In Windows, event interception is controlled by two drivers, seosdrv.sys and drveng.sys. The drivers protect all the CA ControlMinder files and registry keys by performing the following tasks:
For file access and other events to be intercepted, the UseFSIDrv value in the registry key:
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl\UseFsiDrv
must be set to 1.
I have installed CA Control Minder 12.8 PIM-12.81.2129-18-JUL-2015_GA_Kit on OS Win2012R2, but if I have UseFsiDrv set to 1, PIM will fail to start.
I have set UseFSIDrv to 0 and then it starts, but no file events are intercepted.
How can I solve this problem?
To be able to work with Windows 2012, CA PIM 12.8 SP1 requires patch RO9200 as stated in the compatibility matrix.
The patch can be retrieved from:
https://support.ca.com/irj/portal/solncdndtls?aparNo=RO92100&os=NT&fc=3&actionID=3
Besides this, and as stated in the above matrix, PIM requires Windows 2012 WMI instrumentation to be disabled as it is not yet supported.
So, to have a working Windows 2012 environment where interception will work, please install CA PIM 12.8 SP1 plus the above patch.
Next, you need to enable UseFSIDrv to enable interception, and enable the drveng and seosdrv drivers to intercept the corresponding events.
### LIST SETUP REGISTERS ###
Set UseFsiDrv under the registry key
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl\UseFsiDrv to 1
# Change the start type for the seosdrv and drveng drivers. It means disable them at start time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Start to 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seosdrv\Start to 1
Finally, since instrumentation is not supported in Windows 2012 R2, it must be disabled.
# Disable CAINSTRM driver and instrumentation functionality
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cainstrm\Parameters\OperationMode to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cainstrm\Start to 1
This should enable correct operation of CA PIM in Windows.
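
The following read-only PowerShell check is an added example, not part of the original article or of CA's tooling. It compares the registry values listed above with what is present on the host and then shows the current state of the three drivers. The Start-type names are the standard Windows service start codes, and because the article does not state the value types, values are compared in string form.

```powershell
# Added example: read-only audit of the registry values listed in this article.
# Expected values are copied from the article; nothing is written to the registry.
$expected = @(
    @{ Key = 'HKLM:\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl'
       Name = 'UseFsiDrv'; Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\drveng'
       Name = 'Start'; Value = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\seosdrv'
       Name = 'Start'; Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\cainstrm\Parameters'
       Name = 'OperationMode'; Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\cainstrm'
       Name = 'Start'; Value = 1 }
)

# Standard Windows meaning of a service/driver "Start" value.
$startType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($e in $expected) {
    # A missing key or value yields $null instead of an error.
    $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }

    # Translate Start codes so the effective load behaviour is visible.
    $meaning = ''
    if ($e.Name -eq 'Start' -and $actual -is [int]) { $meaning = $startType[$actual] }

    [pscustomobject]@{
        Key       = $e.Key
        Name      = $e.Name
        Expected  = $e.Value
        Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
        StartType = $meaning
        Ok        = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report.Ok -contains $false) {
    Write-Warning 'One or more values differ from the settings listed in the article.'
}

# Current driver state as Windows reports it (registry changes to Start
# only describe how the driver is loaded at the next start).
Get-CimInstance Win32_SystemDriver -Filter "Name='seosdrv' OR Name='drveng' OR Name='cainstrm'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```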