STAS Registry Read Access vs WMI

So as I have stated in multiple other threads, I do not believe STAS WMI polling is working correctly, at least not for me.  It tests ok when I use the test function, but the logs always show the wrong person identified when the STAS client attempts to use WMI to connect and verify the user is still logged in, and so every 10 minutes it logs the person out of the XG incorrectly.  I have even run the manual WMIC query and it shows the right information while STAS shows the wrong information.

So that leads me to ask the following question: is there any reason I cannot use the Read Registry Access method?  The documentation is woefully silent about using it (it always says use WMI).  I am aware that I will have to make sure the Remote Registry service is running on the clients for it to work, but is there any negative impact to using this method?  Thanks in advance.
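The comparison the original poster describes (a manual WMI query versus what a registry-side poll can see for the same host) as an added PowerShell example; it is not part of the thread or of the Sophos STAS tooling. It assumes you run it from the collector as a domain account that is a local administrator on the target, that RPC/WMI is reachable, that `$Target` is a hostname you supply, and that the "Read Registry Access" method looks at the loaded profile hives under HKEY_USERS, which is an assumption about how STAS implements it, not something the thread confirms.

```powershell
# Added example (not from the thread or from Sophos): query one host with both
# signals STAS workstation polling can use, so a mismatch like the one the
# original poster saw ("WMI shows the wrong person") can be checked by hand.
# Assumptions: caller is a local admin on $Target, RPC/WMI reachable,
# $Target supplied by the operator.
param(
    [Parameter(Mandatory = $true)][string]$Target
)

# --- Signal 1: WMI (the "WMI" polling method) -------------------------------
# Same data as:  wmic /node:$Target computersystem get username
# Win32_ComputerSystem.UserName reports only the user who owns the *console*
# session. It is empty when nobody is at the console and it ignores extra
# RDP or fast-user-switched sessions, which is one way "the wrong person"
# (or no person) can be reported while someone is still logged on.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Target -ErrorAction Stop
$consoleUser = if ($cs.UserName) { $cs.UserName } else { '<none>' }
"[WMI]      console user      : {0}" -f $consoleUser

# --- Signal 2: Remote Registry (the "Read Registry Access" method) ----------
# Requires the RemoteRegistry service on the target. Check it through CIM so
# the same code works on Windows PowerShell 5.1 and PowerShell 7.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'" -ComputerName $Target
"[Registry] RemoteRegistry svc : {0} (start mode {1})" -f $svc.State, $svc.StartMode

if ($svc.State -eq 'Running') {
    # Each interactively logged-on domain user has a profile hive loaded under
    # HKEY_USERS, keyed by SID. Skip well-known SIDs and the *_Classes hives.
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $Target)
    try {
        $loaded = @($hku.GetSubKeyNames() |
            Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' })
    } finally {
        $hku.Close()
    }

    if ($loaded.Count -eq 0) {
        "[Registry] loaded profile    : <none>"
    }
    foreach ($sid in $loaded) {
        # Translate the SID to DOMAIN\user; an orphaned SID (deleted account)
        # cannot be resolved and is printed as-is.
        try {
            $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $acct = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $acct = '<unresolved SID>'
        }
        "[Registry] loaded profile    : {0} ({1})" -f $acct, $sid
    }
}
```

Run it as `.\Compare-LogonSignals.ps1 -Target PC01` (file name is your choice). If the WMI line and the registry lines disagree, the host has more than a single console logon (RDP, fast user switching, a service running under a user account) and no single-user polling method will give a clean answer; that is the situation the collector has to handle, not a fault in either query. Note that a loaded hive can remain under HKEY_USERS for a short while after logoff, so the registry signal lags rather than leads.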

  • I've been experimenting some more and after switching to Registry Read Access, I later switched back to WMI, and for whatever reason it seems to be working correctly now and actually detecting log offs.  Go figure. 

  • In reply to Bill Roland:

    Hi Bill,

    Could you verify the settings as per the KB https://sophos.com/kb/123156 regarding the logout issue?

  • In reply to Aditya Patel:

    We use STAS.EXE now - and in the past we used CTAS for UTM also.

    1. When we switched on LOGOFF detection (WMI IS FULLY working, we tested MANY times), some users are disconnected several times in a VERY short time interval. THEN the "learning mode" is activated in the XG firewall (as in https://community.sophos.com/kb/en-us/123156) and clients are "cut off" for two minutes.

    2. Is it possible to disable WMI/registry polling? WE HAVE information on client LOGIN/LOGOUT from Windows events. What is the purpose of "workstation polling"?

  • In reply to Jiri Hadamek:

    I know this is an old thread, but I didn't want STAS doing any sort of WMI polling or logoff detection. I only wanted to know which users were logged on to which computers using logging on the DC. Even though I disabled Logoff detection, it was still trying to poll via WMI (I noticed lots of DCOM errors for non-Windows devices).

    I actually ended up adding all subnets, even subnets I'm tracking for logons, to the Exclusion List tab under:  Logoff IP Address / Network Subnet mask Exclusion List

    I'm not sure if I will still have the intended behaviour in Sophos XG (time will tell), but no more DCOM errors and no more WMI polling is happening from what I can tell.

  • In reply to hillbillyIT:

    Why do you not want to perform any WMI? 

    The problem is, only login is reliable; there is no real log off event (in case of fast user switching etc.).

  • In reply to LuCar Toni:

    I don't have any multi-user computers, so really I just need to know who is using which host for easier report reading etc.

  • In reply to hillbillyIT:

    But what happens if the client simply shuts down? No report is generated, and the user will be there forever.

    Basically there is no reason for not using WMI? 

    You could start to implement Clientless User... 

  • In reply to LuCar Toni:

    It was filling up my event log with DCOM errors trying to WMI to printers and mobile devices which I didn't feel like adding as clientless users or subnetting off. Too many devices that aren't Windows devices to add. Plus, I only want the user attached to logs - I don't care if they never "log off" of the Sophos XG.

  • In reply to hillbillyIT:

    Are you saying you have only one subnet with all clients / printers / IoT devices included? I would recommend not having such a setup at all. Take a look at all those attacks.

  • In reply to LuCar Toni:

    Not saying that at all - I have a few subnets, but some devices which I control are allowed on the domain's subnet