Possible false positive issue with SigID 3334

I have yet another possible false positive signature. This time it is SigID 3334 - Windows Workstation Service Overflow.
Here's a capture from the EventStore on the sensor, again with the signature modified so that it captures the offending packet (CapturePacket=true):
evAlert: eventId=1075708170032497693 severity=high
originator:
hostId: cisco_ids-v4.1
appName: sensorApp
appInstanceId: 1134
time: 2005/07/19 17:08:44 2005/07/19 17:08:44 UTC
interfaceGroup: 0
vlan: 0
signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
context:
fromVictim:
000000 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000020 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000040 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000050 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000060 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000080 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000090 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000A0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000B0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000C0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000D0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000E0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000F0 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ................
fromAttacker:
000000 00 2C 4C 00 00 46 1B 00 00 6A 38 00 00 5D 16 00 .,L..F...j8..]..
000010 00 19 4E 00 00 F7 13 00 00 B6 54 00 00 25 31 00 ..N.......T..%1.
000020 00 82 29 00 00 7B 3F 00 00 66 53 00 00 5B 3C 00 ..)..{?..fS..[<.
000030 00 BB 40 00 00 BE 57 00 00 9F 4B 00 00 D9 06 00 ..@...W...K.....
000040 00 0C 0D 00 00 56 2C 00 00 D4 14 00 00 0B 13 00 .....V,.........
000050 00 B4 57 00 00 F2 0B 00 00 F8 19 00 00 B9 4B 00 ..W...........K.
000060 00 A6 3D 00 00 3F 1A 00 00 ED 1A 00 00 29 4E 00 ..=..?.......)N.
000070 00 22 38 00 00 53 23 00 00 70 58 00 00 73 58 00 ."8..S#..pX..sX.
000080 00 78 58 00 00 81 58 00 00 1C 1A 00 00 2D 59 00 .xX...X......-Y.
000090 00 50 3A 00 00 00 00 00 3B FF 53 4D 42 2E 00 00 .P:.....;.SMB...
0000A0 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 ................
0000B0 00 02 10 FF FE 00 18 80 60 0C FF 00 DE DE 08 18 ........`.......
0000C0 00 00 00 00 88 0C 88 0C FF FF FF FF 88 0C 00 00 ................
0000D0 00 00 00 00 00 00 00 80 FF 53 4D 42 25 00 00 00 .........SMB%...
0000E0 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000F0 02 10 94 06 00 18 C0 60 10 00 00 2C 00 00 00 88 .......`...,....
participants:
attack:
attacker: proxy=false
addr: locality=OUT 10.28.108.79
port: 1046
victim:
addr: locality=IN 10.24.4.42
port: 139
alertDetails: Traffic Source: int0 ;
Now if I understand this alarm correctly, it's looking at any SMB data that appears after the "\PIPE" in a packet, right? Given my dump, I don't think there's anything to get excited about... Is this another broken SMB-related signature?
Alex Arndt

It looks like you posted the wrong event log so I have no way to tell if this is a false positive.
(I'm assuming you're referring to signature 3334-0)
If you are using the 4.x version of this signature there may be potential for a false positive, since we do not tie the regex to a uuid. If you are running 5.x I do not think it’s possible for this signature to false positive. To add fidelity we used 5.x’s engine meta and created a signature to ensure a hit on this signature as well as one for the msrpc bind request’s uuid. There is no way to improve the signature in 4.x without creating a risk for false negatives (if you don’t mind the risk just increase the allocation hint). That being said, the 4.x version of this signature does look for very specific things:
3334-0 looks for an msrpc bind request using SMB_COM_Transaction utilizing the PIPE resource with an allocation hint >=1700, function 38 (base-10 for all these values), opcode 25 (base 10), set count of 2, and a word count of 16.
Thanks,
Craig Williams
Cisco Systems
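
As an added illustration (not part of the original thread and not Cisco's signature logic), the Python below pulls the fields named in the reply above out of a captured context buffer and compares them with the listed 3334-0 values. The sample bytes are transcribed from the fromAttacker dump of the SigID 3353 post further down this page; the mapping of the reply's terms onto wire offsets (word count, setup count, setup[0] as the function, alloc_hint of a DCE/RPC request PDU) and all helper names are this example's assumptions.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25   # the "SMB%" visible in the dumps
WORDS = 33                   # offset of the first parameter word in an SMB message

# Sample input: bytes 0x50-0xFF of the fromAttacker dump in the SigID 3353
# post on this page, transcribed so the script runs offline.
SAMPLE_HEX = """
00 00 00 80 FF 53 4D 42 25 00 00 00 00 18 07 C8
00 00 00 00 00 00 00 00 00 00 00 00 00 50 78 07
01 90 C1 0C 10 00 00 2C 00 00 00 54 05 00 00 00
00 00 00 00 00 00 00 00 00 54 00 2C 00 54 00 02
00 26 00 0F 70 3D 00 00 5C 00 50 00 49 00 50 00
45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00
2C 00 00 00 0B 00 00 00 14 00 00 00 00 00 01 00
00 00 00 00 15 FD E7 ED 7D DD E4 40 8A E9 7C 39
30 15 BC C3 00 00 00 80 FF 53 4D 42 25 00 00 00
00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 00
00 50 F0 06 01 90 00 0D 10 00 00 2C 00 00 00 80
"""
SAMPLE = bytes.fromhex("".join(SAMPLE_HEX.split()))


def iter_smb(buf):
    """Yield (offset, message bytes) for every SMB header found in buf."""
    pos = buf.find(SMB_MAGIC)
    while pos != -1:
        nxt = buf.find(SMB_MAGIC, pos + 4)
        yield pos, buf[pos:nxt if nxt != -1 else len(buf)]
        pos = nxt


def parse_transaction(msg):
    """Return the fields of an SMB_COM_TRANSACTION request, or None when the
    message is a reply, another command, or was cut short by the capture."""
    if len(msg) < WORDS or msg[4] != SMB_COM_TRANSACTION or msg[9] & 0x80:
        return None
    word_count = msg[32]
    words_end = WORDS + 2 * word_count
    if word_count < 14 or len(msg) < words_end + 2:
        return None
    # DataCount, DataOffset and SetupCount sit 22 bytes into the word block.
    data_count, data_offset, setup_count = struct.unpack_from("<HHB", msg, WORDS + 22)
    if word_count != 14 + setup_count:
        return None
    setup = struct.unpack_from("<%dH" % setup_count, msg, WORDS + 28)
    name = msg[words_end + 2:data_offset]
    rpc = msg[data_offset:data_offset + data_count]
    alloc_hint = None
    # DCE/RPC version 5, ptype 0 (request), little-endian data representation.
    if len(rpc) >= 24 and rpc[0] == 5 and rpc[2] == 0 and (rpc[4] & 0xF0) == 0x10:
        alloc_hint = struct.unpack_from("<I", rpc, 16)[0]
    return {
        "word_count": word_count,
        "setup_count": setup_count,
        "function": setup[0] if setup else None,
        "pipe": "\\PIPE\\".encode("utf-16-le") in name or b"\\PIPE\\" in name,
        "alloc_hint": alloc_hint,
    }


def check_3334_values(f):
    """Compare parsed fields with the values listed in the reply."""
    return {
        "word count 16": f["word_count"] == 16,
        "set count 2": f["setup_count"] == 2,
        "function 38": f["function"] == 38,
        "PIPE resource": f["pipe"],
        "allocation hint >= 1700": f["alloc_hint"] is not None
        and f["alloc_hint"] >= 1700,
    }


def triage(buf):
    """Return [(offset, fields or None, per-value verdicts or None), ...]."""
    out = []
    for off, msg in iter_smb(buf):
        fields = parse_transaction(msg)
        out.append((off, fields, check_3334_values(fields) if fields else None))
    return out


if __name__ == "__main__":
    for off, fields, verdict in triage(SAMPLE):
        print(hex(off), fields or "truncated or not a transaction request", verdict)
```

The second header in the sample is cut off by the end of the captured context, which is why it is reported as unparseable rather than guessed at.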

Similar Messages

  • Possible false positive issue with SigID 3353

    Here is a packet captured by the IDS that triggered SigID 3353 - SMB Request Overflow
    evAlert: eventId=1075708170032493259 severity=high
    originator:
    hostId: cisco-ids-v4.1
    appName: sensorApp
    appInstanceId: 1134
    time: 2005/07/18 14:53:30 2005/07/18 14:53:30 UTC
    interfaceGroup: 0
    vlan: 0
    signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
    context:
    fromVictim:
    000000 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
    000010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
    000020 01 00 00 00 00 00 00 00 00 00 00 68 FF 53 4D 42 ...........h.SMB
    000030 25 00 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 %...............
    000040 00 00 00 00 00 50 78 07 01 90 81 0C 0A 00 00 30 .....Px........0
    000050 00 00 00 00 00 38 00 00 00 30 00 38 00 00 00 00 .....8...0.8....
    000060 00 31 00 2C 05 00 02 03 10 00 00 00 30 00 00 00 .1.,........0...
    000070 0A 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 ................
    000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000090 00 00 00 00 00 00 00 68 FF 53 4D 42 25 00 00 00 .......h.SMB%...
    0000A0 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000B0 00 50 78 07 01 90 C1 0C 0A 00 00 30 00 00 00 00 .Px........0....
    0000C0 00 38 00 00 00 30 00 38 00 00 00 00 00 31 00 2C .8...0.8.....1.,
    0000D0 05 00 02 03 10 00 00 00 30 00 00 00 0B 00 00 00 ........0.......
    0000E0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    fromAttacker:
    000000 00 00 00 00 00 54 00 2C 00 54 00 02 00 26 00 0F .....T.,.T...&..
    000010 70 3D 00 00 5C 00 50 00 49 00 50 00 45 00 5C 00 p=..\.P.I.P.E.\.
    000020 00 00 00 00 05 00 00 03 10 00 00 00 2C 00 00 00 ............,...
    000030 0A 00 00 00 14 00 00 00 00 00 01 00 00 00 00 00 ................
    000040 BB E2 9E 20 19 4C 0D 4B B7 17 DF 44 B9 00 52 40 ... .L.K...D..R@
    000050 00 00 00 80 FF 53 4D 42 25 00 00 00 00 18 07 C8 .....SMB%.......
    000060 00 00 00 00 00 00 00 00 00 00 00 00 00 50 78 07 .............Px.
    000070 01 90 C1 0C 10 00 00 2C 00 00 00 54 05 00 00 00 .......,...T....
    000080 00 00 00 00 00 00 00 00 00 54 00 2C 00 54 00 02 .........T.,.T..
    000090 00 26 00 0F 70 3D 00 00 5C 00 50 00 49 00 50 00 .&..p=..\.P.I.P.
    0000A0 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00 E.\.............
    0000B0 2C 00 00 00 0B 00 00 00 14 00 00 00 00 00 01 00 ,...............
    0000C0 00 00 00 00 15 FD E7 ED 7D DD E4 40 8A E9 7C 39 ........}..@..|9
    0000D0 30 15 BC C3 00 00 00 80 FF 53 4D 42 25 00 00 00 0........SMB%...
    0000E0 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000F0 00 50 F0 06 01 90 00 0D 10 00 00 2C 00 00 00 80 .P.........,....
    participants:
    attack:
    attacker: proxy=false
    addr: locality=IN 10.24.238.193
    port: 1071
    victim:
    addr: locality=IN 10.24.4.42
    port: 139
    alertDetails: Traffic Source: int0 ;
    As you can see, looks like a pretty normal SMB packet. This sensor is on an internal network, so Windows file and printer sharing is the norm.
    I think there is a false positive issue that was introduced with the signature’s tuning via the S180 update. As a result, I have two questions:
    1) Am I right, or is the signature working as it should?
    2) Is anyone else having this problem?
    Any and all feedback will be greatly appreciated,
    Alex Arndt

    The new version of this signature should be included in the S182 update. As a workaround if you are using 5.x you may to create 2 meta signatures using this signature and the no-op sled signatures (3328 for better coverage create a meta associated with each one and the existing sig). In your component list be sure to set 3353 prior to 3328. Set unique attackers to 1, meta interval to 2, and component list in order to true. This should eliminate all benign triggers.

  • Possible legal case issue with google chrome pepper flash player.

    Ok so i have been on the phone to adobe for about an hour and this is the result.
    As far as adobe are concerned their flash player works fine which it does.
    However the google chrome Pepper flash player is obviously broken.
    Now adobe say this has nothing to do with them their flash player is fine and googles version of adobe flash player has nothing to do with ADOBE either.
    So why when you go into chrome plugin settings it says ADOBE flash player.
    It doesn't say Google Flash player.
    It says ADOBE Flash player.
    So it seems to me that either google have stolen the Adobe flash player then made their own and broke it. OR Adobe let them make their own version and is fully aware of the issue but doesn't care?
    How can Adobe ignore this issue for so long is disgraceful.
    Adobe should be in contact with google saying what have you done to OUR Flash player.
    Please the CEO of adobe should sort this out OR at least provide evidence that google hasn't stole Adobe flash player and broke it.
    This situation is completely unacceptable and i believe a legal case should be opened if Adobe has NOT given permission for google to use and implement a version of ADOBE's Flash player.

    you're not going to like this, but i would have said the exact same thing myself, im a flash developer, i use chrome as my main browser with pepper running for general use. and from day to day im looking at javascript websites with simple little flash video players and adverts with spinning bitmaps, with no issues apart from the usual crashes when running flash videos, followed by that "oh snap" error message, which im sure the 18 year olds developing chrome find very amusing. And of course when im developing flash applications im using the debugger version of the flash player in all my browsers like you should do, then i come to test my app on a pepper enabled instance of chrome one day and oh look at that nothing works. maybe if you're running some basic timeline animation of a spinning dollar sign or a youtube video with some kids jumping off a roof it works, but a hell of a lot is broken, loaders, loading fonts, uploading files, reloading cached files, and a plethora of things iv read in forums that i cant even get to try because i cant get anything to load consistently or find a debugger version of the pepper player to do a getStackTrace. i tried emptying all the caches and data from hosted apps, i tried deleting preference folders, tried recreating flash projects in flash builder from scratch, tried different versions of windows, tried testing it in the chrome beta, but that's even worse because instead of posting an error message it just hangs on a black screen in my app. none of this happens in any other version of the flash player i have tested so far, im tracking all errors that users of my app run into by logging them to a database and all of them are specific to pepper, and reproducible.
    In chromes bug reporting section there's a long list of these kinds of issues, its been like this for months, peoples businesses are being ruined by this stupid tiny little .dll file and the only solution anyone has found, other than the odd hack that fixes some bugs like setting video resolution to 479 instead of 480 to make a video stream play because google didnt bother to test anything other than the most basic default functions... Is to just throw a warning message to people with pepper player to go into their chrome plugins page, press a tiny little button in the corner to show some complicated dll file information, press another tiny disable button under the not very well marked pepflashplayer.dll, and then select always allow at the bottom so you don't have to deal with chrome blocking any working flash player other than pepper from running because its out of date. which in the end probably takes longer than installing the real flash player in the first place, there is literally no need for this damn dll file to even exist and for some mind blowing reason it has the exact same version number as every other flash player i have tried, which all work flawlessly. and also then obviously most people ignore the warning messages, continue to use your app wonder why its crashing, get frustrated and leave... So my only alternative so far is to totally block anyone using pepper player from even being able to load my app and tell them to do all of the above or use Internet explorer which seems to actually have a working built in flash player. so that instantly cuts out, as of February 2013, 50.0 % of Internet users unless they boot up internet explorer then manually navigate back to my webpage. which can make a huge dent to the amount of people who actually bother to even try your app.
    Now you may be saying to yourself "well he sounds a bit miffed about this pepper player that for me seems to work fine". maybe there's some kind of hack way to get swfs running in pepper that only some of you in the know, know about, google doesn't have any answers, when i rang adobe they were utterly clueless, when i rang google there wasn't even a human being to talk to from that faceless corporate monstrosity. and iv got 4 years worth of development time riding on this damn flash app which, unless adobe pull the plug on pepper, or google learn how to bundle other peoples software. is totally useless just as im trying to deploy it, and im going to have to copy and paste the whole lot into some .js files and try to reverse engineer it all into javascript which means gutting all the stuff that you can only do in flash, which is about half of it. now obviously you start asking questions like, how could it be possible that a version of flash this flea-ridden was ever allowed to be let out into the jungle when sooooo much is at risk for certain types of businesses that rely on this technology. you could literally put people out of a job by doing this, the man on the phone from adobe says well its not our problem its googles version and they are in charge of it, well if that's the case you better pull the licensing quick fast because it makes adobe look bad and the flash brand look even worse. normal chrome users who aren't even trying to peddle their wares made in flash are even complaining that its "poisoning" their beloved chromium, and the most they have to suffer with is a buggy experience in a flash game but those of us with serious time and work invested into flash and businesses based on it are utterly fuming.
    Now, either you think this is all nonsense, you see no evidence, i must be doing something wrong, and all these cases im reading are just my imagination. Or you are fully aware of this situation and you are just saying the thing devs including myself always have to say to our users when we don't have a good answer or time to worry about it "Everything works great on my system, just submit a bug report". or you are so disconnected that you simply don't know about it yet and this is just a total waste of my time and anybody worth talking to is hidden deep in the bowels of adobe barred from communicating with the outside world.
    What i want to hear is that indeed you are fully aware of and informed about these issues, and within 1 month the pepper player will be removed from chrome and users will be allowed to use the official flash player from adobe which will remain stable and fully functional.

  • Possibly cell radio issue with Lollipop 5.1.1 update

    hi all I thought update had gone ok. Very little battery usage when phone is in sleep/display off, etc. Used home wifi network a lot yesterday. Basically no data wifi. day 2 (today): I was out today and had my data connection (4G) on quite a lot (hadn't yesterday). Wasn't streaming or anything, just needed data for checking train times, google maps a bit - certainly nothing intensive. Phone was charged to 100% (switched off) then switched on at 9am ish this morning. Cell Standby reports, although only 5% of max battery usage, 24% time without signal (out of 8hr). This seems ridiculously high. I have noticed that my signal strength is frequently 1 bar with 4G. I noticed a bit of signal fluctuation, even with 4G switched off but virtually every time I got my phone out and 4G was on, it was on 1 bar of signal. I checked the battery history details: WiFi is indicated as active for the entire time I've had a shoddy mobile network signal - this correlates with my 4G usage. Other times when Wifi has been on (home network, not data), cell signal seems fine. I am on O2 in London. 4G can be a little up and down for me but has NOT generated this measure of cell standby / out of signal until 5.1.1 upgrade. 5.0.2 was ok, although tbh I use 3G most of the time, as I associate better battery usage when I don't use 4G. I was even in exactly the same locations using data, etc, as when I was with 5.0.2 ROM, so I'd not anticipate such a dramatic difference/drop in signal quality. I checked with 02 and there are no reported service issues in my area (checked via their website service status). I've just remembered that I had GPS on too but know, 100%, that Location Services was set to "device only", rather than high accuracy. You can also see from my battery history usage, how little the GPS was 'on' for. I am very surprised and disappointed at this. This suggests (to me) a radio issue in the latest update.
    However, I've not seen others complaining about cell radio issues, so can't corroborate/prove my suspicions. Anyone have any suggestions for me?
    Cheers, Gaz

    uliwooly wrote:
    @MyAliasIsGary Reinstall 5.1.1 with PCC, it's a pain but it should smooth things out, also turn off auto update apps and check if you are auto backing up with G+/photos
    PC Companion (PCC)  Bridge (for Mac)   Alternatives on How to backup Xperias http://talk.sonymobile.com/thread/36355

    hi mate oh seriously though? A re-install?  It took a day for me to get everything back in place (I wiped my internal storage), so I'd have a clean install of 5.1.1 (I wiped 5.0.2). So am I to do a repair or reinstall (or are they the same)? The only other thing I did yesterday was hold power button and volume-down until you get 3 buzzes - I read that this wipes the cache partition. It was suggested this could clean up sluggish performance after an update (although tbh I didn't find my phone to be sluggish). RE: auto updates. I've turned all them off. Also, things should not be syncing in background either (I'm careful to turn that off). G+ shouldn't be updating in background as I've disabled it lol In fact I've disabled most of the google stuff. RE: backing up of photos. This shouldn't be happening, at least going on the amount of data I've used today (only 17MB). Btw, could you just explain (or point me to an article) as to why I should use PC companion (rather than say just doing factory reset)?
    Cheers, Gaz

  • False Positives with GRC AC 5.2

    Hi,
    I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis.
    Does anyone know how to solve this problem? Do you have documents or links to help?
    Thanks,
    Ricardo.

    Thank you Alpesh for response.
    In fact, i have several problem with false positives, but with transactional level. For example, i have a user with pfcg and su01 transaction. The configuration of profiles in SAP r/3 system do not allow to user involved in this, to execute both transactions in end-to-end process, i mean, the user have a transaction via s_tcode object, have some other objects related with pfcg and su01 transactions, but he doesn't have the values that allow to a transactions work properly. Then the Compliance Calibrator informs risks that it doesn't exists.
    It seems that is a ruleset configuration problem in the CC, then my question is, does the standard ruleset properly detect these problems?
    Let me explain the reason that causes the problem.
    We have been working with personalized ruleset, for customer-request. For that reason we look the usobt_c table and we form the ruleset-->functions in CC so that this functions were equal to usobt_c table. We did that because the standard ruleset shows false positives, such as first example of this post.
    Thank you very much,
    RCL.
    Edited by: Ricardo  Carrasco on Jun 18, 2009 11:58 PM

  • Tuning issue with false positive

    One of my clients moved two of their email devices to a DMZ. The both produce alerts on the mass mailing worm alert. Before they were moved to the DMZ, you would see the alert and it would have a source and destination IP. Now it only has the destination IP address of where the device is sending email to. Since the MARS does not pick up the devices new IP address, I cannot false positive tune these alerts out. How would I go about fixing this issue?

    When the IDS mistakenly thinks that normal traffic is malicious, then false positives happen. To reduce them you have to fine tune the system by letting it know what normal traffic means on your network.
    Cisco has provided some great guidance on how to reduce false positives here:
    http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008072f396.html#wp1030968

  • Possible problem with SigID 5442

    We've been experiencing some false-positives with the Cursor/Icon File Format Buffer Overflow (SigID 5442) signature.
    We've had some instances where the alarm has fired on a string containing ".ani", but not at all related to a file of this type.
    Here's an example lifted right out of one such alarm...
    ACON[\x00-\xFF]*anih([^\x24][\x00-\xFF][\x00-\xFF][\x00-\xFF]|[\x24][^\x00][\x00-\xFF][\x00-\xFF]|[\x24][\x00][^\x00][\x00-\xFF]|[\x24][\x00][\x00][^\x00])
    Note that there is no leading "." in front of "ani" and that the text is actually "anih".
    Is this intended behaviour for this SigID, or have I found a bug?
    Thanks in advance,
    Alex Arndt

    It looks like this may indeed be a false positive. I believe the problem stems from the variable length fields that can appear between the ACON header and the anih stub chunk identifier. To eliminate the possibility of false negatives we chose to use the [\x00-\xff] wildcard; this does allow for a slim chance of false positives. This signature was chosen because it addresses the vulnerability and cannot false negative. That being said we will continue to research this signature for modification in a future signature update.
    In the meantime the following 5.x custom signatures may be of use. The main signature is a meta signature consisting of 2 component signatures. In order to create 5.x custom meta signatures the sensor must be running signature update S167 or later.
    Component Signature 1: RIFF ACON
    Engine: String.TCP
    Direction: From Service
    Ports: #WEBPORTS
    Severity: Informational
    Regex: RIFF[\x00-\xff][\x00-\xff][\x00-\xff][\x00-\xff]ACON
    Do not associate an alarm event action with this signature
    Component Signature 2: anih
    Engine: String.TCP
    Direction: From Service
    Ports: #WEBPORTS
    Severity: Informational
    Regex: anih([^\x24][\x00-\xFF][\x00-\xFF][\x00-\xFF]|[\x24][^\x00][\x00-\xFF][\x00-\xFF]|[\x24][\x00][^\x00][\x00-\xFF]|[\x24][\x00][\x00][^\x00])
    Do not associate an alarm event action with this signature
    Meta Signature: ANI Cursor Overflow
    Engine: META
    Component List: Component Signature 1, Component Signature 2 (use their signature IDs)
    Meta-Reset-Interval: 1
    Component List In Order: True
    Meta-Key: Attacker Address
    Unique Victims: 1
    Severity: High
    Associate an alarm event action with this signature
    This signature will reduce the length of time allowed to pass between seeing the ACON header and anih sub-chunk identifier; this time is set by the Meta Reset Interval parameter. Since all of these events must occur in the same file in an actual attack they will be seen almost immediately. To eliminate false negatives increase this interval; to eliminate false positives decrease this interval. The reset interval of 1 should not false negative unless an extremely slow connection is being monitored (sub 1kB/s).
    Here is a 4.x custom signature; it should reduce the chance of any false positives.
    RIFF[\x00-\xff][\x00-\xff][\x00-\xff][\x00-\xff]ACON((LIST|INAM|IART|fram|icon|rate|seq)[\x00-\xFF]+)?anih([^\x24][\x00-\xFF][\x00-\xFF][\x00-\xFF]|[\x24][^\x00][\x00-\xFF][\x00-\xFF]|[\x24][\x00][^\x00][\x00-\xFF]|[\x24][\x00][\x00][^\x00])
    This signature looks for the anih field immediately following the ACON header or following another header that immediately follows the ACON header. This signature may not be as effective as the 5.x signature.
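
The difference between the regex quoted in the question and the tightened 4.x regex in this reply (parentheses balanced), shown as an added Python example that is not part of the thread. Python's `re` stands in for the sensor's regex engine, the byte strings are constructed samples, and `classify` is a hypothetical helper.

```python
import re
import struct

# Shared tail from the thread: "anih" followed by a 4-byte little-endian
# length that is anything other than 0x24 0x00 0x00 0x00 (36).
ANIH_LEN_NOT_36 = (
    rb"anih([^\x24][\x00-\xFF][\x00-\xFF][\x00-\xFF]"
    rb"|[\x24][^\x00][\x00-\xFF][\x00-\xFF]"
    rb"|[\x24][\x00][^\x00][\x00-\xFF]"
    rb"|[\x24][\x00][\x00][^\x00])"
)

# Regex quoted in the question: any bytes may sit between ACON and anih.
ORIGINAL = re.compile(rb"ACON[\x00-\xFF]*" + ANIH_LEN_NOT_36)

# 4.x custom regex from the reply: RIFF header, ACON, at most one listed
# chunk, then anih.
TIGHTENED_4X = re.compile(
    rb"RIFF[\x00-\xff][\x00-\xff][\x00-\xff][\x00-\xff]ACON"
    rb"((LIST|INAM|IART|fram|icon|rate|seq)[\x00-\xFF]+)?" + ANIH_LEN_NOT_36
)


def riff_acon(body):
    """Constructed RIFF/ACON container around the given chunk bytes."""
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"ACON" + body


# Constructed samples (header fields only, no cursor data).
WELL_FORMED = riff_acon(b"anih" + struct.pack("<I", 36) + bytes(36))
BAD_LENGTH = riff_acon(b"anih" + struct.pack("<I", 80))
BAD_LENGTH_AFTER_LIST = riff_acon(
    b"LIST" + struct.pack("<I", 4) + b"INFO" + b"anih" + struct.pack("<I", 80)
)
# Ordinary web content that happens to contain "ACON" and later "anih".
UNRELATED = b'HTTP/1.0 200 OK\r\n\r\n<a href="/BEACON/">vanihost status</a>'


def classify(data):
    """Report which of the two regexes would fire on data."""
    return {
        "original": ORIGINAL.search(data) is not None,
        "tightened_4x": TIGHTENED_4X.search(data) is not None,
    }


if __name__ == "__main__":
    for name in ("WELL_FORMED", "BAD_LENGTH", "BAD_LENGTH_AFTER_LIST", "UNRELATED"):
        print(name, classify(globals()[name]))
```

Only the unrelated sample separates the two: the original regex fires on it because nothing ties `ACON` to a RIFF header, which is the kind of benign trigger described in the question.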

  • LMS 4.2.2 DFM still not possible to disable Duplicate IP false positives?

    I found one discussion about Cisco Works 2.6 where it is pointed out that duplicate IP alerts cannot be disabled in LMS.
    Now I have a installation with 2 core switches, one has all VLAN Interfaces up, the second one the same interfaces with SAME IP addresses in shutdown state.
    DFM still recognizes these similar IP configuration on two boxes as duplicate ip situation, but it shouldn't because they are all shutdown.
    Is it possible to disable these false positives in DFM?
    Thanks for any hints!


  • The Accessibility Object for AS2 is returning a false positive for AS2 with IE10 on Windows 8 Pro.

    There is an issue with the our legacy content player, which is written in Flash Actionscript 1 & 2.  This
    player behaves fine in most browsers on most platforms, but in IE10 on Windows 8 it doesn't work
    properly.
    Internet Explorer 110
    Version:  10.0.9200.16688
    Update Version:  10.0.9 (KB2870699)
    Windows 8 Pro
    This seems to be because of the Flash engine's Accessibility object using the Microsoft Active
    Accessibility (MSAA) API to detect the presence of Screen Readers.  This detection is creating a false
    positive on Windows 8 machines and that may be due to the touch screen support on that platform.  This
    doesn't appear to be occurring with Chrome or Firefox on the same platform; however.  So I suspect that
    IE or IE's Flash component is doing something different than these other browsers.

    This is legacy code and is too close to its end-of-life to justify porting to AS3.  As far as a work-around I am already looking into it. I was hoping that someone had already encountered this issue and created a work-around.  This would have saved time.
    Any other takers?

  • Possible avast! anti-virus false positive on imac

    greetings, installed the free avast! anti-virus software earlier today & ran a scan on my imac. results showed 2 infections of - Win32:Injector-AEO[Trj] . so i did a quick search & found that the win32 virus should have no effect on a mac. is that true? but that i could possibly infect others pc's? also found that avast! is known for false positives, presumably so they can get you to upgrade to their expensive pay service. there seems to be no way to remove the infections with the free software avast! provided. i was advised to de-install the avast! software - which i did. so i was wondering what the best course of action is at this point? get norton or something & rescan, or what?

    Windows malware does not affect OS X. It is true you can pass along the malware to another through email assuming the malware came to you in email and you forwarded the email to others.
    In general you have no need for such protection in OS X at this time. You would be better off with no such software installed.
    Helpful Links Regarding Malware Protection
    An excellent link to read is Tom Reed's Mac Malware Guide.
    Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
    See these Apple articles:
              Mac OS X Snow Leopard and malware detection
              OS X Lion- Protect your Mac from malware
              OS X Mountain Lion- Protect your Mac from malware
              About file quarantine in OS X
    If you require anti-virus protection I recommend using VirusBarrier Express 1.1.6 or Dr.Web Light both from the App Store. They're both free, and since they're from the App Store, they won't destabilize the system. (Thank you to Thomas Reed for these recommendations.)

  • Possible solution to disconnecting issues with Realtek RTL8188CE

    As you may recall I've been having issues with my RTL8188CE WLAN card (and if I recall I'm not the only one), anyway I have found something that solves it for, at least, my system
    I introduce to you: Linux Mint Debian Edition, the distro itself is irrelevant but how it sets up networking is very relevant, from what I can tell it uses a so called obsolete method of setting up the network firmware this would be ndiswrapper, from what I can tell it works excellent.
    Another thing I noticed is that this card is utter garbage in any OS, it doesn't work right in windows either (making multiplayer games... less than entertaining)
    Now, here's the catch: I don't recall how LMDE set it up nor do I have a partition running it right now (sacrificed for a pure debian jessie system (I always keep coming back to debian)), if anyone has this card they could try installing lmde to figure out the network setup it is using (actually, that would be really helpful)
    Anyway, that's my two cents to the issue of getting this card working
    No seriously, that's all. Now off to get my Debian install and then arch install working with this setup to verify that it can be replicated on other systems. (if possible could anyone try this and post their results, I had four disconnects over the last month, three were my own fault for messing with the driver)
    P.S if this is in the wrong section (might be, it seemed like the most relevant one to me though) please don't overreact ^^
    EDIT: Update - the card seems to work somewhat reliably with the native linux driver on kernel 3.10 with ipv6 disabled, still not perfect but *usable* (as in haven't disconnected for over an hour)
    Now, time to do some more experimenting (the actual stability seems very random depending on kernel version, driver version, position of the moon and whether or not you've successfully located elmo)
    Last edited by CubeGod (2013-11-08 14:24:19)

    UPDATE: Okay, so as I mentioned that running kernel 3.10 with ipv6 (and powersaving) disabled it works, it isn't perfect, it loses connection every now and then, doesn't get any usable speeds and it randomly disconnects and requires a reauth, nothing major as it isn't exactly common (ugh, it's a major improvement over disconnects every two seconds)
    This card is still awful though (on an unrelated note I still find it hilarious that the card works even worse in windows *rolls eyes* I blame microsoft)

  • Performance issues with Motion (position, scale, rotate) and GTX 590

    I'm experiencing performance issues with my Premiere Pro CC when I scale, position or rotate a clip in the program monitor.
    I have no performance issues with playback! It's only when I move something with the mouse or by changing the x,y-values of Position in the Motion-Dialog in video effects.
    Premiere then lags terribly and updates the program monitor only about once per second - this makes it very difficult and cumbersome to work and position things.
    On a second Premiere installation on my laptop, performance is fine and fluid - although it doesn't have GPU support and is a much slower computer.
    I'm pretty sure this has somehow to do with my graphic card, which is a Nvidia GTX 590.
    I was told by the support, that it is actually a dual graphic card, which is not supported/liked by Premiere.
    The thing is, until the latest Premiere update, I did not have performance issues at all with this card.
    I also read on the forum that others with the GTX 590 did not experience any problems with it
    So where does this come from?
    There is no change in performance whether or not I activate Mercury Playback Engine GPU acceleration.
    I also tried deactivating one of the 2 gpus, but there also was no change.
    Does anyone else know this problem and has anyone a solution?
    I'm running Premiere CC on a Win 7 64bit engine, Nvidia GTX 590, latest driver (of today),

    I am suffering from the same phenomenon since I updated just before christmas, I think.
    I am hardly able to do scaling, rotating and translating in the program monitor itself - while motion has been highlighted in the effect controls.
    In the effect controls I can scale, rotate etc however.
    Also I have noticed there is a yellow box with handles in the program monitor. I remember it was white before.
    I cannot figure out what to change in my preferences. What has happened?
    best,
    Hans Wessels
    Premiere CC
    Mac Pro OSX 10.7.5
    16 GB 1066 MHz DD3
    2 X NVIDIA GeForce GT 120 512 MB

  • Possible GPU Issues With Camera Raw 6.6

    Over the past day on my Windows 7 x64 workstation I've done some updates.  Specifically:
    The Adobe updater brought in Camera Raw 6.6, replacing 6.5.
    I updated to the ATI Catalyst 11.12 display driver version from previous version 11.11.
    I allowed Windows Update to apply the dozen or so changes that were pending.
    I was just doing some OpenGL testing with Photoshop CS5 12.0.4 x64 and I noticed that under some conditions I saw Photoshop drop out of OpenGL acceleration.  Specifically, when I opened a Canon 5D Mark II image through Camera Raw I saw subsequent operations stop using OpenGL acceleration even though the checkmark remained in the [  ] Enable OpenGL Drawing box in Edit - Preferences - Performance.
    What I did to determine whether OpenGL acceleration was enabled was this:  Select the Zoom Tool, then click and hold the left mouse button on the image.  When OpenGL is enabled, I see a smooth increase in zoom.  When it goes disabled, I see only a jump in zoom level after letting up the mouse button.  Also, the [  ] Scrubby Zoom box gets grayed out.  As I mentioned, even in this condition, a check of Edit - Preferences - Performance still shows OpenGL enabled.
    Just as a control, I saved the converted file as a PSD, and every time I opened THAT file (with a fresh copy of PS CS5 running) and did the same operations I could not reproduce the failure.  The difference being I did not run Camera Raw.
    Since I wasn't specifically looking for issues with Camera Raw, I am not sure that the problem occurred every time I did run Camera Raw.  I do know that when I open images from my own camera (40D; I do not own a 5D Mark II) that the problem doesn't seem to occur.  Notably I always open my image from Camera Raw to the largest possible pixel size - 6144 x 4096, as I did with the 5D Mark II image, so it's not an obvious size difference that's leading to the issue.  Given other comments of late, I'm wondering if it could be a specific issue with conversions of files from 5D Mark II.
    Nor am I sure whether any of the above updates caused it - it might have done this before; I don't regularly convert 5D Mark II images.  I DO think I would have noticed Photoshop reverting to GDI operation before, since I just noticed it pretty easily, but I'm not completely sure of that either.  I do use OpenGL-specific features (such as right-click brush sizing) pretty often.
    I'm trying now to find a set of steps with which to reliably reproduce the problem now, and will advise.
    -Noel

    Figures.  Now I can't reproduce the problem at all, even after an hour of testing.  It probably had nothing to do with Camera Raw.
    I wonder if there are latent GPU status indicators and config values stored by Photoshop based on its specific environment that might not be right for the first run (or first few runs) after a display driver update.  Hm....
    -Noel

  • Pvc2300: false positive with motion detection

    Hello!
    I bought 3 pvc 2300 cameras. I tried motion detection with camera's software and with "Active webcam" software and I received a lot of false positive mails.
    1. with camera's software, I set event with motion detection & sent mail, but I receive a lot of mail when there isn't motion (I saw registrations and images)
    2. with Active WebCam software I use Linksys cameras and Panasonic Cameras. With Panasonic cameras all is ok. With Linksys cameras, about every hour there is a black frame, so I receive a mail from motion detection. The black frame arrives about every hour, 60 minutes after the last black frame. That is very strange!
    I changed sensitivity, check frequency, number of frames per second, but I have the same problem.
    Can you help me?
    Thanks
    Mary

    I have 2 Panasonic cameras too and I need one software to manage all cameras.
    sensitivity: on active webcam software, I changed sensitivity of motion detection
    frequency check: on active webcam software, I changed from check motion every 0,1 second to every 5 seconds
    number of frame: on Linksys software I changed Max Frame Rate from 15 fps to 6 fps.

  • Role reconciliation issue with user ID in acting (HDA) position

    Hi all,
    I am experiencing an issue with my role reconciliation for a user who is in a HDA (acting) position. This user has a 008 relationship to her own position and a A081 relationship to the position she is acting in. Roles are assigned to these 2 positions.
    After the programme PFCG_TIME_DEPENDENCY has been run, I would assume the user to acquire the roles assigned to the HDA position and lose the roles assigned to her in her original position. However, this isn't the case.
    I am just wondering whether anyone else has encountered this issue and knows of a solution to this.
    Thank you.
    Kim

    Kim,
    After the programme PFCG_TIME_DEPENDENCY has been run, I would assume the user to acquire the roles assigned to the HDA position and lose the roles assigned to her in her original position. However, this isn't the case.
    Before PFUD takes place, change of assignment should be done in PA40 (automatically or manually depending on your setup).
    Thanks,
    Sri
