
STAS Registry Read Access vs WMI

So as I have stated in multiple other threads, I do not believe STAS WMI polling is working correctly, at least not for me.  It tests ok when I use the test function, but the logs always show the wrong person identified when the STAS client attempts to use WMI to connect and verify the user is still logged in, and so every 10 minutes it logs the person out of the XG incorrectly.  I have even run the manual WMIC query and it shows the right information while STAS shows the wrong information.

So that leads me to ask the following question: is there any reason I cannot use the Read Registry Access method?  The documentation is woefully silent about using it (it always says use WMI).  I am aware that I will have to make sure the Remote Registry service is running on the clients for it to work, but is there any negative impact to using this method?  Thanks in advance.



This thread was automatically locked due to age.
  • I've been experimenting some more and after switching to Registry Read Access, I later switched back to WMI, and for whatever reason it seems to be working correctly now and actually detecting log offs.  Go figure. 

  • Hi Bill,

    Could you verify the settings as per the KB https://sophos.com/kb/123156 regarding the logout issue?

  • We use STAS.EXE now - and in the past we used CTAS for UTM also.

    1. When we switched on LOGOFF detection (WMI IS FULLY working, we tested MANY times), some users are disconnected several times in a VERY short time interval. THEN the "learning mode" is activated in the XG firewall (as in https://community.sophos.com/kb/en-us/123156) and clients are "cut off" for two minutes.

    2. Is it possible to disable WMI/registry polling? WE HAVE information of client LOGIN/LOGOUT from Windows events. What is the purpose of "workstation polling"?

  • I know this is an old thread, but I didn't want STAS doing any sort of WMI polling or logoff detection. I only wanted to know which users were logged on to which computers using logging on the DC. Even though I disabled Logoff detection, it was still trying to poll via WMI (I noticed lots of DCOM errors for non-Windows devices).

    I actually ended up adding all subnets, even subnets I'm tracking for logons, to the Exclusion List tab under:  Logoff IP Address / Network Subnet mask Exclusion List

    I'm not sure if I will still have the intended behaviour in Sophos XG (time will tell), but no more DCOM errors and no more WMI polling is happening from what I can tell.
