Exception Rule wizard

Events in CSA MC for agents show system state along with details, rule & wizard. What does system state mean?
When I follow the wizard to create an exception rule, when I click finish it gives an error "see csamclog.txt for details". I checked the log file; it shows
"[PID=3800] [webadmin]: {Invalid network interface specification Broadcom NetXtreme Gigabit Ethernet.<br> Expected components for wireless interfaces (separated by backslash characters): type, mode, encryption, SSID.<br> Expected components for PPP interfaces (separated by backslash characters): interface type, device type, device, remote computer.<br> Expected components for other interfaces: type, name.} {Invalid network interface specification VMware Virtual Ethernet Adapter for VMnet1.<br> Expected components"

System state is used to apply additional rules to a host and is usually set when a "set" rule is triggered.
An example is "Untrusted Rootkit Detected".
If the Kernel Protection rule detects a driver loading dynamically that it doesn't recognize as trusted, it applies the "Untrusted Rootkit Detected" system state to the host.
It then activates the "Rootkit lockdown module" dynamically which prevents the host from communicating as a client or server.
The system state must be reset from the MC and should be done after you've made an exception (for a false positive) or disinfected the machine.
Not sure why the wizard was giving you errors unless it didn't recognize the network interfaces discovered.
You should be able to view all your network interface variables under:
Configuration > Variables > Network Interface Sets
Tom

Similar Messages

  • Territory Management Exception rules

    Guys, we are on CRM 7.0 and need your expertise to understand how to build exception rules in Territory Management.
    We have rules built upon Country/Regions and postal codes in US e.g.
    1. If country is US and region is New York then return Territory T1
    2. If postal code is from 18701 to 18711 or 18720 to 18735 then return Territory T2
    Now I want to exclude some account numbers from these statements mentioned above like
    1. If country is US and region is New York then return Territory T1 but exclude account numbers 100001, 1000020, 100034, 100045
    2. If postal code is from 18701 to 18711 or 18720 to 18735 then return Territory T2 but exclude account number 123456, 123453, 183639, 1735283
    How should I make my rules in system and building what operators.
    Please suggest.
    Thanks,
    Sandeep

    Hi Sandeep,
    you will need to set up two rules, one for Territory T1 which looks like this
    The "is between" statement should include all NY ZIP codes and the exception all ZIP codes which should be assigned to territory T2
    In the rule for Territory T2 you define only the ZIP codes which you have used as an exception in the rule for territory T1.
    Hope this helps

  • How to make exception rules for Stylish rules which change fonts?

    How to make exception rules for Stylish rules which change fonts?
    I use the Stylish add-on (https://addons.mozilla.org/en-US/firefox/addon/stylish/) to change specific fonts to other fonts of my choice, but I have a problem. I want to change the font Arial to Tahoma in almost all pages I visit, but with the exception of websites such as wikipedia.org. Because of this, I find myself having a very long list of domains to change Arial to Tahoma, only because I don't want that rule to apply to wikipedia.org and one or two other websites.
    The current rule I'm using is (my actual list is a lot longer, but this is just an example):
    @-moz-document domain("mozilla.org"), domain("thefreelibrary.com"), domain("sil.org"), domain("ethnologue.com") {
        @font-face { font-family: 'Arial'; src: local('Tahoma'); }
    }
    I can't use the following rule because I don't want it to apply to wikipedia.org:
    @font-face { font-family: 'Arial'; src: local('Tahoma'); }

    Try something like this:

    @font-face { font-family: 'Arial'; src: local('Tahoma'); }
    @-moz-document domain(wikipedia.org){
        @font-face { font-family: 'Arial'; src: local('Arial'); }
    }

  • GSS Rule Wizard vs Builder

    For adding additional domains to GSS, can the Wizard be used? (Just making sure the wizard won't interfere with existing configs.)

    I have added the following link for more information about the GSS Rule Wizard.
    http://www.cisco.com/en/US/products/hw/contnetw/ps4162/products_configuration_guide_chapter09186a00801cc5d7.html#wp1023544

  • Oracle Auditor Framework Rules Wizard is broken

    The rules wizard to create the new rules extension using the Oracle Audit Framework in JDev 10.1.3.3 is broken. A new wizard needs to be created for the latest JDev builds. Also, the tutorial for Auditing Java files needs to be updated for the newer package structure of base classes and also the newer format for the extensions XML needs to be posted. Can anyone provide information on the format for the extensions.xml file ?

    Hi,
    can you be more specific? I don't see the mentioned extension in the list of installable extensions in JDeveloper 10.1.3.3. Is this what you mean with "broken"?
    I am not aware of a new extensions XML file added to JDeveloper 10.1.3.3 that wasn't in 10.1.3.2 - am I missing something ?
    Please clarify
    Frank

  • Rules wizard or similar idea?

    Hi,
    I'm trying to come up with a rules configuration system for a Java program. Something that will allow users to configure options in the GUI easily by selecting an event, and then an action to be performed on that particular event, with the possibility of specifying conditions for the event as well. Similar to the rules wizard that you get in Microsoft Outlook for running filters on your incoming emails, and also the rules wizard found in the configuration options for Outpost firewall.
    Does anyone have any helpful links or anything that might be able to point me in the right direction, tutorials, examples or anything like that.
    Many Thanks,
    James

    Not sure this is the best link but it will get you started.
    http://java.sun.com/blueprints/patterns/InterceptingFilter.html

  • Is it possible to create exception rule in Comparator sort order?

    I have been working on trying to learn how to use Comparators to sort Collections... In one of my recent experiments, I tried to order a PriorityQueue of String elements alphabetically, in ascending order, with one exception: any word beginning with the letter "z" should be given a higher priority than any other word. I haven't been able to find a way to do this, nor to discern whether or not it's possible.
    Any help is appreciated.

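    Try something like this:
    import java.util.Comparator;

    public class MyComparator implements Comparator<String> {
        @Override
        public int compare(String s1, String s2) {
            boolean s1StartsWithZ = s1.startsWith("z");
            boolean s2StartsWithZ = s2.startsWith("z");
            // PriorityQueue serves the smallest element first, so words
            // starting with "z" must compare as smaller than all others.
            if (s1StartsWithZ && !s2StartsWithZ) return -1;
            if (s2StartsWithZ && !s1StartsWithZ) return 1;
            // Otherwise fall back to ascending alphabetical order.
            return s1.compareTo(s2);
        }
    }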

  • CSA Rule Exception issue

    Is it possible when creating an exception with the Rule Wizard to not have it create a new rule module every time a rule is created?
    I would like to just add rules to an Exceptions policy that is applied to the group without it creating a new rule module every time.

    Hi Adam
    Yes, it says that in the user guide and I experienced the same thing when doing it.
    Part of the user guide seems a bit confusing to me though.
    The 1st statement on page 10-22 in the CSA 5.2 User guide is correct:
    You can create a new rule module (an "exception rule module") which
    would contain the new exception rule. (This is the default and recommended choice.)
    The 2nd statement is (I feel) incorrect:
    "This new module would be attached to a new exception policy which is then
    attached to the group(s) containing the host from which the event was received."
    I've done this several times and have yet to see it create a separate exception policy.
    And the 3rd statement is correct:
    "If you choose to create this exception module, all subsequent exception rules you
    create through the wizard will be added to the same exception module and policy
    if the group it is to be applied to is also the same. Therefore, a group could only
    have one exception policy, but contain an exception rule module with any number
    of exception allow rules created through the wizard."
    Tom

  • CSA wizard for API events

    This is just an FYI.
    If you use the wizard to generate an exception rule for API events, sometimes the pattern created isn't correct. For example, you have an ASP.NET application that trips this event:
    TESTMODE: The process 'C:\WINDOWS\system32\inetsrv\w3wp.exe' (as user NT AUTHORITY\NETWORK SERVICE) attempted to access a resource which would have resulted in the user being asked the following question. 'The process C:\WINDOWS\system32\inetsrv\w3wp.exe is attempting to invoke a system function from a buffer. Do you wish to allow this?'
    And the wizard excludes this pattern:
    f643001f7510897b0883c4145f5e5b*\CreateThread\**\CreateThread
    You will need to remove the 2nd CreateThread at the end so it looks like this:
    f643001f7510897b0883c4145f5e5b*\CreateThread\**
    I don't know if this is a bug in the API rules themselves, or in the wizard itself. It only seems to be a problem when it's duplicated - if it shows a destination file or another value, then it works fine as-is. Hope this helps someone.

    Also, when you took them out of test mode, did you move the host to a different group or are they in the same group just with test mode disabled?
    You may want to check the group itself to see if the logging option is on. Check out screen shot
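
The pattern correction described in the FYI post above can be checked across a batch of wizard-generated exclusions before they go into an exception rule. This is an added example, not part of the original post or of CSA itself; the function names and the assumed layout (buffer prefix, function name, wildcard, optional trailing value, separated by backslashes) are inferred only from the two patterns quoted in the post.

```python
# Constructed sample input. The first two patterns are the "before" and
# "after" quoted in the post; the third is a made-up pattern whose trailing
# value is a destination file rather than a repeated function name.
WIZARD_PATTERNS = [
    r"f643001f7510897b0883c4145f5e5b*\CreateThread\**\CreateThread",
    r"f643001f7510897b0883c4145f5e5b*\CreateThread\**",
    r"0123456789abcdef*\CreateThread\**\C:\example\target.dll",
]


def split_api_pattern(pattern):
    """Split a pattern into (buffer_prefix, function, wildcard, trailing).

    Assumed layout: prefix\\function\\wildcard[\\trailing]. The trailing part
    may itself contain backslashes (a file path), so split at most 3 times.
    """
    parts = pattern.split("\\", 3)
    if len(parts) < 3:
        raise ValueError("not an API exception pattern: %r" % pattern)
    prefix, function, wildcard = parts[:3]
    trailing = parts[3] if len(parts) == 4 else None
    return prefix, function, wildcard, trailing


def fix_api_pattern(pattern):
    """Drop the trailing component only when it repeats the function name."""
    prefix, function, wildcard, trailing = split_api_pattern(pattern)
    if trailing is not None and trailing == function:
        return "\\".join((prefix, function, wildcard))
    # A destination file or any other trailing value is left untouched,
    # matching the post's observation that those patterns work as-is.
    return pattern


def audit(patterns):
    """Return (original, corrected) pairs for patterns that needed the fix."""
    pairs = ((p, fix_api_pattern(p)) for p in patterns)
    return [(old, new) for old, new in pairs if old != new]


if __name__ == "__main__":
    for old, new in audit(WIZARD_PATTERNS):
        print("wizard output :", old)
        print("corrected     :", new)
```

Only the duplicated function name is removed; the buffer prefix and function name stay as the wizard wrote them, so the exception does not become broader than the event that triggered it.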

  • Dealing with inherited xml facts in business rules

    Hello Everyone,
    I encountered a problem while writing business rules for an xml input message which is of abstract type. The schema follows the xml inheritance and the structure is somewhat like -
    Document (abstract)
    |
    Message (abstract)
    |
    NotificationMessage (abstract)
    |
    |-ContractCreated (concrete)
    |-ContractCancelled
    |-ContractUpdate
    |-ContractEnhance
    The input for business rules is a variable of type "Document". Rule wizard has generated all jaxb classes correctly.
    Now when I am writing an if-then rule as below -
    If Document is ContractCreated and ....
    ....
    the compiler warns with message :- RUL-05162: The rule set "Ruleset1" requires fact type "ContractCreated", but this type is not part of the input.
    How to deal with such xml facts where input is abstract type and rule needs to be applied on concrete definition??
    Note- The incoming xml messages are instances of schema that is used across the applications hence schema cannot be modified.
    Thanks,
    Viv
    Edited by: user564736 on Jan 21, 2013 7:23 AM

    Can you verify and make sure you have selected the "Tree" option for the input of the Decision Function?
    Look at the Following for reference:
    http://docs.oracle.com/cd/E29505_01/user.1111/e10228/descfunc.htm#BCGIFGBI

  • Adding Unknown computers resources by direct membership rule issue

    Hi, everybody!
    Finally, I've got the issue described here
    http://blog.coretech.dk/kea/collections-not-being-refreshed-in-configmgr-2012-r2/
    In situation with large count of primary sites and unknown computers accounts (two for each site certainly), it's placed to be a big problem deploying task sequences to unknown computers... The comfort and right decision in my thought is deploying tasks to site's unknown collection that contains two of all unknowns (only each site x86 and x64 account) directly. But after creating those/that collections/collection per sites becomes alive previously noticed trouble... How can we add/divide unknown computers for deploying tasks on them... Situations with available lists of all task sequences (as you know right that occurs while deploying tasks to unknown built-in collection) of all hierarchy in installing process misleads primary sites sccm admins... there are situations with starting wrong tasks (belongs not to their site unknowns)...
    I repeat, adding each sites unknowns to separate collection directly occurs upper link problem...
    Is any idea, guys?

    Jason, it is above 20 sites...
    I've noticed one thing: when I use collection adding direct membership rule wizard using "unknown computer" and its "site code" like criteria, collection working fine. As soon as I use console's "adding to existing collection" capability clicking by right mouse click on one of the unknowns... it's gonna to be fail to update in previously described way...

  • Unable to view Business Rules in Planning application

    Hi All,
    After changing the password of hypadmin I am not able to view all the business rules in my planning application, and the EAS console business rules wizard also doesn't show planning when I am trying to add location.
    Please suggest how to do password change in Hyperion 11.1.2.
    Regards,
    Vasu

    Hi,
    If it's admin id(configuration id), then you need to configure all the components which is registered with shared services after changing your password.
    For example, EAS configuration, only re-configure for -> Register with shared services.
    Like the same way we need to do for all components with new password & for planning apps, need to edit datasource with new password.
    Thanks.

  • CSA 5.1 & Rule 596

    Rule 596 (Network Access Control) generates a TON of noise. Any best practices on tuning this one?
    Obviously, cloning the module this one belongs to, "Rootkit Lockdown Module", and setting the new Network Access Control rule built inside to "Deny" instead of "Priority Deny" will allow exception rule creation, but...
    Does anyone recommend anything different, such as simply adding Application Classes to the list of apps that this rule should not apply to?
    Any suggestions are appreciated...

    I just checked a fresh install of CSA 5.1 and rule 596 is a high priority deny for all ip traffic.
    I do not agree with changing that rule to straight deny or to deny server only. The reason that rule kicks in is because your systems are "Set" as rootkit detected. If that is a true positive, you should clean the rootkits, not just do something to reduce the alerts. You can check this by going to Events > Status Summary and seeing how many hosts are listed in "Untrusted rootkit detected".
    I recommend changing the "Set" Rootkit detected rule itself to monitor. This is one of the 2 set rules in the System Hardening module (or rule 46 in a fresh install). Then use event suppression to keep these alerts out of your main event view if there are too many of them (I'm guessing Symantec will come up). But remember, these are potentially rootkits we're talking about here so you still want to keep an eye on them even if you suppress the events.
    I do not recommend changing rule 596 to straight deny or to deny server connections only. The rootkit lockdown module is meant for dealing with machines that have rootkits. This rule applies to servers as well so you can still see tons of alerts if CSA thinks your servers have rootkits.

  • PCG Flow Rule

    Guess I am facing problem with the periodic flow rule creation. I have defined the Flow Rule as a Periodic control and in the Process Flow, stated it as a Notification Type. But when I am trying to place an Item (created in the Advanced Rule Wizard) for 'Notification Body' for this Process Flow, I am getting the following error : Primary Keys for Process Definition and Advanced Rule Does Not match. Also, what should I put in the 'Functional Owner' so that I get all the notification mails ?
    Can you kindly comment ?

    Thanks Naveen,
    But can you explain why I am receiving this error : "Primary Keys for Process Definition and Advanced Rule Does Not match" since my understanding was that there is not stringent condition for selecting the table and primary keys for the periodic type flow rule.
    Regards,
    Arka

  • Problems with Association Rules

    Hi all,
    I am trying to use ODMr to run association rules and am getting the following error message:
    Server task state: error
    Server task detail:
    ORA-40101: Data Mining System Error ORA-40101: Data Mining System Error ORA-40101: Data Mining System Error ODM_ASSOCIATION_MODEL-BUILD--20010
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 105
    ORA-06512: at "DMSYS.ODM_ASSOCIATION_RULE_MODEL", line 144
    ORA-06512: at "DMSYS.ODM_ASSOCIATION_RULE_MODEL", line 1396
    ORA-00902: invalid datatype
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 105
    ORA-06512: at "DMSYS.ODM_ASSOCIATION_RULE_MODEL", line 144
    ORA-06512: at "DMSYS.ODM_ASSOCIATION_RULE_MODEL", line 1396
    ORA-06512: at "DMSYS.DBMS_DATA_MINING", line 305
    ORA-06512: at "DMSYS.DBMS_JDM_INTERNAL", line 157
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
    ORA-06512: at "DMSYS.DBMS_JDM_INTERNAL", line 179
    ORA-06512: at line 1
    This error is generated on the sample data as used in the ORACLE 10G Release 2 Data Mining Tutorial, and on other datasets that I tried.
    My sense is that the algorithm is expecting data in the datatype of DM_NESTED_NUMERICALS, even though the documentation asks for transactional data. When I converted to nested columns, the prog errored out again as it was expecting a number rather than nested column.??

    Hi Carolyn,
    I reviewed the tutorial and tested out the example for Association Rules. The example uses SH.SALES and SH.PRODUCTS.
    It worked fine.
    ODMr converts the "transactional" data, in the case of Association Rules, into DM_NESTED_NUMERICALS.
    When ODM documentation refers to transactional data, it implies the use of nested columns. This can be confusing given that older versions of ODM actually supported a "transactional format", which is now supported only through nested columns.
    I copied the following view definition that was passed in to ODM to build the Association Rules model (based on the tutorial noted above). Take a look at them to get a better understanding on what ODMr is doing to prepare the data.
    If you can give us a specific example including the tutorial table you used and the settings you specified in the Association Rules Wizard, I can review that to see what the problem might be.
    Thanks, Mark
    SELECT caseTable."DMR$CASE_ID", txnTable1."PROD_ID"
    FROM "DMUSER"."DM4J$VSALES657013432" caseTable,
         (SELECT "DMR$CASE_ID",
                 CAST(COLLECT(DM_Nested_Numerical("NAME", "VALUE")) AS DM_Nested_Numericals) "PROD_ID"
          FROM "DMUSER"."DM4J$SALES423975876"
          GROUP BY "DMR$CASE_ID") txnTable1
    WHERE caseTable."DMR$CASE_ID" = txnTable1."DMR$CASE_ID"
    The view makes references to other tables/views defined below:
    DM4J$VSALES657013432 is shown below:
    SELECT distinct "DMR$CASE_ID" FROM
         (SELECT "CUST_ID","TIME_ID", DENSE_RANK() OVER (ORDER BY "CUST_ID","TIME_ID") DMR$CASE_ID FROM "SH"."SALES")
    ORDER BY "DMR$CASE_ID"
    DM4J$SALES423975876 is shown below:
    SELECT DMR$CASE_ID, CAST("PROD_ID" AS VARCHAR2(30)) as NAME, 1 as VALUE
    FROM
    (SELECT "PROD_ID", "CUST_ID","TIME_ID", DENSE_RANK() OVER (ORDER BY "CUST_ID","TIME_ID") DMR$CASE_ID FROM "SH"."SALES")
    ORDER BY DMR$CASE_ID
