On Fri, Jul 28, 2017 at 01:35 AM, Mark Foley wrote:
>
> It looks like this one that gives the "Bytecode run timed out" warning. I'm
> trying the other two as well.
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>
> Plus, there's a new bytecode exploit that seems to be giving me a lot of
> positives:
>
> BC.Pdf.Exploit.CVE_2017_3032-6316401-6
>
> I've put that (with the trailing '.{}') in the .ign2 file as well.
>
> Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
> I've found no documentation on this and, if not, I might be getting false
> results.

That has not worked for me in the past. If there is a way to comment out signature lines, I've not discovered it.

-Al-

> --Mark
>
> -----Original Message-----
> From: Mark Foley <[email protected]>
> Date: Thu, 27 Jul 2017 14:56:44 -0400
> To: [email protected]
> Subject: Re: [clamav-users] Bytecode run timed out
>
> Yes, I was able to find the file as well. I've used the syntax in the
> /var/lib/clamav/local.ign2 file recommended by Al Varnell:
>
> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>
> and that worked to block the warning. Now I will test each one in turn to see
> which bytecode is causing the message.
>
> --Mark
>
> On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <[email protected]>
> wrote:
>>
>> I have been noticing the same issue. I found at least one file that was
>> causing the error, and was able to test with a single file, instead of
>> having to virus scan an entire directory tree to test.
>>
>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>>
>> This worked for me:
>>
>> # cat /var/lib/clamav/local.ign2
>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>
>> The problem file was the one listed under the JIT error messages, in my
>> case, it was a pdf file that caused it.
>>
>> - Fred
>>
>> On 7/22/2017 6:56 PM, Al Varnell wrote:
>>> That's the correct place to put the file.
>>>
>>> I suspect you'll want to try one at a time to nail down which signature is
>>> causing the problem.
>>>
>>> Checking back I see there was a period rather than a space between the
>>> signature name and the brackets, so:
>>>
>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
>>>
>>> -Al-
>>>
>>>
>>> On Jul 22, 2017, at 1:45 PM, Mark Foley <[email protected]> wrote:
>>>
>>>> That didn't work. I'll try w/o the {}.
>>>>
>>>> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
>>>>
>>>> --Mark
>>>>
>>>> -----Original Message-----
>>>> From: Mark Foley <[email protected]>
>>>> Date: Sat, 22 Jul 2017 11:08:28 -0400
>>>> To: [email protected]
>>>>
>>>> So, like this?
>>>>
>>>> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
>>>> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
>>>>
>>>> --Mark
>>>>
>>>> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <[email protected]> wrote:
>>>>> Yes, they can be added to a local .ign2 file, but the last time it was
>>>>> discussed here, the entry needed to be followed by {} for some unknown
>>>>> reason, to make it work.
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
>>>>>> Are bytecodes individually blockable?
>>>>>>
>>>>>> --Mark
>>>>>>
>>>>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <[email protected]> wrote:
>>>>>>> FYI, the following were added by bytecode 306:
>>>>>>>
>>>>>>> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
>>>>>>> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>>>>>>> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>>>>>>>
>>>>>>> -Al-
>>>>>>>
>>>>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
>>>>>>>> I ran clamscan by hand on the files before and after the error, and
>>>>>>>> it's the file after the error. I've bumped the --bytecode-timeout to
>>>>>>>> 120000, 180000 and finally 600000 (10 minutes) and it fails for all
>>>>>>>> these values, even though the file itself is not that big (1.2M).
>>>>>>>>
>>>>>>>> This is a pretty recent phenomenon. Perhaps something introduced in a
>>>>>>>> recent update. I received bytecode.cld version 306 in freshclam
>>>>>>>> starting on July 16, 2017; which is exactly when I started seeing
>>>>>>>> this warning. I did not get the warning with version 305.
>>>>>>>>
>>>>>>>> Is this a bug?
>>>>>>>>
>>>>>>>> For now, I guess I'll just have to live with it.
>>>>>>>>
>>>>>>>> Thanks, --Mark
>>>>>>>>
>>>>>>>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <[email protected]>
>>>>>>>> wrote:
>>>>>>>>> It's almost certainly a file that follows S=12386 since that one is
>>>>>>>>> being reported as "OK". The file that failed might not even be
>>>>>>>>> listed, having failed the scan, although I suppose it's possible for
>>>>>>>>> it to be the next one shown.
>>>>>>>>>
>>>>>>>>> It's my understanding that not all files receive a bytecode signature
>>>>>>>>> scan, making it even more difficult to determine the problem file.
>>>>>>>>>
>>>>>>>>> -Al-
>>>>>>>>>
>>>>>>>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
>>>>>>>>>> Here's the partial output from clamscan w/o the --infected option:
>>>>>>>>>>
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
>>>>>>>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
>>>>>>>>>>
>>>>>>>>>> These are Maildir format files. The "S=12386" part is in fact the
>>>>>>>>>> file size. It's not apparent from where the Warning message is
>>>>>>>>>> issued what file is causing the warning. The 12,657 byte file
>>>>>>>>>> couldn't have been it and why would the 1,266,193 size file cause
>>>>>>>>>> the warning and not the more than twice-as-large file immediately
>>>>>>>>>> following? Also there are much larger files in this directory, up
>>>>>>>>>> to 21M, but this is the only warning issued.
>>>>>>>>>>
>>>>>>>>>> --Mark
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Mark Foley <[email protected]>
>>>>>>>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
>>>>>>>>>> To: [email protected]
>>>>>>>>>> Subject: Re: [clamav-users] Bytecode run timed out
>>>>>>>>>>
>>>>>>>>>> OK, I'll turn that off and see what I get.
>>>>>>>>>>
>>>>>>>>>> --Mark
>>>>>>>>>>
>>>>>>>>>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>> --infected suppresses the printing of clean file names.
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley
>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan
>>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>> My parameters are:
>>>>>>>>>>>>
>>>>>>>>>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
>>>>>>>>>>>>   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
>>>>>>>>>>>>
>>>>>>>>>>>> --Mark
>>>>>>>>>>>>
>>>>>>>>>>>>> The default is 60000 milliseconds. What clamscan parameters are
>>>>>>>>>>>>> you using?
>>>>>>>>>>>>> I am seeing file names by default.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley
>>>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>>>> It doesn't give any file names, even in the logfiles. It
>>>>>>>>>>>>>> happens when I'm running clamscan.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
>>>>>>>>>>>>>> files). What is the default for --bytecode-timeout? If I get it
>>>>>>>>>>>>>> again I'll increase it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks, --Mark
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan
>>>>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit
>>>>>>>>>>>>>>> the amount of processing.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Are you seeing it on a lot of files? If that is the case, the
>>>>>>>>>>>>>>> bytecode signature may require attention.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
>>>>>>>>>>>>>>> clamscan and BytecodeTimeout for clamd.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley
>>>>>>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>>>>>>> What is this? It just started happening.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
>>>>>>>>>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
>>>>>>>>>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks, Mark
>>> _______________________________________________
>>> clamav-users mailing list
>>> [email protected]
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>

-Al-

--
Al Varnell
Mountain View, CA
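The triage the thread converges on, as an added POSIX shell example (not code from the thread or from the ClamAV project): find the result line that follows the "failed to run: Time limit reached" warning in clamscan output, which is the file to retest on its own, and add the offending signature to local.ign2 in the `NAME.{}` form the thread reports as working. The sample output, paths and the signature name passed to the test are constructed; the `2>&1` assumption is that warnings and results were merged as in Mark's command line.

```shell
#!/bin/sh
# Constructed sample of clamscan output, modelled on the lines quoted in the
# thread (warnings on stderr merged into stdout with 2>&1). Maildir names
# contain colons and commas, so the result line is split on its trailing
# ": OK" / " FOUND" only.
SAMPLE_OUTPUT='/var/mail/a/cur/1.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/var/mail/a/cur/2.mail,S=1266193,W=1282921:2,S: OK
/var/mail/a/cur/3.mail,S=3456056,W=3506158:2,S: OK'

# Read clamscan output on stdin; print the path from the first result line
# after each time-limit warning (the file the thread found to be the cause).
files_after_bytecode_timeout() {
    awk '
        /^LibClamAV Warning: .*failed to run: Time limit reached/ { pending = 1; next }
        /^LibClamAV Warning:/ { next }
        pending && (/: OK$/ || / FOUND$/) {
            sub(/: OK$/, "")
            sub(/: [^:]* FOUND$/, "")
            print
            pending = 0
        }
    '
}

# Build the local.ign2 line in the form the thread reports as working:
# the signature name followed by ".{}".
ign2_entry() {
    printf '%s.{}\n' "$1"
}

# Append the entry to an .ign2 file unless it is already present.
add_ign2_entry() {
    file=$1
    entry=$(ign2_entry "$2")
    grep -qxF -- "$entry" "$file" 2>/dev/null || printf '%s\n' "$entry" >> "$file"
}

# Usage: report the candidate file, then retest it alone with
# "clamscan <file>" (as done in the thread) before ignoring anything.
printf '%s\n' "$SAMPLE_OUTPUT" | files_after_bytecode_timeout
```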
