Hi,

1. I read this page: http://www.armresearch.com/support/articles/procedures/falsePositives.jsp and it seems to be the same. However, should this chapter be expanded to contain information about what to do if some of the new technologies are responsible for the false positive? The "panic rule" instructions don't really apply in cases like this where there IS no rule:

<s u='20081007153730' m='D:\IMail\spool\proc\work\D822c01990000026c.smd' s='20' r='0'>
  <p s='0' t='0' l='10306' d='0'/>
  <g o='0' i='207.45.161.16' t='u' c='0.226425' p='1' r='Truncate'/>
</s>

Instead you should have some ready-made sample that shows how to except an IP that has ended up on the Truncate list, or at least move it to the "caution" list?

2. The explanation of the Log files is incomplete: http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp

As you can see from the log snippet I posted, there is a node s:r=0. However, s:r is not in the documentation.

Best Regards,
Andy