Advanced Debug/Configuration options for File and Removable Media Protection
Technical Articles ID:   KB83461
Last Modified:  5/28/2019
Environment

McAfee File and Removable Media Protection (FRP) 5.x, 4.3.x

For details of FRP supported environments, see KB81149.

Summary

The Advanced Debug/Configuration Policy option (introduced in FRP 4.3.1) allows certain specific features or workflows within the product to be enabled or disabled on the client. This policy option is available by selecting Show Advanced from the Encryption Options policy page.

NOTE: With the release of FRP 5.0.2, the policy option has been renamed from Advanced Debug Options to Advanced Configuration Options to more accurately reflect the relevancy/utility of the available settings.

Syntax generic rules:
  • Blank spaces are not allowed anywhere.
  • Each (three letter) acronym must be followed by a colon (:).
  • Every colon (:) must be followed by an integer (in range), a minus sign (to remove value), or a string value.
  • Each statement (where there is more than one) must be separated by a hash symbol (#).
  • To force a reboot, add R+ anywhere in the string. To remove the reboot requirement, add R- anywhere in the string.
NOTES: 
  • The configuration changes you can make with the Advanced Debug/Configuration Policy option may require a client restart before they take effect. These configuration settings may modify registry entries on the client, and should be exercised with caution.
  • Any local modifications to registry settings on the client will not be sent back to the ePO server, and will not be overridden by the current policy setting.
  • Local changes will be replaced only if a new configuration setting is explicitly set in the policy option and pushed to the client from ePO.
  • After a configuration setting has been applied, the setting will not be removed by simply deleting that string. You must use the correct syntax to reverse the setting.
    Example: If you use the string DIS:1#V2E:1 to enable a setting, you must use the string DIS:1#V2E:- to reverse the setting.
  • A default FRP query, FRP: Advanced Debug/Configuration Option Events is available that reports on the status of the configured advanced debug/configuration option settings on the endpoint.

Solution

FRP 4.3.1 and later. This configuration setting requires a client restart before it will take effect.

Remove the check for legacy SafeBoot Content Encryption 2.x files to improve performance
When you perform actions on encrypted files with FRP, the product checks if the files are encrypted with the legacy SafeBoot Content Encryption 2.x. This processing time can negatively affect performance, especially when working with data sets that contain a large number of files. The following configuration setting removes the check for legacy SafeBoot Content Encryption 2.x files:
  • To deploy this configuration setting to the clients, input the following string in the Advanced Debug Options field:

    DIS:0#V2E:0
     
  • If you prefer not to prompt users for a reboot after this setting has been deployed, append R- to the string to remove the reboot prompt:

    DIS:0#V2E:0#R-
     
  • To remove the above configuration setting, input the following string in the Advanced Debug Options field:

    DIS:-#V2E:-
IMPORTANT: When this optimization is enabled, legacy SafeBoot Content Encryption 2.x files will no longer be readable by an FRP client. Ensure that there are no files still encrypted with legacy SafeBoot Content Encryption 2.x before you disable support for legacy SafeBoot 2.x files.

Solution

FRP 4.3.1 and later. This configuration setting requires a client restart before it will take effect.

Disable FRP functionality for local and network drives and use only the removable media encryption functionality.
FRP includes the flexibility to use only the Offsite Access protection level functionality (previously referred to as Endpoint Encryption for Removable Media) for removable media devices and CD/DVDs.
  • To deploy this configuration setting to the clients, input the following string in the Advanced Debug Options field:

    ENR:1#ENW:1
     
  • If you prefer not to prompt users for a reboot after this setting has been deployed, append R- to the string to remove the reboot prompt:

    ENR:1#ENW:1#R-
     
  • To remove the above configuration setting and use the entire product functionality again, input the following string in the Advanced Debug Options field:

    ENR:-#ENW:-

Solution

FRP 5.0.2 and later. This configuration setting requires a client restart before it will take effect.

Disable pagefile encryption
FRP encrypts the pagefile by default for security purposes unless the disk is encrypted with McAfee Drive Encryption or Microsoft BitLocker. All available disks on the system must be encrypted if you wish to exempt the pagefile from encryption. In earlier FRP versions, the pagefile was encrypted at all times, irrespective of the disk encryption status.

To accommodate scenarios such as enabling easy collection of memory dumps, you can use the following configuration setting in the Advanced Configuration Options field to disable pagefile encryption, irrespective of disk encryption status:

PTP:1
  • If you prefer not to prompt users for a reboot after this setting has been deployed, append R- to the string to remove the reboot prompt, as shown below.

    NOTE: The pagefile will be decrypted only after the next reboot.

    PTP:1#R-
     
  • To remove the above configuration setting and enable pagefile encryption again, input the following string in the Advanced Debug Options field:

    PTP:0
IMPORTANT: If the disk is encrypted with either Drive Encryption or Microsoft BitLocker, this setting will be ignored and FRP will not encrypt the pagefile.

Solution

FRP 5.0.3 and later. This configuration setting does not require a client restart before it will take effect.

Ability to control ‘delete’ options available to the end user during USB device initialization
During the initialization (container creation) process, based on the size of existing data on the USB device, the end user is asked to choose between ‘Secure Erase’ and ‘Quick format’ options. This Advanced Configuration setting provides Admins control over the options available to the end user.

NOTE: This setting is applicable to the Offsite Access Removable media protection level options.
  • The following string will let users choose between Secure Erase and Quick format options (this is the default behavior today):

    RME:0
     
  • To always perform Secure Erase during the initialization process, input the following string in the Advanced Configuration Options field. Since the end user does not make any decisions in this case, no UI is displayed to the user:

    RME:1

    NOTE: Depending on the size of existing data, a Secure Erase operation may take a considerable amount of time.
     
  • To always perform Quick format during the initialization process, input the following string in the Advanced Configuration Options field. Since the end user does not make any decisions in this case, no UI is displayed to the user:

    RME:2
     
  • To remove the configuration setting, input the following string in the Advanced Configuration Options field. The resulting behavior will be equivalent to RME:0.

    RME:-

IMPORTANT: The configuration setting will take effect the next time a USB device is initialized.
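
The following Python sketch is an added example, not McAfee code: it checks an option string against the generic syntax rules above before the string is entered in the policy, and reports the effects this article documents for the settings it contains. It assumes the reboot flag appears as its own #-separated token, as in the article's examples; the function and table names are hypothetical.

```python
import re

# Values that appear in this article for each acronym ("-" removes the setting).
SEEN_ON_PAGE = {
    "DIS": {"0", "1", "-"}, "V2E": {"0", "1", "-"},
    "ENR": {"1", "-"}, "ENW": {"1", "-"},
    "PTP": {"0", "1"}, "RME": {"0", "1", "2", "-"},
}
# Statement combinations whose effect the article spells out.
EFFECTS = [
    ({"DIS:0", "V2E:0"}, "legacy SafeBoot Content Encryption 2.x files become unreadable"),
    ({"ENR:1", "ENW:1"}, "FRP disabled for local and network drives"),
    ({"PTP:1"}, "pagefile encryption disabled"),
    ({"RME:2"}, "USB initialization always uses Quick format"),
]
# Three-character acronym, a colon, then a non-empty value without '#' or spaces.
STATEMENT = re.compile(r"([A-Za-z0-9]{3}):([^#\s]+)")


def review(policy):
    """Return (settings, reboot_flag, errors, notes) for one option string."""
    settings, reboot, errors, notes = {}, None, [], []
    if re.search(r"\s", policy):
        return settings, reboot, ["blank space in string"], notes
    for part in policy.split("#"):
        if part in ("R+", "R-"):  # assumption: reboot flag is its own token
            reboot = part
            continue
        m = STATEMENT.fullmatch(part)
        if not m:
            errors.append(f"malformed statement: {part!r}")
            continue
        key, value = m.groups()
        if key in settings:
            notes.append(f"{key}: appears more than once")
        settings[key] = value
        if key not in SEEN_ON_PAGE:
            notes.append(f"{key}: acronym not documented in this article")
        elif value not in SEEN_ON_PAGE[key]:
            notes.append(f"{key}:{value}: value not shown in this article")
    present = {f"{k}:{v}" for k, v in settings.items()}
    notes += [text for combo, text in EFFECTS if combo <= present]
    return settings, reboot, errors, notes


if __name__ == "__main__":
    # Constructed sample strings, built from the article's own examples.
    for s in ("DIS:0#V2E:0#R-", "PTP:1", "ENR:1 #ENW:1", "RME:-"):
        print(s, "->", review(s))
```

An empty errors list means only that the string follows the syntax rules; the notes list is what to read before deploying a string that weakens protection, such as PTP:1.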
