Mailing List Archive

[clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
In yesterday's logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit

is this a bad Bytecode rule?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
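
An added example, not part of the original thread and not ClamAV project code: a small parser that pairs each "timed out in interpreter" warning with the bytecode named on the following "failed to run" line from the same clamd PID, so timeouts can be counted per signature. The regular expressions assume the syslog layout quoted above; the function names and all sample lines other than the two from the post are constructed.

```python
import re
from collections import Counter

# Patterns follow the two clamd syslog lines quoted in the thread.
TIMEOUT_RE = re.compile(
    r"clamd\[(?P<pid>\d+)\]: LibClamAV Warning: Bytecode run timed out "
    r"in interpreter after (?P<opcodes>\d+) opcodes")
FAILED_RE = re.compile(
    r"clamd\[(?P<pid>\d+)\]: LibClamAV Warning: Bytecode '(?P<name>[^']+)' "
    r"\(id: (?P<id>\d+)\) failed to run: (?P<reason>.+)$")

def bytecode_timeouts(lines):
    """Pair each interpreter timeout with the bytecode named on the next
    'failed to run' line from the same clamd PID; return a list of dicts."""
    pending = {}  # pid -> opcode count of a timeout not yet attributed
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = TIMEOUT_RE.search(line)
        if m:
            pending[m["pid"]] = int(m["opcodes"])
            continue
        m = FAILED_RE.search(line)
        if m and m["reason"].strip() == "Exceeded time limit":
            events.append({
                "pid": int(m["pid"]),
                "name": m["name"],
                "id": int(m["id"]),
                # None when the opcode line is missing (e.g. lost to rotation)
                "opcodes": pending.pop(m["pid"], None),
            })
    return events

def summarize(events):
    """Count timeouts per bytecode signature name."""
    return Counter(e["name"] for e in events)

# First two lines are from the post; the remaining lines are constructed.
SAMPLE = [
    "Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes",
    "Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit",
    "Feb 19 12:19:00 mail-cbf-int clamd[4147902]: SelfCheck: Database status OK.",
    "Feb 19 12:20:01 mail-cbf-int clamd[4147999]: LibClamAV Warning: Bytecode 'BC.Example.Placeholder-0000000-0.{}' (id: 1) failed to run: Exceeded time limit",
]

if __name__ == "__main__":
    for name, count in summarize(bytecode_timeouts(SAMPLE)).most_common():
        print(count, name)
```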
Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
Hi Ralf,

There are 3 bytecode rules for detecting CVEs that seem to take a rather long time to run, particularly as the file grows in size. I'm discussing with our threat research team if we can remove them as the CVEs are old enough that no one should reasonably still be affected by the vulnerabilities.

I am curious though - what are your MaxFileSize / MaxScanSize settings? I wonder if you're seeing timeouts with the default settings or if you increased them.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, February 20, 2024 9:36 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>
Subject: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

In yesterday's logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit

is this a bad Bytecode rule?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
* Micah Snyder (micasnyd) <micasnyd@cisco.com>:

> There are 3 bytecode rules for detecting CVEs that seem to take a
> rather long time to run, particularly as the file grows in size. I'm
> discussing with our threat research team if we can remove them as
> the CVEs are old enough that no one should reasonably still be affected
> by the vulnerabilities.
>
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.

MaxFileSize 100M
MaxScanSize 200M
MaxScanTime 120000

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de