CA ControlMinder maintains driver settings it uses under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv
The FsiDrv registry key contains the following registry entries:
Defines the minimum time in seconds between two consecutive audit events from the same source. CA ControlMinder does not log audit messages for consecutive events from the same source that occur within this time period.
Default: 0 (all audit events are logged)
Specifies whether to disable batch OpLocks (opportunistic locking) of an entire file. When disabled (value is zero), the driver collects 100 percent of audit information for file access but performance decreases. A non-zero value keeps batch OpLocks operating regularly (enabled) and increases performance, but potentially provides incomplete audit information that may not include attempts to access related files.
Note: You must reload the driver to use the new setting. Unload the driver (net stop seosdrv) after you stop CA ControlMinder (secons -s).
Default: 1 (enabled)
Defines how many drivers you want to add to your bypass list.
Type: REG_DWORD
Default: 0
Defines the seosdrv kernel memory cache limit size in megabytes.
Type: REG_DWORD
Limits: 8 - 64
Default: 16
Defines the time stamp measurement resolution using the following format: a:1000.
Type: DWORD
Limits: 1 - 1000 (decimal)
Default: 100
The location of the driver.
Default: system_drive\Windows_path\system32\drivers
Defines the name of a driver that you want to bypass, for example thisdrv.sys.
Values: drvNumber - a number from 0 to BypassDriversCount - 1.
Type: REG_SZ
Limit: 49 characters.
Note: Create one registry entry for each driver that you want to bypass and verify that the BypassDriversCount specifies the number of drivers you defined.
Specifies that CA ControlMinder traces all kernel mode threads that are created by another product that creates system threads, for example Trend Micro™ PC-cillin Antivirus.
Note: Enabling this registry value can cause performance issues. We recommend that you contact CA Technologies before you enable this registry value. For assistance, contact CA Support at http://ca.com/support.
Type: REG_DWORD
Default: 0 (disabled)
The toggle to enable or disable the generic file cache.
Values: 0 - enable the generic file cache; 1 - disable the generic file cache.
Default: 0
Specifies whether to disable loophole protection, which protects CA ControlMinder from applications such as Process Monitor (procmon.exe) that may close its handles.
Values: 0 - enable loophole protection; 1 - disable loophole protection.
Default: 0
Defines the audit queue limit. When the queue length exceeds this limit, CA ControlMinder artificially slows down threads that generate audit events. This way it can read the queue and write to the log file faster than new items are added to the queue.
Note: When new items are added to the queue faster than CA ControlMinder can read and process them, the system's memory may be exhausted.
Default: 200
Defines the number of consecutive timeouts that CA ControlMinder detects before it triggers a driver bypass. Once reached, the driver stops sending authorization requests to the authorization engine until the engine indicates that it is ready to process events.
A value of zero disables this bypass.
Default: 5
Defines the driver's response to a network event that is intercepted at dispatch IRQL.
Values: 0,1
Default:
The maximum time in seconds to wait for seosd to respond.
Default: 10
The driver's response after time-out.
Default: 0 (Deny)
The toggle to enable or disable the generic registry cache.
Values: 0 - enable the generic registry cache; 1 - disable the generic registry cache.
Default: 0
Defines the range of accumulated authorization timeout in comparison to the queue timeout.
Type: DWORD
Values: 70 - 99
Default: 70
Line-separated list of user names that can administer the computer in maintenance mode (SilentModeEnabled=1).
No default
Determines whether maintenance mode is active (1).
Default: 0 (disabled)
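Because each bypassed driver is a blind spot for the interception driver and maintenance mode relaxes enforcement, an administrator will want to audit these settings. The following script is an added example, not code from the CA ControlMinder documentation; it reads the FsiDrv key, reports whether SilentModeEnabled is set, and checks that BypassDriversCount agrees with the bypass entries actually defined. It assumes the per-driver entries are named BypassDriver<n> (the page does not give that name); substitute the name your installation uses.

```powershell
# Added audit script, not part of the CA ControlMinder documentation.
# Assumption: per-driver bypass entries are named "BypassDriver<n>" with
# n from 0 to BypassDriversCount-1; adjust $BypassEntryPrefix if yours differ.
$FsiDrvKey = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\FsiDrv'

function Test-FsiDrvBypassConfig {
    param(
        [string]$Path = $FsiDrvKey,
        [string]$BypassEntryPrefix = 'BypassDriver'   # assumed name pattern
    )
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Findings = @('key not found') }
    }
    $key   = Get-Item -LiteralPath $Path
    $names = $key.GetValueNames()

    # Maintenance mode lets the listed users administer the host with
    # enforcement relaxed; outside a planned window it should be 0.
    if ([int]$key.GetValue('SilentModeEnabled', 0) -eq 1) {
        $findings += 'SilentModeEnabled=1: maintenance mode is active'
    }

    # The count must match the entries present, and entries are numbered
    # 0 .. BypassDriversCount-1, each holding a driver name of <= 49 characters.
    $declared = [int]$key.GetValue('BypassDriversCount', 0)
    $pattern  = '^' + [regex]::Escape($BypassEntryPrefix) + '\d+$'
    $defined  = @($names | Where-Object { $_ -match $pattern })
    if ($defined.Count -ne $declared) {
        $findings += "BypassDriversCount=$declared but $($defined.Count) bypass entries exist"
    }
    for ($i = 0; $i -lt $declared; $i++) {
        $name = "$BypassEntryPrefix$i"
        $drv  = [string]$key.GetValue($name, $null)
        if (-not $drv) {
            $findings += "$name is missing (entries must be numbered 0..$($declared - 1))"
            continue
        }
        if ($drv.Length -gt 49) { $findings += "$name exceeds the 49-character limit" }
        $findings += "bypassed driver: $drv"   # every bypassed driver is uninspected
    }
    [pscustomobject]@{ Key = $Path; Findings = $findings }
}

Test-FsiDrvBypassConfig | Format-List
```

Run it from an elevated PowerShell session on the protected host; an empty Findings list means no bypass entries exist and maintenance mode is off.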
Specifies if CA ControlMinder bypasses access checks for system processes. By default, CA ControlMinder does not consider system processes to be trusted and does not bypass access checks for system processes.
Values: 0 - bypass access checks; 1 - do not bypass access checks.
Default: 1
Defines the range of accumulated authorization timeout in comparison to the queue timeout value. For example, if the driver authorization queue contains 15 events and the average processing period is 0.1 seconds, then the accumulated authorization timeout is 1.5 seconds, which represents 15% of 10 seconds. A value below the yellow range sets the state to green; a value above the yellow range sets the state to red.
Type: DWORD
Values: 20 - 50
Default: 40
Copyright © 2013 CA Technologies.
All rights reserved.