What is False negative and False positive

Hi Gurus,
What is False negative and False positive?
what situations they will arises and what is the impact on database/cube?
Give me some examples.

yes, one of my friend has across this question in an interview.
the interviewer has explained like this:
Occasionally, some times clean blocks are marked as dirty,this is called false negative
and dirty blocks are marked as clean status is called as false positive.
I would like to know when this situation arises and what is the impact on the database/cube.

Similar Messages

What are the negative effects of shutting down often?

I use my computer everyday. Is it the best choice to shut it down every night (when i am sleeping) for:
a. Saving electricity?
b. maintaining battery life?
c. the environment???
And I am sure there are other factors I can't think of now. What are the negatives and positives of using sleep mode? When is it best to shut down?
Thank you all for reading, and answering!

I use my computer everyday. Is it the best choice to
shut it down every night (when i am sleeping) for:
a. Saving electricity?
Nominal as the computer uses very little power when it is in sleep mode. The surge when the computer starts from being off is probably more as the computer is dead and has to warm up and restart everything.
b. maintaining battery life?
Doesn't affect battery life. When the battery is charged the charge circuit turns off and the battery is idle as long as the magsafe is plugged in and powered.
c. the environment???
Letting your computer sleep or turning it off is going to have minimal impact on the environment. See first answer.
What are the negatives and positives of using
sleep mode?
No negatives I can think of. Positives are the computer wakes up right where you were. You don't need to close any programs or stop to make it go to sleep. Either close the lid or use one of the other methods to put it to sleep.
When is it best to shut down?
I always shut down when I am transporting my computer in a bag. Just personal habit. A few people transport it in a bag while it is asleep and have no problems. I also shut it down when I know I am going to be away from it for over 24 hours. Sleep would work just as well just habit.

Comparing documents and false positives

Hello,
I often have to send a proof of a book to a printer. The proof is a PDF. When they return a soft proof--another PDF that they will use to print--I need to quickly compare the two to make sure that there have been no changes in the text.
The Compare Documents feature certainly beats a side-by-side eyeball scan. But I often get a lot of false positives, words are flagged that actually have not changed.
It appears that my PDF, exported from InDesign has some hidden discretionary hyphens. In ID these are used to make sure a word breaks at the end of the line at the correct syllable. They are invisible when printed. In a PDF these are not necessary because the text ain't gonna reflow, right?
But when I compare the soft proof to the original PDF, words with discretionary hyphens are flagged. Somehow the printer has stripped the discretionary hyphens. That's fine but what must I do to get rid of them in my PDF?
Below is an example. The PDF shown is the one from the printer. The comment box shows the difference from the original PDF, though there is in fact no difference on the page.
Any advice would be appreciated.
Tom

I like Acrobat's text comparisons, which have saved me from bad goofs several times -- mostly stray key-strokes, but once I caught an InDesign footnote numbering snafu. However, the false positives have always been annoying even without flagging every single discretionary hyphen.
I imagine you have tried the image method for comparisons, a modern version of the old trick of putting printouts of the old and new versions of a page on a light table to find differences.
I don't recall seeing comments of the type "undefined", but does re-sorting comments by type at least isolate these so you can step through the rest? I'm no scripter, but can a javascript mark or eliminate comments containing hyphens?
More drastic, would it be worth trying to eliminate the discretionary hyphens? For instance, you could apply Harb's "Freeze Composition" in InDesign, and then search-and-replace all discretionary hyphens. (Read the comments on the In-Tools site, as well as those in the InDesignSecrets blog it links to because you might want to modify the way it handles hyphens.)
Good luck!
David

SCOM 2012 and NAP 802.1X Enforcement - Event ID: 6276 during client startup - False positive

Hi
We are running SCOM 2012 and we are using NAP 802.1X enforcement with HP IDM. We are getting multiple event ID: 6276's entries in SCOM during computer start-up, which is false positives as it seems the computer is put into the Non-Compliant network until
its true state is reported. Is there a way to suspend these events, in order for us to only receive valid Non-Compliant events?
Regards, Francois
Francois Vorster

Hi,
You can make dot3svc dependent on NAP agent so that NAP agent starts up completely before the first 802.1X authentication attempt is tried. This should reduce the number of re-authentication attempts.
-Greg

How can you distinguish a 'false positive'?

