IBM Support

Install the Guardium S-TAP for Windows without the File Activity Monitoring (FAM) drivers

Troubleshooting


Problem

You need to install the IBM Security Guardium™ S-TAP while ensuring that the File Activity Monitoring (FAM) drivers are not installed during the process.

Symptom

You need to ensure that no drivers other than the IBM Guardium™ S-TAP ones are installed.

Cause

The Guardium™ S-TAP for Microsoft Windows™ packages prior to version 11.0 are shipped as bundles. During the installation, the default behavior is that the FAM drivers are installed as well, even if you will not use the feature.

Environment

This document applies to S-TAP versions 10.6 and older.
Starting with version 11.0, the FAM module (and consequently all its drivers) is delivered through an independent installer. It is no longer part of the S-TAP package.

Diagnosing The Problem

By default, the S-TAP bundle installation process installs the FAM drivers and one associated service, even if the FAM module is not used or flagged as disabled.
The presence of the driver can be validated by using the "driverquery | findstr Guardium" command in Windows™.
driverquery | findstr Guardium
Example.
C:\Users\despejel>driverquery | findstr Guardium
Correlator   IBM Security Guardium  Kernel        6/2/2020 3:19:39 AM
DrvTrc       IBM Security Guardium  Kernel        6/2/2020 3:19:24 AM
FsMonitor    IBM Security Guardium  File System   6/2/2020 3:19:46 AM
NmpMonitor   IBM Security Guardium  Kernel        6/2/2020 3:19:49 AM
NmpProxy     IBM Security Guardium  Kernel        6/2/2020 3:19:48 AM
WfpMonitor   IBM Security Guardium  Kernel        6/2/2020 3:19:47 AM
Additionally, one FAM-related service ("StapAT") can be found and queried by running the "sc query StapAT" Windows™ utility.
sc query StapAT
Example.
C:\Users\despejel>sc query StapAT
SERVICE_NAME: StapAT
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Resolving The Problem

There are 3 different ways to install the S-TAP bundle in Windows without the FAM drivers. Select the option you prefer.
Prerequisites.
1. You downloaded an S-TAP bundle package from any of the IBM software download resources available.
Note 1. At the time of writing this document there are two options to obtain IBM software:
Both require you to have a valid IBM ID. The main difference is that for Passport Advantage you must know your IBM Customer Account ID.
2. You must extract the contents of the compressed file obtained. In Windows™ you can perform the task as follows:
A. Right-click the downloaded file name.
B. Select "Extract All...".
C. In the "Select a Destination and Extract Files" dialog that opens, use the "Browse..." button to select a path for the extracted files.
D. Click "Extract".
E. A new folder is created. If there is another compressed file inside, you must decompress it by following the same steps.
F. The expected outcome is to have a folder containing the "Setup.exe" binary and other installation files.
Note 2. The previously mentioned process is only an example. You must extract the compressed files using the software tool and process of your choice.

Option 1. Install the S-TAP using the Windows command prompt.
1. Open a Windows™ command prompt ("cmd.exe") with "Administrator" privileges.
2. Navigate to the folder where the S-TAP installation files were extracted, by using the "cd" command.
3. Execute the "Setup.exe" binary file. Ensure that you include the "-FAM OFF" option as a part of your installation command to have the desired effect.
Example.
setup.exe -UNATTENDED -INSTALLPATH "C:\Program Files\IBM" -APPLIANCE 172.20.20.15 -TAPHOST 172.20.20.11 -FAM OFF
Note 3. The command shown is only an example.
The parameter values must reflect your own environment. The key is to use the "-FAM OFF" option.

Option 2. Install the S-TAP using the interactive installer.
1. Right-click the "Setup.exe" binary file and select "Run as Administrator".
2. Accept the IBM license agreement and click "Next".
3. Optionally, enter your customer information and click "Next".
4. Select a "Custom" installation in the "Setup Type" screen.
5. Select a target folder for the installation, or leave the default option as you need.
6. At the "Services Account" window, select the "Local System" option to use this system account to execute the Guardium™ software.
Note 4. If you are not allowed to run software using the "Local System Account" in Windows™, you can use any other account that has the "Debug Program" privilege assigned as a part of the server's installed security policies.

Check the related links section.
7. Clear the "File System Event Tap" checkbox.
8. At the "Software Tap Host Addresses" section, select an IP address the host can use to communicate with a Guardium™ Collector appliance from the drop-down list.
9. Enter the IP address of one or more Guardium™ Collector appliances to send DAM (Data Activity Monitoring) traffic to.
10. Clear the "Start FAM Service" checkbox if present.

Option 3. Install the S-TAP using the Guardium Installation Manager (GIM).
1. Log into the Guardium™ system you use as a GIM server machine (typically a Central Manager, but it can be any Guardium™ unit type).
Navigate to "Manage > Module Installation > Upload Modules". Click the "Browse..." button.
2. Look for the folder where the S-TAP installation files were extracted. There should be a folder named "Gim-Kits" or similar. Locate and select a file with .gim extension, as that is the S-TAP GIM module file.
3. Click "Upload" at the "Upload Module" section of the page.
4. At the "Import Uploaded Modules" section, click the "Import this module" button.
If everything went well, the GIM module is uploaded and registered on the Guardium™ system.
Note 5. The above 4 steps are only required if the S-TAP module was not previously uploaded and registered to the GIM Server (the Guardium™ system).
5. Navigate to "Manage > Module Installation > Set up by Client" from the GIM server GUI (the Guardium™ System).
At the "Choose clients" section, select the host where the S-TAP is going to be installed.
6. In the "Choose bundle" section, you must search for the S-TAP GIM module you want to install.
7. When reaching the "Choose parameters" step, use the "WINSTAP_CMD_LINE" parameter to include the option "-FAM OFF" during the installation.
8. Finally, click the "Install" button and enter a relative time to start the installation.

Expected result.
If the installation was performed successfully, you can use the "driverquery" Windows™ command to validate that there are no Guardium™ FAM drivers.
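An added example, not part of the IBM document and not IBM code: a PowerShell check for the validation step above, built on the same "driverquery" output and the "StapAT" service name shown earlier. It assumes English "driverquery" column headers, that you pass the FAM driver module names for your release in the hypothetical "-FamDriverName" parameter (the page does not say which of the listed drivers belong to FAM), and that a remaining "StapAT" service counts as a finding.

```powershell
# Post-install check: confirm that no FAM components are left on the host.
# Added example; parameter names are hypothetical, not part of any IBM tool.
param(
    # Assumption: the operator supplies the FAM driver module names.
    # The page lists the Guardium drivers but does not mark which are FAM.
    [string[]]$FamDriverName = @(),
    # Service name taken from the page ("sc query StapAT").
    [string]$FamServiceName = 'StapAT'
)

# driverquery /FO CSV emits a header row; the column names used below
# ('Module Name', 'Display Name', ...) are the English ones (assumption).
$drivers = driverquery /FO CSV | ConvertFrom-Csv |
    Where-Object { $_.'Display Name' -like '*Guardium*' }

# Show every Guardium driver so the result can be compared with a baseline.
$drivers |
    Format-Table 'Module Name', 'Display Name', 'Driver Type', 'Link Date' -AutoSize

$findings = @()

# Flag any installed driver whose module name was named as a FAM driver.
foreach ($d in $drivers) {
    if ($FamDriverName -contains $d.'Module Name') {
        $findings += "FAM driver present: $($d.'Module Name') ($($d.'Driver Type'))"
    }
}

# Flag the FAM-related service if it is registered, whatever its state.
$svc = Get-Service -Name $FamServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "FAM service present: $($svc.Name) (status $($svc.Status))"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets deployment tooling fail the install step
}

Write-Output 'No FAM service and none of the named FAM drivers were found.'
exit 0
```

Run it from an elevated PowerShell session on the S-TAP host after any of the three installation options; the non-zero exit code makes it usable as a gate in an automated rollout.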

Document Location

Worldwide


Document Information

Modified date:
22 February 2022

UID

ibm16249105