We are facing several problems with STAS Logoff detection method - WMI after the lasted Windows updates mid of June.All computers are returned Access Denied when we execute WMI test over STAS. This is causing a big problem with discnnection users.
Is there any Sophos Staff or someone that has the solution for this ?
We already try change several Regedit entries, but without sucess.
Vivek, all communications are OK.From STAS and Windows. As I told, there are other hosts that are working. Is not a general problem. This problem happen after Windows Update, there are other vendros facing…
If WMI gives you access deny, you should consult Microsoft to get this resolved. The WMIc Test is a basic Microsoft tool
Hi LuCar Toni
I agree with you, but I already contact Microsft and dot WMIC tests before ask here, and the WMIC test it works, so Im asking here, because SOPHOS will be aware about it and had a possible solution.
So you did a wmic test from the same client with the STAS Collector installed and this WMIC gives you a result? Can you post a screenshot of those results?
It is in PT_BR language,
And if you do wimc?
I have some end customers that are facing this problem since a week or two to now. And the only change it was done Windows Update :)
Hey Carlos Cesario,Troubleshoot WMI connectivity issue with Sophos STAS - https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/126817/troubleshoot-wmi-connectivity-issue-with-sophos-stas
Thanks & Regards,_______________________________________________________________
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
You can look at a tcpdump at the level of the firewall and compare both WMI requests.
WMI uses dynamic ports but simply dump both types with tcpdump -ni any host server_ip and host Client_ip -b -w /tmp/wmi.pcap
Then download this dump from the firewall and check both requests.
You can also check the accounts you are using to run the STAS. Is there a change? Do you run STAS as an admin?
Hi Vivek Jagad, sure, I already check it. As I told, this is not a new deploy and a several customers reporting this kind of problem in a environment that it was working. But Im continue checking...
LuCar Toni, Yes, Im using the same user. But I already tested with Administrator, without success.
I will try investigate it.