The IPS generated an alert, SMB Remote Registry Access Attempt. How to investigate the alert? I ran a couple of spyware programs on the host and found some cookies-generaly clean. At what point is the alert resigned as a false positive?
âTriggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a servers registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.â
appInstanceId: 403
signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
subsigId: 1
marsCategory: Probe/Host/WinRegistry

You should start by looking for documented benign triggers:
https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5579&signatureSubId=0
In this case, the benign triggers should tell you what you need to know.

How to determine is it SMB - Remote SAM server access , false positive?

How to determine is it SMB - Remote SAM server access , false positive?

5583-0 right?
I would say that there are different types of false positives. Do you mean, how do I determine if what what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days...intellishield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:
https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0
If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server".

Extensions.checkCompatibility.17.0 does not stay in false position

After updating from 16 to 17 some of the extensions that are crucial for me stopped working, got disabled and got listed as incompatible with 17.0. Now when I try to toggle the extensions.checkCompatibility.17.0 boolean into the “false” position, it readjusts itself into “true” after each restart, making it impossible to force those extensions as compatible.
Why is this happening and what can I do to make it stay at “false”?

edit: now extensions.checkUpdateSecurity stays true but I can’t find how to access the “make compatible” option. Nightly tester tools does not seem to provide it.
edit: nvm, issue solved by downgrading.

Lots of false positives on outbound SPAM filtering

Starting around 5:30AM this morning a lot of our outbound e-mail began testing as positively identified SPAM. In our environment I have positively identified outbound SPAM setup to go to a quarantine.
In looking at the e-mails they are legitimate e-mails.
My first attempt was to lower the positively identified SPAM threshold from 75 to 50, had no effect.
My second attempt was to exclude our internal domains so that e-mail hitting our IronPort appliances for internal recipients would be allowed through, positively identified SPAM or not.
EDIT: Reviewing some of the e-mails, some are a simple e-mail with text only and a single .pdf attachment. Tested as positively identified SPAM. Some have multiple hyper links but are to legitimate URLs.
My questions:
What changed this morning that is causing all of these false positives?
What can I do differently to not let this occur again?
Thanks...

Really appreciate the replies...
Bob, SBRS is disabled on my outbound mail and it also comes from private/internal IP addresses, does show "not enabled" in message tracking...
After my post this morning our appliances (two C660s) were still false positiving a lot of outbound mail that was for external recipients (my filter was excluding internal domains).. but after 1:00PM central or so they started declining and since 3:00PM there hasn't been a single one.. Could be the volume of e-mail is starting to go down a little but I'm guessing there was a CASE rules update...
Now I just need to decide if I'm going to set the SPAM threshold back to what it was or just leave it alone.. We have had a problem with internal users getting their mail accounts compromised and send out a lot of phishing e-mails that I have been trying to block.

Possible false positive issue with SigID 3334

I have yet another possible false positive signature. This time it is SigID 3334 - Windows Workstation Service Overflow.
Here's a capture from the EventStore on the sensor, again with the signature modified so that it captures the offending packet (CapturePacket=true):
evAlert: eventId=1075708170032497693 severity=high
originator:
hostId: cisco_ids-v4.1
appName: sensorApp
appInstanceId: 1134
time: 2005/07/19 17:08:44 2005/07/19 17:08:44 UTC
interfaceGroup: 0
vlan: 0
signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
context:
fromVictim:
000000 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000020 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000040 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000050 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000060 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000080 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
000090 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000A0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000B0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000C0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000D0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000E0 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
0000F0 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ................
fromAttacker:
000000 00 2C 4C 00 00 46 1B 00 00 6A 38 00 00 5D 16 00 .,L..F...j8..]..
000010 00 19 4E 00 00 F7 13 00 00 B6 54 00 00 25 31 00 ..N.......T..%1.
000020 00 82 29 00 00 7B 3F 00 00 66 53 00 00 5B 3C 00 ..)..{?..fS..[<.
000030 00 BB 40 00 00 BE 57 00 00 9F 4B 00 00 D9 06 00 [email protected].....
000040 00 0C 0D 00 00 56 2C 00 00 D4 14 00 00 0B 13 00 .....V,.........
000050 00 B4 57 00 00 F2 0B 00 00 F8 19 00 00 B9 4B 00 ..W...........K.
000060 00 A6 3D 00 00 3F 1A 00 00 ED 1A 00 00 29 4E 00 ..=..?.......)N.
000070 00 22 38 00 00 53 23 00 00 70 58 00 00 73 58 00 ."8..S#..pX..sX.
000080 00 78 58 00 00 81 58 00 00 1C 1A 00 00 2D 59 00 .xX...X......-Y.
000090 00 50 3A 00 00 00 00 00 3B FF 53 4D 42 2E 00 00 .P:.....;.SMB...
0000A0 00 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 ................
0000B0 00 02 10 FF FE 00 18 80 60 0C FF 00 DE DE 08 18 ........`.......
0000C0 00 00 00 00 88 0C 88 0C FF FF FF FF 88 0C 00 00 ................
0000D0 00 00 00 00 00 00 00 80 FF 53 4D 42 25 00 00 00 .........SMB%...
0000E0 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000F0 02 10 94 06 00 18 C0 60 10 00 00 2C 00 00 00 88 .......`...,....
participants:
attack:
attacker: proxy=false
addr: locality=OUT 10.28.108.79
port: 1046
victim:
addr: locality=IN 10.24.4.42
port: 139
alertDetails: Traffic Source: int0 ;
Now if I understand this alarm correctly, it's looking at any SMB data that appears after the "\PIPE" in a packet, right? Given my dump, I don't think there's anything to get excited about... Is this another broken SMB-related signature?
Alex Arndt

