False Positives
Sniffer is suddenly creating a lot of False Positives. What do I do?
Most likely this is being caused by a new rule in the system. The fastest way to turn off this rule is to roll back to the previous version of the rulebase. To make that possible, keep a copy of your previous day's rulebase, and perhaps the one from the day before that as well. If you detect a critical false positive problem (Rulebase Panic), you can do the following:
Rulebase Panic Procedure:
1. Locate the rule ID in your Message Sniffer log that is causing the false positive.
2. Create a rule-panic entry in your .cfg file. This will temporarily deactivate the rule.
3. Submit your false positive report normally.
4. Send a note to support@armresearch.com indicating that you are having a critical false positive issue. We will expedite processing.
5. Once the false positive issue is resolved, re-enable your automated updates and/or remove any rule-panic entries you have made. To resolve it, we will block, remove, or modify the rules that are causing the false positive, and we'll work with you to make that decision once we know which rules are involved.
For V2-2 & previous:
- Temporarily disable your automated updates.
- Swap your previous backup into place to eliminate the problem.
- Follow the above procedure from step 3 forward.
The persistent engine should reload and pick up your change within 10 minutes unless you have altered your timing settings. For immediate results, issue "rulebase.exe reload" from your command line, or restart your persistent instance service.
For V3 & Later:
Follow the Rulebase Panic Procedure listed above, but at step 2 put your rule-panic entries in the <rule-panics/> section of your snf_engine.xml (or sndmdplugin.xml) file.
