protected]> wrote:
It's almost certainly a file that follows S=12386 since that one is being reported as
"OK". The file that failed might not even be listed, having failed the scan,
although I suppose it's possible for it to be the next one shown.
It's my understanding that not all files receive a bytecode signature scan,
making it even more difficult to determine the problem file.
-Al-
On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
Here's the partial output from clamscan w/o the --infected option:
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
OK
These are Maildir format files. The "S=12386" part is in fact the file size.
It's not apparent from where the Warning message is issues what file is causing
the warning. The 12,657 byte file couldn't have been it and why would the
1,266,193 size file cause the warning and not the more that twice-as-large file
immediately following? Also there are much larger files in this directory, up to
21M, but this is the only warning issued.
--Mark
-----Original Message-----
From: Mark Foley <[email protected]>
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: [email protected]
Subject: Re: [clamav-users] Bytecode run timed out
OK, I'll turn that off and see what I get.
--Mark
On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <[email protected]> wrote:
--infected suppresses the printing of clean file names.
On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <[email protected]> wrote:
On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <[email protected]>
wrote:
My parameters are:
clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
--allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
--Mark
The default is 60000 milliseconds. What clamscan parameters are you
using?
I am seeing file names by default.
Steve
On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <[email protected]>
wrote:
It doesn't give any file names, even in the logfiles. It happens when
I'm
running clamscan.
I am running it on lots of files, 124,681 to be exact (IMAP mail
files).
What is the default for --bytecode-timeout? If I get it again I'll
increase it.
Thanks, --Mark
On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
[email protected]>
wrote:
When ClamAV runs bytecode signatures, it uses a timer to limit the
amount
of processing.
Are you seeing it on a lot of files? If that is the case, the
bytecode
signature may require attention.
You can try increasing the timeout limit. --bytecode-timeout for
clamscan
and BytecodeTimeout for clamd.
Steve
On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <[email protected]>
wrote:
What is this? I just started happening.
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
Thanks, Mark
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