It looks like you posted the wrong event log so I have no way to tell if this is a false positive.
(I'm assuming your referring to signature 3334-0)
If you are using the 4.x version of this signature there may be potential for a false positive, since we do not tie the regex to a uuid. If you are running 5.x I do not think its possible for this signature to false positive. To add fidelity we used 5.xs engine meta and created a signature to ensure a hit on this signature as well as one for the msrpc bind requests uuid. There is no way to improve the signature in 4.x without creating a risk for false negatives (if you dont mind the risk just increase the allocation hint). That being said, the 4.x version of this signature does look for very specific things:
3334-0 looks for an msrpc bind request using SMB_COM_Transaction utilizing the PIPE resource with an allocation hint >=1700, function 38 (base-10 for all these values), opcode 25 (base 10), set count of 2, and a word count of 16.
Thanks,
Craig Williams
Cisco Systems

False positive KB2478662 after Server Cleanup Wizard

This morning WSUS gave me false positives for several clients. I've seen FPs before, but I've never discovered what causes them. In fact, I'm finding it hard to even ask a useful question.
On Friday I ran the WSUS Cleanup Wizard. On Monday I found that our Server 2008 R2 box and all but two of our Windows 7 boxes report as needing .NET update KB2478662 - a long-superseded update from 2011.
I ran "wmic qfe list" to learn that neither KB2478662 nor its two superseding patches (KB2633873 and KB2539635) were installed on any of the unhappy clients. However, KB2972100 supersedes KB2633873 and KB2539635 (but not the earlier KB2478662),
and is installed on all the clients involved. KB2972100 is not listed as superseding KB2478662, the earliest in the chain, so it appears this sort of leapfrogging supersession may not be detected well by WSUS.
However: KB2972100 was installed two months ago, and KB2478662 didn't show before Friday; according to the Microsoft Catalog, none of the update packages has been updated recently; and I'm not finding reports from other admins of the ghost of KB2478662 emerging
from the shadows. I can only assume that running the Cleanup Wizard Friday somehow left WSUS in a state where this false positive could result.
Like I said, I can't decide what question to ask. Am I likely correct in blaming the Cleanup Wizard? If so, is there some way of cleaning up after the wizard? Or of preventing this sort of false positive in the first place? Or is there
some other common cause for this sort of FP?
I seem to get two or three of these FPs a year, and I always end up researching the chain of superseding updates, manually scanning clients until I'm sure the latest update is really in place - and then I decline the false positive. But I'd love to know
a better way to handle these, or to avoid them.

