Hi everyone. Earlier this week, we were seeing some intermittent corruption
in some Message Sniffer rulebase updates. The problem has been resolved, but
we wanted to explain the issue.

Since Arm Research has made no changes to precipitate this and since it's
only been reported by a few systems intermittently, it was a bit of a
challenge to nail down. However, it has been Arm Research's top priority
since it was discovered.

Here is a list of what we know about the issue:

*       The problem appears to have started around Nov 29.
*       It is highly intermittent and random.
*       It causes some false positives.
*       You can identify a short-match event by looking at the index and
endex of a rule match. If the difference is less than 5 then you have a
short rule match.
*       You can mitigate the problem by temporarily putting the associated
rule ID in your rule-panic list in your SNF configuration. (Visit the
following link to learn how to create a rule-panic:
http://know.mailsbestfriend.com/how_to_add_a_panic_rule_to_message_sniffer-828470693.shtml)
*       Normally the problem goes away on the next rulebase update.
*       Sometimes it doesn't go away but changes the associated rule ID.

After much research and experimentation, Arm determined that some time on
Nov 28th a corrupted rule entered the rulebase and caused the intermittent
short-match problem. They have removed a group of rules surrounding that
timeframe and have observed a 3 sigma drop in the rate of short-match
events. This indicates that the problem is solved and not likely to return.

Now that Arm knows this kind of event is possible (it's not supposed to be
mathematically) they will be building a detection and mitigation strategy
into the engine... just in case it does happen again. Once in two decades
makes that seem unlikely.

Arm will also be continuing their research on the sequestered rules to
identify the one(s) that caused the problem and identify a way to prevent
that recurring.

In the meantime the detection mechanisms they used to monitor their
experiments will remain in place so that if they do see any future events
they will be able to identify them much more quickly.

If you have any questions about this issue, please let us know and we will
be happy to help.

 

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606
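
The short-match check from the list above, run over scan-log lines, as an added example that is not part of the original message or Arm Research's code. It assumes each rule match is logged as an `<m .../>` element carrying `r` (rule ID), `i` (index) and `e` (endex) attributes; the sample lines and rule IDs are constructed.

```python
import re
from collections import Counter

# Assumption: each rule match is logged as <m .../> with r = rule ID,
# i = index, e = endex. Adjust the attribute names if your logs differ.
MATCH_RE = re.compile(r"<m\s+([^>]*?)/?>")
ATTR_RE = re.compile(r"(\w+)\s*=\s*['\"]([^'\"]*)['\"]")
SHORT_MATCH_LIMIT = 5  # from the message: endex - index < 5 is a short match


def short_matches(lines, limit=SHORT_MATCH_LIMIT):
    """Yield (line_no, rule_id, index, endex) for every short rule match."""
    for line_no, line in enumerate(lines, 1):
        for m in MATCH_RE.finditer(line):
            attrs = dict(ATTR_RE.findall(m.group(1)))
            try:
                rule_id = attrs["r"]
                index, endex = int(attrs["i"]), int(attrs["e"])
            except (KeyError, ValueError):
                continue  # truncated or garbled element: skip, don't guess
            if endex - index < limit:
                yield line_no, rule_id, index, endex


def panic_candidates(lines):
    """Count short matches per rule ID (candidates for the rule-panic list)."""
    return Counter(rule for _, rule, _, _ in short_matches(lines))


# Constructed sample lines and rule IDs, not real SNF output.
SAMPLE_LOG = [
    "<s u='20121204093001' m='a1.msg' s='52' r='1482736'>"
    "<m s='52' r='1482736' i='1200' e='1203' f='m'/></s>",   # length 3: short
    "<s u='20121204093007' m='a2.msg' s='60' r='1390021'>"
    "<m s='60' r='1390021' i='310' e='352' f='m'/></s>",     # length 42: normal
    "<s u='20121204093011' m='a3.msg' s='52' r='1482736'>"
    "<m s='52' r='1482736' i='88' e='90' f='m'/></s>",       # length 2: short
    "<s u='20121204093015' m='a4.msg' s='61' r='1501234'>"
    "<m s='61' r='1501234' i='700' e='705' f='m'/></s>",     # length 5: not short
]

if __name__ == "__main__":
    for rule_id, hits in panic_candidates(SAMPLE_LOG).most_common():
        print(f"rule {rule_id}: {hits} short match(es)")
```

Rule IDs that keep appearing across rulebase updates are the ones worth holding in the rule-panic list until the short matches stop.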