Installing BMC Defender File Integrity Monitor Adapter


The BMC Defender FIM Adapter is usually delivered as a self-extracting WinZip file that contains the install and uninstall programs, which reside in the wintools directory of the BMC Defender root directory. The install program normally starts automatically after the files are extracted. To uninstall the system, the operator opens the Windows Add / Remove Programs application and clicks the CorreLog Syslog Agent entry.

The 32-bit version can run on a 64-bit platform; it reaches the system32 folder (normally accessible only to 64-bit applications) through the standard sysnative path, as documented by Microsoft in various locations.

The BMC Defender FIM Adapter is specifically designed not to scatter DLLs or other files into system directories. All of its files reside in the BMC Defender root directory, by default C:\installationDirectory (although a different directory can be specified when extracting the files).

BMC Defender is uninstalled via the standard Windows Add / Remove Programs screen (or the Program Features screen on Vista platforms). Additionally, if you stop the BMC Defender syslog message service, the entire BMC Defender directory can simply be dragged and dropped into the Windows Recycle Bin, which effectively discards the entire installation.

Note

However, this still leaves the BMC Defender service entry in the Windows Service Manager, which is normally cleaned up by the uninstall procedure.

Basic installation steps

There are various ways to install the FMON agent and the BMC Defender Server. The following steps describe one basic method of installing the software on the managed platforms. As part of installation planning, you are encouraged to contact BMC Support engineers to discuss alternative installation techniques and obtain recommendations.

First, install the software on the BMC Defender Server. Once that software is installed, the operator installs each FMON Agent package on the managed platforms, using a technique similar to the Windows WTS installation, as follows:

  1. Obtain the main File Integrity Monitor installation package. This package is provided in the s-doc directory of the BMC Defender Server as a self-extracting WinZip archive.
    The s-doc\fi-agent.exe program is a 32-bit build, appropriate for both x32 and x64 architectures. When it runs on an x64 platform, the operating system must be Windows 2008 or later.
  2. Log into the BMC Defender Server platform with administrative permissions and transfer the executable to the target platform, for example via a shared disk, or by opening the following URL from the target platform:
    http://server/s-doc/fi-agent.exe
    The s-doc directory of the BMC Defender Server is served by the BMC Defender HTTP server and corresponds to the /s-doc URL. This allows you to download any file in the s-doc directory to a machine using a standard web browser.
  3. After copying or downloading the BMC Defender FMON Agent package, run the self-extracting WinZip file and extract the files to the target directory, by default C:\installationDirectory.
  4. When the self-extracting WinZip file completes, the automatic installation procedure starts.
    Review the license agreement, select the Click if you agree to the terms of the license check box, and click Next to proceed to the next screen.
  5. Follow the prompts of the automatic installation procedure. On the second screen of the dialog box, type the host name or IP address of the computer running the syslog server (normally the BMC Defender Server).
  6. When the installation is complete, the CO-Fmon.exe program is installed and running. On startup, this process sends a single syslog message to the configured destination host. Check that host to verify that the message was correctly sent and received.

The entire installation process normally takes only one minute or so. No other steps are needed to install and start the program.
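Step 6 asks you to confirm on the destination host that the agent's startup syslog message actually arrived. The following added example (not part of the original page, and not BMC's own tooling) is a minimal UDP syslog receiver for that check: it splits the RFC 3164 `<PRI>` header into facility and severity, rejects malformed datagrams, and waits for a message from the expected agent address. The exact text of the agent's startup message is not documented here, so the sample message below is constructed for illustration, and the port, listener address and timeout are assumptions you should adjust to your server's configuration.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 3164 framing: "<PRI>" followed by the message body.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogMessage:
    facility: int
    severity: str
    body: str
    source: str


def parse_syslog(raw: bytes, source: str = "unknown") -> Optional[SyslogMessage]:
    """Decode one datagram; return None if the <PRI> header is missing or out of range."""
    text = raw.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: facility 23, severity 7
        return None
    return SyslogMessage(
        facility=pri // 8,
        severity=SEVERITIES[pri % 8],
        body=m.group(2).strip(),
        source=source,
    )


def wait_for_startup_message(expected_source: str, port: int = 514,
                             timeout: float = 60.0) -> Optional[SyslogMessage]:
    """Listen on UDP/port until a well-formed message arrives from expected_source.

    Assumed defaults: UDP 514 on all interfaces (binding below 1024 needs
    administrative rights) and a 60 second wait. Returns None on timeout.
    Run this on the syslog destination host only if no other collector is
    already bound to the port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            while True:
                data, (addr, _) = sock.recvfrom(65535)
                msg = parse_syslog(data, source=addr)
                # Ignore traffic from other hosts so an unrelated sender
                # cannot be mistaken for the newly installed agent.
                if msg is not None and addr == expected_source:
                    return msg
        except socket.timeout:
            return None


# Constructed sample datagram (not the agent's real message text).
SAMPLE = b"<14>Jan  1 12:00:00 host01 CO-Fmon: agent started (constructed sample)"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE, "192.0.2.10"))
```

A parsed facility of 1 and severity "info" corresponds to PRI 14 in the sample; whatever facility the real agent uses, the useful check is that `wait_for_startup_message` returns a message whose `source` is the managed platform's address rather than None.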

Important differences between x32 and x64 operating systems

FIM supports both a 32-bit and 64-bit Windows host architecture. The following notes apply:

  1. The x32 version can run on either a 32-bit or 64-bit architecture. However, due to constraints of the Microsoft Windows operating system, the 32-bit version actually monitors the SysWow64 directory rather than the system32 directory. This might be confusing.
  2. The system32 directory is accessed via the sysnative path (which corresponds to the regular system32 path for 64-bit applications). This happens transparently, but it can matter when testing or demonstrating FIM operation: if you specify system32 in the configuration file as a target directory for monitoring, that folder is accessed via the sysnative folder.

These factors can be confusing. Normally, a 32-bit application cannot access 64-bit executables or DLLs. As a further limitation, Windows automatically and silently redirects any 32-bit executable to the syswow64 directory whenever it attempts to access the system32 directory.

Therefore, although the x32 version of the program appears to be operating in the system32 directory, the program is actually operating on the syswow64 directory.

Note

Although the x32 version runs on x64 platforms, it automatically and silently redirects file scans to the sysnative directory when system32 is specified to the agent. This is a very common source of confusion during testing and demonstration of the software.
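The redirection described in this section is easy to get wrong when writing or checking a file-monitoring configuration. The following added example (not part of the original page, and not the agent's own code) shows the two pieces a 32-bit scanner needs on a 64-bit host: detecting that it is running under WOW64, and rewriting a configured system32 path to the Sysnative alias so that the 64-bit system32 is scanned instead of SysWOW64. The WOW64 detection relies on the documented environment variables PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432; the `use_sysnative=False` branch only models what Windows does to a naive 32-bit process and is an assumption about a hypothetical agent, not a description of this product's internals.

```python
import os
import re
from typing import Mapping


def running_under_wow64(env: Mapping[str, str] = os.environ) -> bool:
    """True when a 32-bit process runs on 64-bit Windows.

    Under WOW64, Windows sets PROCESSOR_ARCHITECTURE to "x86" for the process
    and exposes the real host architecture in PROCESSOR_ARCHITEW6432.
    """
    return (env.get("PROCESSOR_ARCHITECTURE", "").lower() == "x86"
            and "PROCESSOR_ARCHITEW6432" in env)


# Matches "system32" either bare or under a <drive>:\Windows\ prefix, with an
# optional sub-path; case-insensitive, as Windows paths are.
_SYSTEM32_RE = re.compile(
    r"^(?P<root>(?:[A-Za-z]:\\windows\\)?)system32(?P<rest>\\.*|$)",
    re.IGNORECASE,
)


def effective_scan_path(configured: str, under_wow64: bool,
                        use_sysnative: bool = True) -> str:
    """Return the directory a 32-bit scanner actually opens for `configured`.

    On a 32-bit host, or for any path other than system32, the configured
    path is used unchanged. Under WOW64, a scanner that substitutes the
    Sysnative alias reaches the real 64-bit system32; one that does not is
    silently redirected by Windows to SysWOW64, which is the confusing
    behaviour described above. (A 32-bit process can alternatively call the
    kernel32 function Wow64DisableWow64FsRedirection around its file
    operations; that is not shown here because it only works on Windows.)
    """
    if not under_wow64:
        return configured
    m = _SYSTEM32_RE.match(configured)
    if not m:
        return configured
    alias = "Sysnative" if use_sysnative else "SysWOW64"
    return f"{m.group('root')}{alias}{m.group('rest')}"


if __name__ == "__main__":
    wow64 = running_under_wow64()
    for target in (r"C:\Windows\System32\drivers", "system32", r"C:\Data"):
        print(target, "->", effective_scan_path(target, wow64),
              "| naive 32-bit:", effective_scan_path(target, wow64, use_sysnative=False))
```

When a test scan of system32 reports only files that also exist under SysWOW64, compare the result of `effective_scan_path(..., use_sysnative=False)` with the Sysnative form: the difference is exactly the redirection this section warns about.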