so I don't have a years-long database of approved updates.
That remains to be seen. It only takes one hour of overambitious update approvals to generate five years of content on a WSUS server. :-)
KB2478662 has never appeared before
KB2478662 is an update contained in MS11-039 and has existed since June, 2011. If your WSUS server is only a couple of months old, I'm pretty confident in stating that KB2478662 was part of your original synchronization. KB247862 (MS11-039) is not a superseded
update.
It's much more likely that you just did not notice it before.. but it's always been there.
(as I noted, KB2972100 was broadly installed in October) and has never had any approvals at all.
I can't speak to the question of approvals, but if it was broadly installed, then I'd guess that happened before you deployed this WSUS server and those updates were installed as a result of Automatic Updates. Given that it was released on Oct 14th,
that makes perfect sense.
I've never had the opportunity to decline it, because it's never appeared as "needed".
Those two statements are totally noncongruent. You don't decline an update because it is or is not needed, or was or was not ever reported as needed, you decline an update because it will **NEVER** be needed again at all.
None of the four updates I mention came out since I installed WSUS.
Correct, but not really relevant.
KB2478662 (MS11-039, Jun 2011) - already explained. NOT superseded, except for ITANIUM systems, which was superseded by MS11-069.
KB2539635 (MS11-069, Aug 2011) - SUPERSEDED by KB2633873 (MS12-016, Feb 2012), KB2604115 (MS12-035, May 2012), KB2729452 (MS12-074, Nov 2012), KB2742599 (MS13-004, Jan 2013), and KB2972100 (MS14-057, Oct 2014).
KB2633873 (MS12-016, Feb 2012) - SUPERSEDED by KB2604115 (MS12-035, May 2012), KB2729452 (MS12-074, Nov 2012), KB2742599 (MS13-004, Jan 2013), and KB2972100 (MS14-057, Oct 2014).
KB2972100 (MS14-057, Oct 2014) - The *CURRENT* update.
So since they all came out before you installed WSUS that means that ALL of them were ON your server the day you installed it, and TWO of them were relevant from Day One. The other two should have been immediately declined if KB2972100 was reported as 100%
NotApplicable.
If WSUS thinks KB2478662 is superseded, I have no idea why the Cleanup Wizard hasn't already handled it.
There's no "think" about it. Either the update is superseded, or it is not, and whether it's superseded and what supersedes it and what it supersedes is displayed in the Update Details in the WSUS console. One need only read the screen to get the
facts. In this case KB2478662 is NOT superseded (unless you have an Itanium server), and nothing "thinks" that it is (except you).
As for why the Server Cleanup Wizard hasn't dealt with it, one need only understand what the Server Cleanup Wizard DOES do with superseded updates. Superseded updates are declined *IF* (and only IF):
The update is superseded and has not been approved for at least 30 days.
The update is superseded and not needed by any client systems or downstream servers.
The update is superseded and the superseding update is APPROVED.
So... the ITANIUM instance of KB2478662 will not be handled by the Server Cleanup Wizard, because you have likely not approved any ITANIUM updates that supersede it. And the other instances of KB2478662 will not be handled by the Server Cleanup Wizard because
they are not superseded.
So, back to your original message.
KB2478662 WILL be "Needed" on any system where it is NOT installed, because this update is NOT superseded. Your original premise that this update is superseded is the root of all confusion.
Furthermore, neither KB2633873 nor KB2539635 superseded that package, but they are superseded by a newer update (KB2972100) which predates the existence of your WSUS server, so the presence of KB2972100 and the absence of BK2633873 and KB2539635 is 100%
normal and expected.
You were correct in noting that KB2972100 does not supersede KB2478662, but that's the point at which your logic broke down and asking yourself how 'D' supersedes 'C' and 'B', and 'C' and 'B' supersede 'A', but 'D' does not supersede 'A' might have led to
a re-evaluation of your conclusions.
Ergo... there are *NO* false positives. What is reported is FACTUAL.
HINT: (I've written this over a hundred times in the past five years).... The question you should be asking in such situations is NOT "What's wrong with the update?", but rather "What's wrong with the client?" or "What's wrong with
my analysis?" The WUA evaluates applicability based on a defined set of rules, and reports the update status to the WSUS server based on the evaluation of those rules. If the update is more than a week old.. I absolutely PROMISE you that there is *NOTHING*
wrong with the detection logic in that update and you need to focus your investigation on things other than the updates.
As for how to handle superseded updates and update approvals, you may find some benefit from this article:
Removing unneeded update approvals
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

Login Stats "false-positive"?

