The problem is back, this time with two bytecodes: 2 and 90. ClamAV version is 0.100.1. The last clamscan run without the error was on 2018-07-26 06:00. The preceding freshclam run said:
Thu Jul 26 05:49:13 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr) Thu Jul 26 05:49:13 2018 -> daily.cld is up to date (version: 24783, sigs: 2025533, f-level: 63, builder: neo) Thu Jul 26 05:49:13 2018 -> bytecode.cld is up to date (version: 325, sigs: 90, f-level: 63, builder: neo) The first clamscan run exhibiting the problem was on 2018-07-27 06:00. The freshclam run preceding that said: Fri Jul 27 05:49:24 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr) Fri Jul 27 05:49:24 2018 -> daily.cld is up to date (version: 24786, sigs: 2027088, f-level: 63, builder: neo) Fri Jul 27 05:49:24 2018 -> bytecode.cld is up to date (version: 326, sigs: 93, f-level: 63, builder: neo) So it would seem that bytecode.cld version 326 is the culprit. The error message is again triggered only by a single file: -rw-rw-r-- 1 tschmidt tschmidt 4896567 Jul 11 11:15 .java/deployment/cache/6.0/6/41d72bc6-799a1944 As you can see the file has been there for about four weeks, but the messages started only two weeks ago, so it seems their reappearance was triggered by the signature update, not by the appearance of the file. Manual tests: Scanning the file with clamscan without the --bytecode-timeout option took 25 m 49 s on a Core i5-4460 3.20GHz processor, emitting 144 of the "Time limit reached" messages, alternating between bytecode 2 and 90. (In hindsight, this seems to contradict the default value of one minute for --bytecode-timeout given in the man page.) With --bytecode-timeout=240000 (assumedly quadrupling the default), clamscan has been working on that file for five hours and emitted 60 of the "failed to run" messages so far, with no end in sight. I have little hope that raising the value further will change anything except making the scan run even longer. How would I go about submitting that file to the ClamAV signature team as suggested by Al Varnell? It's neither a Malware Sample nor a False Positive in the sense of the word. Thanks, Tilman Am 09.07.2018 um 16:22 schrieb Micah Snyder (micasnyd): > It's a pretty common error if you lower the--bytecode-timeout value. By > contrast, you can also raise --bytecode-timeout higher than the default > until the errors go away if you want to scan those files, and don't wish > to delete the one triggering the timeout. > > It isn't entirely surprising that a more complex file for which we have > a bytecode signature could also cause the default timeout to be exceeded. > > Cheers, > Micah > > Micah Snyder > ClamAV Development > Talos > Cisco Systems, Inc. > > >> On Jul 9, 2018, at 4:51 AM, Tilman Schmidt <tschm...@cardtech.de >> <mailto:tschm...@cardtech.de>> wrote: >> >> Would have gladly done so, had anyone hinted at that possibility. >> Now it's too late, the file is gone. >> >> Am 09.07.2018 um 10:37 schrieb Al Varnell: >>> Agree that apparently nobody knows, but a lot of us care. >>> >>> I only wish you had submitted that file to the ClamAV signature team as >>> I suspect they would have figured it out by now. >>> >>> -Al- >>> ClamXAV User >>> >>> On Mon, Jul 09, 2018 at 01:27 AM, Tilman Schmidt wrote: >>>> I've been trying in vain to get an answer on that one since 2018-06-20. >>>> For me it's bytecode 73, otherwise the same. >>>> Looks like no-one knows or cares. >>>> >>>> I ended up bisecting the scan and removing the file whose scan triggered >>>> the message. >>>> Luckily it wasn't needed for the operation of the affected system. >>>> An alternative might be to exclude it from the scan. >>>> >>>> Am 09.07.2018 um 06:14 schrieb pee...@email.cz >>>> <mailto:pee...@email.cz> <mailto:pee...@email.cz>: >>>>> On my debian 9, clamav 0.100.0+dfsg-0+deb8u1) I got following error: >>>>> >>>>> clamscan /media/6b300944-6e7c-493e-b9c9-faeebb70a415/nastenka >>>>> /srv/dev-disk-by-label-white/zaloha >>>>> '--exclude=\.(mp4|MP4|mkv|MKV|avi|AVI|wmv|WMV|ts|TS|flv|FLV|mov|MOV|JPG|jpg|mp3|MP3|tc)$' >>>>> -ri -l /var/log/clamav/clamscanDisk.log >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout >>>>> flag set >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime >>>>> error! >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached >>>>> >>>>> in clamd.conf is: >>>>> Bytecode true >>>>> BytecodeSecurity TrustSigned >>>>> BytecodeTimeout 120000 >>>>> >>>>> There is no clamd, I do not need it. I just need once a week check >>>>> discs. >>>>> >>>>> Thank you for help. -- Tilman Schmidt cardtech Card & POS Service GmbH Cologne, Germany _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
