Tilman: What's the MD5 or SHA256 of the file, so I can see if we already have it?
Thanks,
- Alain

On Tue, Aug 7, 2018 at 9:50 AM, Tilman Schmidt <tschm...@cardtech.de> wrote:

> The problem is back, this time with two bytecodes: 2 and 90.
> ClamAV version is 0.100.1.
> The last clamscan run without the error was on 2018-07-26 06:00.
> The preceding freshclam run said:
>
> Thu Jul 26 05:49:13 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Thu Jul 26 05:49:13 2018 -> daily.cld is up to date (version: 24783, sigs: 2025533, f-level: 63, builder: neo)
> Thu Jul 26 05:49:13 2018 -> bytecode.cld is up to date (version: 325, sigs: 90, f-level: 63, builder: neo)
>
> The first clamscan run exhibiting the problem was on 2018-07-27 06:00.
> The freshclam run preceding that said:
>
> Fri Jul 27 05:49:24 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Fri Jul 27 05:49:24 2018 -> daily.cld is up to date (version: 24786, sigs: 2027088, f-level: 63, builder: neo)
> Fri Jul 27 05:49:24 2018 -> bytecode.cld is up to date (version: 326, sigs: 93, f-level: 63, builder: neo)
>
> So it would seem that bytecode.cld version 326 is the culprit.
>
> The error message is again triggered only by a single file:
>
> -rw-rw-r-- 1 tschmidt tschmidt 4896567 Jul 11 11:15 .java/deployment/cache/6.0/6/41d72bc6-799a1944
>
> As you can see the file has been there for about four weeks, but the
> messages started only two weeks ago, so it seems their reappearance was
> triggered by the signature update, not by the appearance of the file.
>
> Manual tests:
>
> Scanning the file with clamscan without the --bytecode-timeout option
> took 25 m 49 s on a Core i5-4460 3.20GHz processor, emitting 144 of the
> "Time limit reached" messages, alternating between bytecode 2 and 90.
> (In hindsight, this seems to contradict the default value of one minute
> for --bytecode-timeout given in the man page.)
>
> With --bytecode-timeout=240000 (assumedly quadrupling the default),
> clamscan has been working on that file for five hours and emitted 60 of
> the "failed to run" messages so far, with no end in sight.
> I have little hope that raising the value further will change anything
> except making the scan run even longer.
>
> How would I go about submitting that file to the ClamAV signature team
> as suggested by Al Varnell? It's neither a Malware Sample nor a False
> Positive in the sense of the word.
>
> Thanks,
> Tilman
>
> On 09.07.2018 at 16:22, Micah Snyder (micasnyd) wrote:
> > It's a pretty common error if you lower the --bytecode-timeout value. By
> > contrast, you can also raise --bytecode-timeout higher than the default
> > until the errors go away if you want to scan those files, and don't wish
> > to delete the one triggering the timeout.
> >
> > It isn't entirely surprising that a more complex file for which we have
> > a bytecode signature could also cause the default timeout to be exceeded.
> >
> > Cheers,
> > Micah
> >
> > Micah Snyder
> > ClamAV Development
> > Talos
> > Cisco Systems, Inc.
> >
> >
> >> On Jul 9, 2018, at 4:51 AM, Tilman Schmidt <tschm...@cardtech.de> wrote:
> >>
> >> Would have gladly done so, had anyone hinted at that possibility.
> >> Now it's too late, the file is gone.
> >>
> >> On 09.07.2018 at 10:37, Al Varnell wrote:
> >>> Agree that apparently nobody knows, but a lot of us care.
> >>>
> >>> I only wish you had submitted that file to the ClamAV signature team as
> >>> I suspect they would have figured it out by now.
> >>>
> >>> -Al-
> >>> ClamXAV User
> >>>
> >>> On Mon, Jul 09, 2018 at 01:27 AM, Tilman Schmidt wrote:
> >>>> I've been trying in vain to get an answer on that one since 2018-06-20.
> >>>> For me it's bytecode 73, otherwise the same.
> >>>> Looks like no-one knows or cares.
> >>>>
> >>>> I ended up bisecting the scan and removing the file whose scan triggered
> >>>> the message.
> >>>> Luckily it wasn't needed for the operation of the affected system.
> >>>> An alternative might be to exclude it from the scan.
> >>>>
> >>>> On 09.07.2018 at 06:14, pee...@email.cz wrote:
> >>>>> On my Debian 9 (clamav 0.100.0+dfsg-0+deb8u1) I got the following error:
> >>>>>
> >>>>> clamscan /media/6b300944-6e7c-493e-b9c9-faeebb70a415/nastenka \
> >>>>>   /srv/dev-disk-by-label-white/zaloha \
> >>>>>   '--exclude=\.(mp4|MP4|mkv|MKV|avi|AVI|wmv|WMV|ts|TS|flv|FLV|mov|MOV|JPG|jpg|mp3|MP3|tc)$' \
> >>>>>   -ri -l /var/log/clamav/clamscanDisk.log
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytecode 86 failed to run: Time limit reached
> >>>>>
> >>>>> In clamd.conf there is:
> >>>>> Bytecode true
> >>>>> BytecodeSecurity TrustSigned
> >>>>> BytecodeTimeout 120000
> >>>>>
> >>>>> There is no clamd, I do not need it. I just need to check the disks
> >>>>> once a week.
> >>>>>
> >>>>> Thank you for your help.
> >
> --
> Tilman Schmidt
> cardtech Card & POS Service GmbH
> Cologne, Germany
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
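The log comparison done by hand in the quoted message (which signature database changed between the last clean scan and the first failing one, and which bytecodes hit the time limit) can be scripted. This is an added example, not part of the original thread: the freshclam lines are copied from the message above, the clamscan warnings are constructed in the format shown in the thread, and the function names are illustrative.

```python
import re
from collections import Counter

# freshclam lines copied from the thread: run before the last clean scan ...
GOOD_RUN = """\
Thu Jul 26 05:49:13 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Jul 26 05:49:13 2018 -> daily.cld is up to date (version: 24783, sigs: 2025533, f-level: 63, builder: neo)
Thu Jul 26 05:49:13 2018 -> bytecode.cld is up to date (version: 325, sigs: 90, f-level: 63, builder: neo)
"""
# ... and the run before the first scan that showed the warnings.
BAD_RUN = """\
Fri Jul 27 05:49:24 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Jul 27 05:49:24 2018 -> daily.cld is up to date (version: 24786, sigs: 2027088, f-level: 63, builder: neo)
Fri Jul 27 05:49:24 2018 -> bytecode.cld is up to date (version: 326, sigs: 93, f-level: 63, builder: neo)
"""
# Constructed clamscan stderr, following the warning format quoted in the thread.
SCAN_OUTPUT = """\
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: Bytecode 2 failed to run: Time limit reached
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: Bytecode 90 failed to run: Time limit reached
LibClamAV Warning: Bytecode 2 failed to run: Time limit reached
"""

DB_RE = re.compile(r"-> (\S+) .*?\(version: (\d+), sigs: (\d+)")
TIMEOUT_RE = re.compile(r"Bytecode (\d+) failed to run: Time limit reached")

def db_versions(log):
    """Map database file name -> (version, signature count)."""
    return {name: (int(v), int(s)) for name, v, s in DB_RE.findall(log)}

def changed_databases(before, after):
    """Databases whose version or signature count differs between two runs."""
    old, new = db_versions(before), db_versions(after)
    return {n: (old.get(n), new[n]) for n in new if old.get(n) != new[n]}

def timeouts_by_bytecode(scan_output):
    """Count 'Time limit reached' warnings per bytecode id."""
    return Counter(int(n) for n in TIMEOUT_RE.findall(scan_output))

if __name__ == "__main__":
    for name, (old, new) in changed_databases(GOOD_RUN, BAD_RUN).items():
        print(f"{name}: {old} -> {new}")
    for bc, count in sorted(timeouts_by_bytecode(SCAN_OUTPUT).items()):
        print(f"bytecode {bc}: {count} timeout(s)")
```

On these logs both daily.cld and bytecode.cld changed between the two runs, so the per-bytecode tally is what ties the warnings to the bytecode database.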