This deals with login stats... (I've not done any coding yet - just trying to hypothesize first... but will use CF queries)
I'm sure there's a way to do this but can't quite figure it. I know it's easy enough to do a database row count or add the 'number fields' in a
database column for a total, but - how to do this without getting a "false positive" as per below?
Goal: To find the name of the school with the lowest number of Teacher logins.
The LoginCounter database field is set up as a 'number field' and adds an increment of 1 each time a teacher logs in to the site. (for my counter code
to work, this field starts with a default of 1). I have a SchoolName field in the TeacherID row, associating a Teacher with a school and, currently
there are 5 schools... I don't have to do any kind of table join - all fields are in one table.
No problem with pulling a total on the total number of logins of ALL teachers in ALL schools or All teachers in THIS school and then comparing this
number between the different schools.
But I can see more than one "false positive" per the following:
Say, there are 20 TeacherID in School_01 and 40 TeacherID in School_02. And say, totaling the LoginCounter column shows a total of 30 teacher logins
for School_01 and 50 teacher logins for School_02. By just adding up the total LoginCounter per school would show that School_01 has the lowest number
of teacher logins.
However, you have to take into consideration that some teachers may have only logged in once (or rather, none)... as well as considering that, say, 15
teachers out of 20 teachers in School_01 may have logged in a total of 30 times... when, at School_02, one teacher may have logged in 35 times along
with 5 of his colleagues logging in once apiece. In this scenario School_01 still has the lowest total of loggins but School_02 actually has the poorer
score of total teacher logins.
How would I average the number of teachers per school with the total number of schools with the number of logins per teacher to
obtain an accurate count of actual teacher logins? An "over-zealous" teacher, logging in way more numerous times than other teachers would throw the
final figure off...
Is it even possible to obtain an accurate comparison the way I have the database fields set up? I guess (the way I have it set up) I can only consider the LoginCounter fields that have only a "1" (the number of teachers who have never logged in) and get an average to compare between schools. But if all the teachers in a school have logged in numerous times, I'll have to find some kind of "representative number" based on some kind of average between the number of teachers in a school and (the part I can't figure) some kind of average of each teacher's login total.
In retrospect, after re-reading this before posting... I guess I have only two things here: (1) The total number of logins per school (disregarding an
'over-zealous' teacher and, (2) a count on teachers who have never logged in, compared between schools. I just don't know if I can get an accurate
count for "Lowest Number of Logins School" if all teachers in a school have logged in numerous times... Is there a way to get some kind of average, or rather some 'representative number' based on the number of teachers per school and each one's login total? Or, maybe each teacher's LoginCount doesn't even come into play here... (I know this sounds a bit confusing.)
- ed

Thanks for the responses, folks...
All of you are right about the LoginCounter not having to have a default of "1". I had forgotten that, when a participating school is set up, all teachers are set up with a unique "generic-basic unique login" name and password -- just to be able to login on "Training Day". They can change their name and password once they are in their admin section. Teachers who aren't there on "Training Day" are sent an email with instructions on logging in for the first time and changing their name and password. I guess what I'm saying is that, when a participating school 'comes on board', all the participating teachers are added to the database before they even start using the teacher admin section. Maybe it doesn't matter -- I just didn't want an empty or null value when each row is set up...
The login code is as follows, running on the 'validation page' upon login submit.
<cfif session.status IS "valid">
<cfoutput QUERY="getuser">
<cfif #LastLoginDate# NEQ #TodaysDateTime#>
    <cfset #newcount# = LoginCounter + 1>
    <cfquery datasource="#application.dsn#">
    UPDATE teacher_logon
SET
LastLoginDate=#TodaysDateTime#,
LoginCounter=#newcount#
WHERE AdminID = #AminID#
</cfquery>
<cflocation url="Teacher/index.cfm?TeacherID=#AdminID#" addtoken="Yes">
</cfif>
</cfoutput>
So... "0" + "1" = "1" ... I just wasn't sure, when I wrote the code, if this field could be left blank ("blank" + "1")... so, when the individual's row is first entered I put a default "1" here -- since, for training purposes they are already set up to go into the admin section with a pre-created name and password. I figured I could always subtract "1" from the individual's LoginCounter field for accuracy.
I think 12Roberts login ratio is probably what I'm looking for -- Login Ratio: A = total number of teachers and Z = teachers who have never logged in...... Login Ratio = A-Z. (In my existing case a field value of "1" would equal a teacher who has never logged in and a field value of "2" would be a teacher who has logged in once.) I know, I know -- Why don't I just make it complicated or something, LOL.)
I think I was over-blowing my question and 12Robots simple Login Ration is what I was looking. Thanks, 12Robots and, thanks to all for the input. I'm going to mark this post as 'solved' since, the way I have this set up, this ratio is about all I can do with a "lowest login school count".
Thanks again, folks...
- ed

