False Positives with GRC AC 5.2

Hi,
I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis.
Does anyone know how to solve this problem? Do you have documents or links to help?
Thanks,
Ricardo.

Thank you, Alpesh, for your response.
In fact, I have several problems with false positives, but at the transaction level. For example, I have a user with the pfcg and su01 transactions. The configuration of profiles in the SAP R/3 system does not allow the user involved to execute both transactions in an end-to-end process. I mean, the user has each transaction via the s_tcode object and has some other objects related to the pfcg and su01 transactions, but he doesn't have the values that allow the transactions to work properly. So Compliance Calibrator reports risks that do not exist.
It seems to be a ruleset configuration problem in CC, so my question is: does the standard ruleset detect these problems properly?
Let me explain the reason that causes the problem.
We have been working with a personalized ruleset, at the customer's request. For that reason we looked at the usobt_c table and built the ruleset --> functions in CC so that these functions were equal to the usobt_c table. We did that because the standard ruleset shows false positives, such as the first example in this post.
Thank you very much,
RCL.
Edited by: Ricardo  Carrasco on Jun 18, 2009 11:58 PM
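
The difference between an action-level and a permission-level risk analysis, which is the source of the false positive described in the post above, can be shown with a small model. This is an added example, not code from the original thread or from SAP: the function names (ZF_*), the risk ID (ZR01), the rule content and the three sample users are constructed assumptions, and the authorization check is deliberately simplified.

```python
"""SoD risk analysis at action level vs. permission level (added example).

Constructed, simplified model: the rule set, risk ID and users below are
illustrative assumptions, not SAP's delivered ruleset or CC internals.
"""

# A user authorization is (object, {field: set of values}); "*" means any value.
# A rule permission is (object, {field: values, any one of which is enough}).

# Hypothetical functions: action (tcode) -> permissions needed to really use it.
FUNCTIONS = {
    "ZF_USER_MAINT": {"SU01": [("S_USER_GRP", {"ACTVT": {"01", "02"}})]},
    "ZF_ROLE_MAINT": {"PFCG": [("S_USER_AGR", {"ACTVT": {"01", "02"}})]},
}
# Hypothetical risk: holding both functions at once is a conflict.
RISKS = {"ZR01": ("ZF_USER_MAINT", "ZF_ROLE_MAINT")}


def field_ok(held, wanted):
    """A field matches if the user holds '*' or at least one wanted value."""
    return "*" in held or bool(held & wanted)


def has_permission(auths, obj, fields):
    """True if ONE authorization instance of obj satisfies every field."""
    for a_obj, a_fields in auths:
        if a_obj != obj:
            continue
        if all(field_ok(a_fields.get(f, set()), v) for f, v in fields.items()):
            return True
    return False


def can_start(auths, tcode):
    """Transaction start check: S_TCODE with a matching TCD value."""
    return has_permission(auths, "S_TCODE", {"TCD": {tcode}})


def actions_held(auths, function, level):
    """Actions of a function the user holds, judged at the given level."""
    hits = []
    for tcode, perms in FUNCTIONS[function].items():
        if not can_start(auths, tcode):
            continue
        if level == "permission" and not all(
            has_permission(auths, o, f) for o, f in perms
        ):
            continue  # tcode can be started but cannot be used to maintain
        hits.append(tcode)
    return hits


def analyze(auths, level):
    """Return {risk_id: (actions of function 1, actions of function 2)}."""
    findings = {}
    for risk_id, (f1, f2) in RISKS.items():
        a1 = actions_held(auths, f1, level)
        a2 = actions_held(auths, f2, level)
        if a1 and a2:
            findings[risk_id] = (a1, a2)
    return findings


def false_positives(auths):
    """Risks reported at action level that vanish at permission level."""
    return sorted(set(analyze(auths, "action")) - set(analyze(auths, "permission")))


# Constructed users. ACTVT 01 = create, 02 = change, 03 = display.
DISPLAY_ONLY = [
    ("S_TCODE", {"TCD": {"SU01", "PFCG"}}),
    ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"03"}}),
    ("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"03"}}),
]
MIXED = [  # can change users, can only display roles
    ("S_TCODE", {"TCD": {"SU01", "PFCG"}}),
    ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"02"}}),
    ("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"03"}}),
]
ADMIN = [
    ("S_TCODE", {"TCD": {"*"}}),
    ("S_USER_GRP", {"CLASS": {"*"}, "ACTVT": {"01", "02", "03"}}),
    ("S_USER_AGR", {"ACT_GROUP": {"*"}, "ACTVT": {"*"}}),
]

if __name__ == "__main__":
    for name, user in [("DISPLAY_ONLY", DISPLAY_ONLY), ("MIXED", MIXED), ("ADMIN", ADMIN)]:
        print(name, "action:", analyze(user, "action"),
              "permission:", analyze(user, "permission"),
              "false positives:", false_positives(user))
```

In this model the display-only and mixed users are reported only by the action-level run, while the administrator is reported by both, so the quality of the permission values in the rule set decides how many action-level hits survive.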

Similar Messages

  • Pvc2300: false positive with motion detection

    Hello!
    I bought 3 pvc 2300 cameras. I tried motion detection with the camera's software and with "Active webcam" software and I received a lot of false positive mails.
    1. With the camera's software, I set an event with motion detection & send mail, but I receive a lot of mail when there isn't motion (I saw registrations and images).
    2. With Active WebCam software I use Linksys cameras and Panasonic cameras. With Panasonic cameras all is OK. With Linksys cameras, about every hour there is a black frame, so I receive a mail from motion detection. A black frame arrives about every hour, 60 minutes after the last black frame. That is very strange!
    I changed sensitivity, check frequency, and number of frames per second, but I have the same problem.
    Can you help me?
    Thanks
    Mary

    I have 2 Panasonic cameras too and I need one software to manage all cameras.
    sensitivity: on active webcam software, I changed sensitivity of motion detection
    frequency check: on active webcam software, I changed from check motion every 0,1 second to every 5 seconds
    number of frame: on Linksys software I changed Max Frame Rate from 15 fps to 6 fps.

  • False Positives?

    A personal friend owns a local heating and air company.  He had an IT friend re-do his website recently.  My wife noticed it and had me take a look.  It's simple and clean and in Firefox text doesn't overlap when one zooms text only.  I took a look at w3c.org and there are a lot of reported errors.  I saw the google map errors and thought... false positive with proprietary code.  I then went to a site I created in Dreamweaver that utilizes a google map and there are no errors on the page reported at W3c.org.  In fact, building sites with Dreamweaver, the only errors I end up needing to fix are the ones created when I paste content text from Notepad that has quotation marks and other such symbols that need to be replaced in Dreamweaver.
    Could I get an opinion on this site:
    Milton Heating and Air
    Hopefully if this W3C.org report comes through, please tell me if you think these errors are a false positive because some proprietary coding technology is used or there is a problem with the document declaration?:
    W3C report on this site
    Since the sites I build in Dreamweaver don't contain errors, I'm just not that familiar with identifying and correcting these types of problems.

    JoeyD1978
    I certainly see your point.  It was not my intent to pick apart this site.  I don't know the person who did the site and was not being critical of his work at all or mentioning his name.  I was posting for my own information related to validation variables at W3C.org.
    The truth is, hardly any of the major websites pass validation at W3C.org... for example, microsoft.com
    So, basically I was hoping to just get a better insight into the W3C.org validation process.  For instance most Drupal sites fail validation.  I know Maximum PC used to use Drupal.  These guys are very technical, so one would think someone at Maximum PC would make certain their site would pass validation.  It does not, like so many other sites. So many websites representing top level corporations failing to validate is a mystery to me.  I was just wondering if some proprietary coding method or dynamic page serving technology is responsible.
    I have to admit though, the owner of this company is a good friend, so if someone here were to tell me, yeah, this issue will negatively impact his Internet presence,  my loyalties will be to my friend rather than his site's designer.  I wasn't expecting any response like that.  I like the site's design. The reported errors were puzzling. I was simply curious about the aforementioned.

  • TCP Hijack/TCP Segment Overwrite false positives?

    Hello all,
    I was just curious if anyone else has had many false positives with 3 signatures in particular: TCP Hijack (3250.0 - High), TCP Hijack Simplex Mode (3251.0 - High), and TCP Segment Overwrite (1300.0 - High). The reason I think they are false positives is because they occur every day, and I've also seen them caused by internal network traffic that crosses an IPS sensor (that is, making the potentially dangerous assumption that the internal devices can be trusted). We usually see between a dozen and 3 dozen a day depending on the signature, and we have 8 IPS total deployed internally and on the perimeters.
    Has anyone else had similar experiences? If so, do you have any suggestions on how to decrease the number of false positives for these alerts?
    Thanks,
    Ryan

    I get TCP Hijack and TCP Segment Overwrite all the time. I opened a TAC case about it because it was getting out of hand, and the engineer said that TCP Hijack would be very very hard to execute and if it is getting fired a lot odds are it is a false positive.
    This was his response:
    5769 - Malformed HTTP Request
    This signature basically just looks for traffic destined to one of your web ports (defined by the WEBPORTS variable) and containing a valid HTTP request (i.e., GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT) but followed by malformed (i.e., not proper http protocol syntax) URI information. This type of malformed HTTP request can be used for a variety of exploits. Microsoft has malformed HTTP request vulnerabilities, another attack known as "http request smuggling" can be launched using malformed HTTP requests at a Squid web proxy, which may cause the web proxy and an upstream HTTP agent to disagree on the boundary between HTTP requests on a persistent connection. These are a couple of examples.
    If you open this signature in IDM and go to "Edit", you can see the regex it looks for within the http payload. Basically, it looks for a valid HTTP request followed by the hex code regex [\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]. A properly formed HTTP request should not contain this hex code.
    It's possible that normal traffic could cause this, but unlikely. If you have further concerns about this signature firing, please capture the trigger packet context either by changing the signature action to 'produce verbose alert' or 'log attacker packet' for analysis. If you need assistance in analyzing these alerts, please contact TAC and open a case on this issue.
    3250 or 3251 - TCP Hijack and TCP Hijack Simplex Mode
    This signature detects attempts to insert packets into a TCP stream by an attacker in an effort to take over this session. However, if you're using inline ips mode, TCP Hijack attacks are impossible. Also, this type of attack is very rare and not easy to do, and is often a false positive. Types of things that can be used by network sniffers to detect that a TCP hijack may be happening is looking for repeated ARP updates, frames sent between client and server with different MAC addresses, or tcp ack storms.
    For these two hijack signatures, per MySDN information:
    "This signature fires upon detecting out of order ack packets. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."
    Thus, very likely to be false positives and unlikely to be a legitimate attack given the difficulties involved in doing this. However, it's worth checking out the source / destination of the attacks. Again though, if you are running inline mode, these attacks are impossible and you can ignore these signatures.
    About the TCP Segment Overwrite, mine is always fired for port 20 traffic from some sort of web cache server. Is that the same for you?

  • Leopard spotlight finds always the same false positives

    Leopard Spotlight always finds the same false positives, with any keyword. How do I fix this if I don't want to exclude the folders from search?

    never mind-the files/folders were dated Jan 1, 1970. saved them new and erased the old ones.
    Message was edited by: schmunzelmonster

  • GRC 10 ALERT MONITOR: FALSE/POSITIVES BIAS CALL TRANSACTION

    Hi, everybody. I had an issue related to the GRC AC 10 alert monitor, which is reporting that some users triggered SoD risks TR54, TR01 and TR03 originated by transactions: ML81N - service entry against purchase order and FB05 - post with clearing. Both transactions are not available for those users because they don't have the authorization profiles in the UMR or available in dialog mode.
    Nevertheless we observed that both actions (ML81N and FB05) were invoked by a "CALL TRANSACTION" instruction from another program report.
    I believe that this is a false positive alarm that was triggered even though the users have not been assigned roles or functions of risk.
    I will appreciate your comments.
    Best Regards.
    Victor Sarabia
    IT GRC Manager

    1) How do I not alert on first failure but initiate an immediate retry in 30 seconds and if retry fails then alert.  This prevents false positives and is a feature that products such as uptrends perform by default
    SCOM has no feature of that kind
    2) How do I alert with just one alert on transaction failure instead of on each of the components of the transaction monitor failure.  Example: our first failure threw 10 alerts encompassing each part of the transaction
    a) Right click web application transaction Monitoring object --> View Management Pack Object --> View Monitors
    b) Expand the web application transaction monitor --> entity Health --> Availability --> Web Application XXXX
    c) Open the monitor properties of Request X -XXX and uncheck "Generate alerts for this monitor"
    3) How do I create an uptime report to show monthly and quarterly uptime for the website based on the transaction monitoring.
    a) go to Monitoring workspace --> Web Application Transaction Monitoring --> Web Application State
    b) select the web application transaction entity and click Availability Report task on task pane
    c) Select the report period and run
    Roger

  • Possible false positive issue with SigID 3353

    Here is a packet captured by the IDS that triggered SigID 3353 - SMB Request Overflow
    evAlert: eventId=1075708170032493259 severity=high
    originator:
    hostId: cisco-ids-v4.1
    appName: sensorApp
    appInstanceId: 1134
    time: 2005/07/18 14:53:30 2005/07/18 14:53:30 UTC
    interfaceGroup: 0
    vlan: 0
    signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
    context:
    fromVictim:
    fromAttacker:
    participants:
    attack:
    attacker: proxy=false
    addr: locality=IN 10.24.238.193
    port: 1071
    victim:
    addr: locality=IN 10.24.4.42
    port: 139
    alertDetails: Traffic Source: int0 ;
    As you can see, looks like a pretty normal SMB packet. This sensor is on an internal network, so Windows file and printer sharing is the norm.
    I think there is a false positive issue that was introduced with the signature’s tuning via the S180 update. As a result, I have two questions:
    1) Am I right, or is the signature working as it should?
    2) Is anyone else having this problem?
    Any and all feedback will be greatly appreciated,
    Alex Arndt

    The new version of this signature should be included in the S182 update. As a workaround, if you are using 5.x you may create 2 meta signatures using this signature and the no-op sled signatures (3328 for better coverage create a meta associated with each one and the existing sig). In your component list be sure to set 3353 prior to 3328. Set unique attackers to 1, meta interval to 2, and component list in order to true. This should eliminate all benign triggers.

  • The Accessibility Object for AS2 is returning a false positive for AS2 with IE10 on Windows 8 Pro.

    There is an issue with our legacy content player, which is written in Flash Actionscript 1 & 2.  This player behaves fine in most browsers on most platforms, but in IE10 on Windows 8 it doesn't work properly.
    Internet Explorer 10
    Version:  10.0.9200.16688
    Update Version:  10.0.9 (KB2870699)
    Windows 8 Pro
    This seems to be because of the Flash engine's Accessibility object using the Microsoft Active Accessibility (MSAA) API to detect the presence of Screen Readers.  This detection is creating a false positive on Windows 8 machines and that may be due to the touch screen support on that platform.  This doesn't appear to be occurring with Chrome or Firefox on the same platform, however.  So I suspect that IE or IE's Flash component is doing something different than these other browsers.

    This is legacy code and is too close to its end-of-life to justify porting to AS3.  As far as a work-around I am already looking into it. I was hoping that someone had already encountered this issue and created a work-around.  This would have saved time.
    Any other takers?

  • Possible false positive issue with SigID 3334

    I have yet another possible false positive signature. This time it is SigID 3334 - Windows Workstation Service Overflow.
    Here's a capture from the EventStore on the sensor, again with the signature modified so that it captures the offending packet (CapturePacket=true):
    evAlert: eventId=1075708170032497693 severity=high
    originator:
    hostId: cisco_ids-v4.1
    appName: sensorApp
    appInstanceId: 1134
    time: 2005/07/19 17:08:44 2005/07/19 17:08:44 UTC
    interfaceGroup: 0
    vlan: 0
    signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
    context:
    fromVictim:
    fromAttacker:
    participants:
    attack:
    attacker: proxy=false
    addr: locality=OUT 10.28.108.79
    port: 1046
    victim:
    addr: locality=IN 10.24.4.42
    port: 139
    alertDetails: Traffic Source: int0 ;
    Now if I understand this alarm correctly, it's looking at any SMB data that appears after the "\PIPE" in a packet, right? Given my dump, I don't think there's anything to get excited about... Is this another broken SMB-related signature?
    Alex Arndt

    It looks like you posted the wrong event log so I have no way to tell if this is a false positive.
    (I'm assuming you're referring to signature 3334-0)
    If you are using the 4.x version of this signature there may be potential for a false positive, since we do not tie the regex to a uuid. If you are running 5.x I do not think it’s possible for this signature to false positive. To add fidelity we used 5.x’s engine meta and created a signature to ensure a hit on this signature as well as one for the msrpc bind request’s uuid. There is no way to improve the signature in 4.x without creating a risk for false negatives (if you don’t mind the risk just increase the allocation hint). That being said, the 4.x version of this signature does look for very specific things:
    3334-0 looks for an msrpc bind request using SMB_COM_Transaction utilizing the PIPE resource with an allocation hint >=1700, function 38 (base-10 for all these values), opcode 25 (base 10), set count of 2, and a word count of 16.
    Thanks,
    Craig Williams
    Cisco Systems

  • Tuning issue with false positive

    One of my clients moved two of their email devices to a DMZ. They both produce alerts on the mass mailing worm alert. Before they were moved to the DMZ, you would see the alert and it would have a source and destination IP. Now it only has the destination IP address of where the device is sending email to. Since the MARS does not pick up the devices' new IP address, I cannot false positive tune these alerts out. How would I go about fixing this issue?

    When the IDS mistakenly thinks that normal traffic is malicious, false positives happen. To reduce them you have to fine-tune the system by letting it know what normal traffic means on your network.
    Cisco has provided some great guidance on how to reduce false positives here:
    http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008072f396.html#wp1030968

  • Cellular signal becomes false positive

    Everything works fine, except after a while the cellular signal becomes a false positive. By this I mean the upper left corner continues to read "Verizon 4G LTE" with a few bars, but there's actually no signal. All apps that require the Internet don't work. It's an easy fix though: in Settings, the Cellular Data has to be turned off, then turned back on. And by "after a while" I mean when it falls into sleep mode after a FaceTime session, then awoken. Not sure exactly how long afterwards. Not sure if it's consistently after one nap or longer. Not sure if running other apps would do the same thing.
    Question is:
    Is this normal?
    I can imagine the upside is that you don't waste data in a prepaid data plan like when background apps continue to run.
    The dreadful downside, however, is that any incoming FaceTime call cannot get through.
    If this is NOT normal, is it a common glitch/bug/quirk? And how to fix it?
    iPad3, OS 6.0.1

    You can't begin measuring velocity until it is positive unless you have already been measuring velocity.
    The solution is to always do the measurement.  Evaluate it with a >0.  In the true condition, then do whatever it is you want to do.

  • LMS 4.2.2 DFM still not possible to disable Duplicate IP false positives?

    I found one discussion about Cisco Works 2.6 where it is pointed out that duplicate IP alerts cannot be disabled in LMS.
    Now I have an installation with 2 core switches, one has all VLAN Interfaces up, the second one the same interfaces with SAME IP addresses in shutdown state.
    DFM still recognizes this similar IP configuration on two boxes as a duplicate IP situation, but it shouldn't because they are all shutdown.
    Is it possible to disable these false positives in DFM?
    Thanks for any hints!

  • Comparing documents and false positives

    Hello,
    I often have to send a proof of a book to a printer. The proof is a PDF. When they return a soft proof--another PDF that they will use to print--I need to quickly compare the two to make sure that there have been no changes in the text.
    The Compare Documents feature certainly beats a side-by-side eyeball scan. But I often get a lot of false positives, words are flagged that actually have not changed.
    It appears that my PDF, exported from InDesign has some hidden discretionary hyphens. In ID these are used to make sure a word breaks at the end of the line at the correct syllable. They are invisible when printed. In a PDF these are not necessary because the text ain't gonna reflow, right?
    But when I compare the soft proof to the original PDF, words with discretionary hyphens are flagged. Somehow the printer has stripped the discretionary hyphens. That's fine but what must I do to get rid of them in my PDF?
    Below is an example. The PDF shown is the one from the printer. The comment box shows the difference from the original PDF, though there is in fact no difference on the page.
    Any advice would be appreciated.
    Tom

    I like Acrobat's text comparisons, which have saved me from bad goofs several times -- mostly stray key-strokes, but once I caught an InDesign footnote numbering snafu.  However, the false positives have always been annoying even without flagging every single discretionary hyphen.
    I imagine you have tried the image method for comparisons, a modern version of the old trick of putting printouts of the old and new versions of a page on a light table to find differences.
    I don't recall seeing comments of the type "undefined", but does re-sorting comments by type at least isolate these so you can step through the rest?  I'm no scripter, but can a javascript mark or eliminate comments containing hyphens?
    More drastic, would it be worth trying to eliminate the discretionary hyphens?  For instance, you could apply Harb's "Freeze Composition" in InDesign, and then search-and-replace all discretionary hyphens.  (Read the comments on the In-Tools site, as well as those in the InDesignSecrets blog it links to because you might want to modify the way it handles hyphens.)
    Good luck!
    David

  • Extensions.checkCompatibility.17.0 does not stay in false position

    After updating from 16 to 17 some of the extensions that are crucial for me stopped working, got disabled and got listed as incompatible with 17.0. Now when I try to toggle the extensions.checkCompatibility.17.0 boolean into the “false” position, it readjusts itself into “true” after each restart, making it impossible to force those extensions as compatible.
    Why is this happening and what can I do to make it stay at “false”?

    edit: now extensions.checkUpdateSecurity stays true but I can’t find how to access the “make compatible” option. Nightly tester tools does not seem to provide it.
    edit: nvm, issue solved by downgrading.

  • Lots of false positives on outbound SPAM filtering

    Starting around 5:30AM this morning a lot of our outbound e-mail began testing as positively identified SPAM.  In our environment I have positively identified outbound SPAM set up to go to a quarantine.
    In looking at the e-mails they are legitimate e-mails. 
    My first attempt was to lower the positively identified SPAM threshold from 75 to 50, had no effect.
    My second attempt was to exclude our internal domains so that e-mail hitting our IronPort appliances for internal recipients would be allowed through, positively identified SPAM or not.
    EDIT:  Reviewing some of the e-mails, some are a simple e-mail with text only and a single .pdf attachment.  Tested as positively identified SPAM.  Some have multiple hyper links but are to legitimate URLs.
    My questions:
    What changed this morning that is causing all of these false positives?
    What can I do differently to not let this occur again?
    Thanks...

    Really appreciate the replies...
    Bob, SBRS is disabled on my outbound mail and it also comes from private/internal IP addresses, does show "not enabled" in message tracking...
    After my post this morning our appliances (two C660s) were still false positiving a lot of outbound mail that was for external recipients (my filter was excluding internal domains)..  but after 1:00PM central or so they started declining and since 3:00PM there hasn't been a single one..   Could be the volume of e-mail is starting to go down a little but I'm guessing there was a CASE rules update...
    Now I just need to decide if I'm going to set the SPAM threshold back to what it was or just leave it alone..  We have had a problem with internal users getting their mail accounts compromised and send out a lot of phishing e-mails that I have been trying to block.
