CSA Message: What does it mean?

spodonnell · ‎12-16-2005

I have a customer running CSA in Testmode on a Citrix Server. When a user successfully starts a session on the Citrix server, CSA produces a message in the event log.

TESTMODE: The process '<remote application>' (as user xxxx\xxxx) attempted to modify a Cisco Security Agent resource Cisco Registry Key\Value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\csahook\. The operation would have been denied.

Can someone explain what this message really indicates.

Thanks

Scott

pmccubbin · ‎12-17-2005

It means that if the client had been running the CSA Agent in "Live" mode rather than Test mode then the remote application would not have been allowed to modify a CSA resource.

You will see plenty of similar messages and your Value Add to the customer will be to work with them to decide which should be allowed and which should be denied. This is part of the testing and tuning of the CSA application that needs to be done at the beginning of every CSA implementation.

Hope this helps.

spodonnell · ‎12-17-2005

Sorry, I should have been more clear. I understand the "TestMode" part of the message. It's just not clear what is happening regarding the csahook message. The user isn't doing anything but logging into a Citrix session.

tsteger1 · ‎12-19-2005

Because the user is logging in remotely, CSA sees it as a remote application and by default, they are not allowed to modify the registry. You could try creating an exception, but unless you have a local event to trigger it (login maybe?) you may open things up a bit more that you'd like. can be many things, not all of them benign.