FsiDrv

CA ControlMinder maintains driver settings it uses under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv

The FsiDrv registry key contains the following registry entries:

AuditRefreshPeriod

Defines the minimum time in seconds between two consecutive audit events from the same source. CA ControlMinder does not log audit messages for consecutive events from the same source that occur within this time period.

Default: 0 (all audit events are logged)

BatchOplockStatus

Specifies whether to disable batch OpLocks (opportunistic locking) of an entire file. When disabled (value is zero), the driver collects 100 percent of the audit information for file access, but performance decreases. A non-zero value keeps batch OpLocks operating normally (enabled) and improves performance, but the audit information may be incomplete and may not include attempts to access related files.

Note: You must reload the driver to use the new setting. Unload the driver (net stop seosdrv) after you stop CA ControlMinder (secons -s).

Default: 1 (enabled)

BypassDriversCount

Defines how many drivers you want to add to your bypass list.

Type: REG_DWORD

Default: 0

CacheLimit

Defines the seosdrv kernel memory cache limit size in megabytes.

Type: REG_DWORD

Limits: 8 - 64

Default: 16

CounterResolution

Defines the time stamp measurement resolution using the following format: a:1000.

Type: REG_DWORD

Limits: 1 - 1000 (decimal)

Default: 100

directory

The location of the driver.

Default: system_drive\Windows_path\system32\drivers

DriverName_drvNumber

Defines the name of a driver that you want to bypass, for example thisdrv.sys.

Values: drvNumber - a number from 0 to BypassDriversCount - 1.

Type: REG_SZ

Limit: 49 characters.

Note: Create one registry entry for each driver that you want to bypass and verify that the BypassDriversCount specifies the number of drivers you defined.
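The note above describes a consistency requirement that is easy to get wrong by hand: every DriverName_drvNumber entry from 0 to BypassDriversCount - 1 must exist, no entry should sit at or beyond that count, and each name is limited to 49 characters. The following PowerShell function, added here as an example and not part of CA ControlMinder, reads the FsiDrv key and reports any of those mismatches. It assumes only what this page states: the key path, the DriverName_N naming scheme, the page default of 0 for a missing BypassDriversCount, and the 49-character limit. Run it in an elevated session.

```powershell
# Added example (not CA ControlMinder code): verify that the FsiDrv driver
# bypass list is internally consistent, as the documentation requires.
function Test-FsiDrvBypassList {
    param(
        # Key path as documented on this page
        [string]$KeyPath = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return
    }

    $key = Get-Item -LiteralPath $KeyPath

    # Page default: 0 when BypassDriversCount is absent
    $count = [int]$key.GetValue('BypassDriversCount', 0)

    # Collect DriverName_<n> entries that are actually present, keyed by n
    $present = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^DriverName_(\d+)$') {
            $present[[int]$Matches[1]] = [string]$key.GetValue($name)
        }
    }

    $findings = @()

    # 1. Every index 0 .. BypassDriversCount-1 must have an entry
    for ($i = 0; $i -lt $count; $i++) {
        if (-not $present.ContainsKey($i)) {
            $findings += "DriverName_$i is missing but BypassDriversCount is $count"
        }
    }

    foreach ($i in ($present.Keys | Sort-Object)) {
        # 2. Entries at or beyond the count are not covered by BypassDriversCount
        if ($i -ge $count) {
            $findings += "DriverName_$i ('$($present[$i])') exists but BypassDriversCount is $count"
        }
        # 3. Documented limit: 49 characters per driver name
        if ($present[$i].Length -gt 49) {
            $findings += "DriverName_$i exceeds the 49-character limit"
        }
    }

    [pscustomobject]@{
        BypassDriversCount = $count
        DriversListed      = @($present.Keys | Sort-Object | ForEach-Object { $present[$_] })
        Findings           = $findings
    }
}

# Usage: an empty Findings list means the bypass list matches the count
Test-FsiDrvBypassList | Format-List
```

Because a bypassed driver is excluded from CA ControlMinder's interception, the DriversListed output is also the list worth reviewing during a configuration audit: every name in it should be one you placed there deliberately.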

DynamicSysThreadDetection

Specifies that CA ControlMinder traces all kernel mode threads that are created by another product that creates system threads, for example Trend Micro™ PC-cillin Antivirus.

Note: Enabling this registry value can cause performance issues. We recommend that you contact CA Technologies before you enable this registry value. For assistance, contact CA Support at http://ca.com/support.

Type: REG_DWORD

Default: 0 (disabled)

FileCacheDisabled

The toggle to enable or disable the generic file cache.

Values: 0 - enable the generic file cache; 1 - disable the generic file cache.

Default: 0

LoopHoleProtectionDisabled

Specifies whether to disable loophole protection, which protects CA ControlMinder from applications such as Process Monitor (procmon.exe) that may close its handles.

Values: 0 - enable loophole protection; 1 - disable loophole protection.

Default: 0

MaxAuditRecordLimit

Defines the audit queue limit. When the queue length exceeds this limit, CA ControlMinder artificially slows down threads that generate audit events. This way it can read the queue and write to the log file faster than new items are added to the queue.

Note: When new items are added to the queue faster than CA ControlMinder can read and process them, the system's memory may be exhausted.

Default: 200

MaxTimeoutLimit

Defines the number of consecutive timeouts that CA ControlMinder detects before it triggers a driver bypass. Once reached, the driver stops sending authorization requests to the authorization engine until the engine indicates that it is ready to process events.

A value of zero disables this bypass.

Default: 5

NetworkDispatchLevelAccess

Defines the driver's response when a network event is intercepted at dispatch-level IRQL.

Values: 0,1

Default:

QueueTimeout

The maximum time in seconds to wait for seosd to respond.

Default: 10

QueueTimeoutAnswer

The driver's response after a timeout.

Default: 0 (Deny)

RegistryCacheDisabled

The toggle to enable or disable the generic registry cache.

Values: 0 - enable the generic registry cache; 1 - disable the generic registry cache.

Default: 0

RedRangeLimit

Defines the range of accumulated authorization timeout in comparison to the queue timeout.

Type: REG_DWORD

Values: 70 - 99

Default: 70

SilentModeAdmins

Line-separated list of user names who can administer the computer in maintenance mode (SilentModeEnabled = 1).

No default

SilentModeEnabled

Specifies whether maintenance mode is active (1 = active).

Default: 0 (disabled)

SystemBypassRestricted

Specifies if CA ControlMinder bypasses access checks for system processes. By default, CA ControlMinder does not consider system processes to be trusted and does not bypass access checks for system processes.

Values: 0 - bypass access checks; 1 - do not bypass access checks.

Default: 1

YellowRangeLimit

Defines the range of accumulated authorization timeout in comparison to the queue timeout value. For example, if the driver authorization queue contains 15 events and the average processing period is 0.1 seconds, then the accumulated authorization timeout is 1.5 seconds, which represents 15% of 10 seconds. The value below the yellow range sets the state to green. The value above the yellow range sets the state to red.

Type: REG_DWORD

Values: 20 - 50

Default: 40
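The green/yellow/red computation described under YellowRangeLimit and RedRangeLimit is shown below as a worked example; it is added here and is not CA ControlMinder code. It reproduces the page's arithmetic (15 queued events at 0.1 seconds each is 1.5 seconds, which is 15% of the 10-second QueueTimeout) and then applies the two limits. Two things are assumptions rather than documented facts: how the driver actually measures queue length and average processing time (both are passed in as parameters here), and that a percentage exactly equal to a limit falls into the higher state.

```powershell
# Added example (not CA ControlMinder code): compute the authorization queue
# state from the accumulated authorization timeout, using the page defaults for
# QueueTimeout (10 s), YellowRangeLimit (40 %) and RedRangeLimit (70 %).
function Get-FsiDrvAuthQueueState {
    param(
        [Parameter(Mandatory)][int]$QueueLength,            # events waiting on seosd (assumed input)
        [Parameter(Mandatory)][double]$AvgProcessingSeconds, # average per-event processing time (assumed input)
        [int]$QueueTimeout     = 10,   # page default, seconds
        [int]$YellowRangeLimit = 40,   # page default, percent of QueueTimeout
        [int]$RedRangeLimit    = 70    # page default, percent of QueueTimeout
    )

    # Accumulated authorization timeout, e.g. 15 events * 0.1 s = 1.5 s
    $accumulated = $QueueLength * $AvgProcessingSeconds

    # Expressed as a percentage of the queue timeout, e.g. 1.5 s / 10 s = 15 %
    $percent = [math]::Round(100 * $accumulated / $QueueTimeout, 1)

    # Below the yellow limit: green; below the red limit: yellow; otherwise red.
    # Treating a value equal to a limit as the higher state is an assumption.
    $state = 'Red'
    if ($percent -lt $RedRangeLimit)    { $state = 'Yellow' }
    if ($percent -lt $YellowRangeLimit) { $state = 'Green' }

    [pscustomobject]@{
        QueueLength        = $QueueLength
        AccumulatedSeconds = $accumulated
        PercentOfTimeout   = $percent
        State              = $state
    }
}

# The page's own figures: 15 events, 0.1 s each -> 1.5 s -> 15 % -> Green
Get-FsiDrvAuthQueueState -QueueLength 15 -AvgProcessingSeconds 0.1

# Same processing rate, longer queues: 45 events -> 45 % -> Yellow; 80 events -> 80 % -> Red
Get-FsiDrvAuthQueueState -QueueLength 45 -AvgProcessingSeconds 0.1
Get-FsiDrvAuthQueueState -QueueLength 80 -AvgProcessingSeconds 0.1
```

Reading the three results together shows why the two limits are expressed as percentages of QueueTimeout rather than as absolute seconds: raising QueueTimeout moves every queue into a lower state without changing either limit, while lowering YellowRangeLimit makes the driver report congestion earlier.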