Are bytecodes individually blockable?

--Mark

On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <[email protected]> wrote:
>
> FYI, the following were added by bytecode 306:
>
> * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >
> > I ran clamscan by hand on the files before and after the error, and it's
> > the file after the error. I've bumped the --bytecode-timeout to 120000,
> > 180000 and finally 600000 (10 minutes) and it fails for all these values,
> > even though the file itself is not that big (1.2M).
> >
> > This is a pretty recent phenomenon. Perhaps something introduced in a
> > recent update. I received bytecode.cld version 306 in freshclam starting
> > on July 16, 2017; which is exactly when I started seeing this warning. I
> > did not get the warning with version 305.
> >
> > Is this a bug?
> >
> > For now, I guess I'll just have to live with it.
> >
> > Thanks, --Mark
> >
> > On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <[email protected]> wrote:
> >>
> >> It's almost certainly a file that follows S=12386 since that one is being
> >> reported as "OK". The file that failed might not even be listed, having
> >> failed the scan, although I suppose it's possible for it to be the next
> >> one shown.
> >>
> >> It's my understanding that not all files receive a bytecode signature
> >> scan, making it even more difficult to determine the problem file.
> >>
> >> -Al-
> >>
> >> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>
> >>> Here's the partial output from clamscan w/o the --infected option:
> >>>
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
> >>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
> >>>
> >>> These are Maildir format files. The "S=12386" part is in fact the file
> >>> size. It's not apparent from where the Warning message is issued what
> >>> file is causing the warning. The 12,657 byte file couldn't have been it
> >>> and why would the 1,266,193 size file cause the warning and not the more
> >>> than twice-as-large file immediately following? Also there are much
> >>> larger files in this directory, up to 21M, but this is the only warning
> >>> issued.
> >>>
> >>> --Mark
> >>>
> >>> -----Original Message-----
> >>> From: Mark Foley <[email protected]>
> >>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>> To: [email protected]
> >>> Subject: Re: [clamav-users] Bytecode run timed out
> >>>
> >>> OK, I'll turn that off and see what I get.
> >>>
> >>> --Mark
> >>>
> >>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <[email protected]> wrote:
> >>>>
> >>>> --infected suppresses the printing of clean file names.
> >>>>
> >>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <[email protected]> wrote:
> >>>>
> >>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <[email protected]> wrote:
> >>>>> My parameters are:
> >>>>>
> >>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>>
> >>>>>
> >>>>> --Mark
> >>>>>
> >>>>>>
> >>>>>> The default is 60000 milliseconds. What clamscan parameters are you
> >>>>>> using? I am seeing file names by default.
> >>>>>>
> >>>>>> Steve
> >>>>>>
> >>>>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <[email protected]> wrote:
> >>>>>>
> >>>>>>> It doesn't give any file names, even in the logfiles. It happens
> >>>>>>> when I'm running clamscan.
> >>>>>>>
> >>>>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>>>>>> files).
> >>>>>>>
> >>>>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>>>> increase it.
> >>>>>>>
> >>>>>>> Thanks, --Mark
> >>>>>>>
> >>>>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >>>>>>>> amount of processing.
> >>>>>>>>
> >>>>>>>> Are you seeing it on a lot of files? If that is the case, the
> >>>>>>>> bytecode signature may require attention.
> >>>>>>>>
> >>>>>>>> You can try increasing the timeout limit. --bytecode-timeout for
> >>>>>>>> clamscan and BytecodeTimeout for clamd.
> >>>>>>>>
> >>>>>>>> Steve
> >>>>>>>>
> >>>>>>>> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> What is this? It just started happening.
> >>>>>>>>>
> >>>>>>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>>>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>>>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>>>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>>>>>>
> >>>>>>>>> Thanks, Mark

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
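
Added example, not part of the thread and not ClamAV project code: a small parser for merged clamscan output (stdout and stderr combined with 2>&1, as in the command above) that pairs each bytecode timeout warning with the file reported just before and just after it. The sample lines and paths are constructed; stream buffering can shift where warnings land, so the two neighbours are only candidates to rescan individually.

```python
import re

# A result line is "<path>: OK" or "<path>: <signature> FOUND"; Maildir names
# contain colons, so the greedy path match stops at the last ": <status>".
RESULT = re.compile(r"^(?P<path>/.*): (?:OK|.+ FOUND|.+ ERROR)$")
TIMEOUT = "Bytecode run timed out"
# The warning is spelled "Bytcode" in the output quoted in the thread;
# accept "Bytecode" as well in case the spelling differs elsewhere.
FAILED = re.compile(r"LibClamAV Warning: By\w*code (\d+) failed to run")

def timeout_candidates(lines):
    """Return one dict per timeout: bytecode number and neighbouring files."""
    events, last_path, pending = [], None, None
    for raw in lines:
        line = raw.rstrip("\n")
        if TIMEOUT in line:
            pending = {"bytecode": None, "before": last_path, "after": None}
            events.append(pending)
            continue
        failed = FAILED.search(line)
        if failed and pending is not None:
            pending["bytecode"] = int(failed.group(1))
            continue
        if RESULT.match(line):
            last_path = RESULT.match(line).group("path")
            if pending is not None:
                pending["after"] = last_path   # first file listed after the warning
                pending = None
    return events

# Constructed sample modelled on the output quoted in the thread.
SAMPLE = """\
/mail/cur/a.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/mail/cur/b.mail,S=1266193,W=1282921:2,S: OK
/mail/cur/c.mail,S=3456056,W=3506158:2,S: OK
""".splitlines()

if __name__ == "__main__":
    for event in timeout_candidates(SAMPLE):
        print(event)
```

With --infected in the command line, clean files are not printed, so both neighbours come back as None and the scan has to be rerun without that option first.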