Possible avast! anti-virus false positive on imac

greetings, installed the free avast! anti-virus software earlier today & ran a scan on my imac. results showed 2 infections of - Win32:Injector-AEO[Trj] . so i did a quick search & found that the win32 virus should have no effect on a mac. is that true? but that i could possible infect others pc's? also found that avast! is know for false positives, presumably so they can get you to upgrade to their expensive pay service. there seems to be no way to remove the infections with the free software avast! provided. i was advised to de-install the avast! software - which i did. so i was wondering what the best course of action is at this point? get norton or something & rescan, or what?

Windows malware does not affect OS X. It is true you can pass along the malware to another through email assuming the malware came to you in email and you forwarded the email to others.
In general you have no need for such protection in OS X at this time. You would be better off with no such software installed.
Helpful Links Regarding Malware Protection
An excellent link to read is Tom Reed's Mac Malware Guide.
Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
See these Apple articles:
          Mac OS X Snow Leopard and malware detection
          OS X Lion- Protect your Mac from malware
          OS X Mountain Lion- Protect your Mac from malware
          About file quarantine in OS X
If you require anti-virus protection I recommend using VirusBarrier Express 1.1.6 or Dr.Web Light both from the App Store. They're both free, and since they're from the App Store, they won't destabilize the system. (Thank you to Thomas Reed for these recommendations.)

Tuning issue with false positive

One of my clients moved two of their email devices to a DMZ. The both produce alerts on the mass mailing worm alert. Before they were moved to the DMZ, you would see the alert and it would have a source and destination IP. Now it only has the destination IP address of where the device is sending email to. Since the MARS does not pick up the devices new IP address, I cannot false positive tune these alerts out. How would I go about fixing this issue?

When the IDS mistakenly thinks that normal traffic is malicious then false positives happen To reduce them you have to fine tune the system by letting it know what normal traffic means on your network.
Cisco has provided some great guidance on how to reduce false positives here:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008072f396.html#wp1030968

Cellular signal becomes false positive

Everything works fine, except after a while the cellular signal becomes a false positive. By this I mean the upper left corner continue to read "Verizon 4G LTE" with a few bars, but there's actually no signal. All apps that require the Internet doesn't work. It's an easy fix though — in Settings, the Cellular Data has to be turned off, then turned back on. And by "after a while" I mean when it falls into sleep mode after a FaceTime session, then awoken. Not sure exactly how long afterwards. Not sure if it's consistently after one nap or longer. Not sure if running other apps would do the same thing.
Question is:
Is this normal?
I can imagine the upside is that you don't waste data in a prepaid data plan like when background apps continue to run.
The dreadful downside, however, is that any incoming FaceTime call cannot get through.
If this is NOT normal, is it a common glitch/bug/quirk? And how to fix it?
iPad3, OS 6.0.1

You can't begin measuring velocity until it is positive unless you have already been measuring velocity.
The solution is to always do the measurement. Evaluate it with a >0. In the true condition, then do whatever it is you want to do.

False Positives with GRC AC 5.2

Hi,
I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis.
¿do anyone knows how to solve this problem? ¿do you have documents or links to help?
Thanks,
Ricardo.

Thank you Alpesh for response.
In fact, i have several problem with false positives, but with transactional level. For example, i have a user with pfcg and su01 transaction. The configutation of profiles in SAP r/3 system do not allow to user involved in this, to execute both transactions in end-to-end process, i mean, the user have a transaction vía s_tcode object, have some other objects related with pfcg and su01 transactions, but he doesn´t have the values that allow to a transactions work properly. Then the Compliance Calibrator informs risks that it doesn´t exists.
It seems that is a ruleset configuration problem in the CC, then my question is, ¿the standard ruleset detects properly these problems?
Let my explain the reason that causes the problem.
We have been working with personalized ruleset, for customer-request. For that reason we look the usobt_c table and we form the ruleset-->functions in CC so that this functions were equal to usobt_c table. We did that because the standard ruleset shows false positives, such as first example of this post.
Thank you very much,
RCL.
Edited by: Ricardo Carrasco on Jun 18, 2009 11:58 PM

What is False negative and False positive

Similar Messages

Maybe you are looking for