How to enable PIM to intercept events in Windows 2012

Document ID : KB000014675
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

In windows event interception is controlled by two drivers, seosdrv.sys and drveng.sys The drivers protect all the CA ControlMinder files and registry keys by performing the following tasks:

  • Intercepting every request to open a file or registry key, terminate a process, and perform network activities
  • Passing these requests to the CA ControlMinder Engine and receiving the decision of the Engine whether the request should be granted or denied
  • Forwarding the decision to the original system call of the operating system, which then continues its processing based on the answer it received from the drivers.

For file access and other events to be intercepted, the UseFSIDrv value in the registry key:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\eTrustAccessControl\eTrustAccessControl\UseFsiDrv

Must be set to 1

 

Question:

I have installed CA Control Minder 12.8 PIM-12.81.2129-18-JUL-2015_GA_Kit on OS Win2012R2, but if I have UseFsiDrv  set to 1, PIM will fail to start.

I have set UseFSIDrv to 0 and then it starts, but no file events are intercepted.

How can I solve this problem ?

Environment:
CA PIM 12.8 SP1 on Windows 2012 endpoint
Answer:

To be able to work with Windows 2012, CA PIM 12.8 SP1 requires patch RO9200 as stated in the compatibility matrix

https://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/compatibility-matrix/ca-privileged-identity-manager-endpoint-compatibility-matrix.html 

Patch can be retrieved from

https://support.ca.com/irj/portal/solncdndtls?aparNo=RO92100&os=NT&fc=3&actionID=3 

Besides this, and as stated in the above matrix, PIM requires Windows 2012 WMI instrumentation to be disabled as it is not yet supported.

So to have a working Windows 2012 environment where interception will work, please install CA PIM 12.8 SP1 plus the above patch

Next you need to enable UseFSIDrv to enable interception, and the drveng and seosdrv drivers to intercept the corresponding events

### LIST SETUP REGISTERS ### 
UseFsiDrv under the registry key 
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\ eTrustAccessControl\eTrustAccessControl\UseFsiDrv to 1 

# Change start type for seosdrv and drvend driver. It means disable them at start time 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Start to 0 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seosdrv\Start to 1 

Finally, since instrumentation is not supported in Windows 2012 R2, it must be disabled

# Disable CAINSTRM driver and instrumentation functionality 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cainstrm\Parameters\OperationMode to 1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cainstrm\Start to 1 

This should enable correct operation of CA PIM in Windows