SophosUpdate has failed: Failed to initialize COM

Frequently my server (OS: Windows Server 2012 R2) doesn't update the agent, and a warning message appears on the Central console.

On the server, ping and connecting to http://dci.sophosupd.com/index.html succeed. The previous technical support had reinstalled the software on the server.

On every update from the console, in SophosUpdate.log I see:

2018-06-20T10:48:13.875Z [ 5908] INFO WinMain =========================
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain SophosUpdate is starting.
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain AutoUpdate version : 5.8.411
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain SophosUpdate version : 5.8.324
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain Build : 210357
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain =========================
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Platform ID: WIN_81_SVR_X64
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Platform upgraded: 0
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Subscription: WindowsCloudServer RECOMMENDED 1
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Subscription: WindowsCloudServerAV RECOMMENDED 1
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Subscription: WindowsCloudServerHitmanProAlert RECOMMENDED 1
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Subscriptions changed: 1
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT MTD NTP SAV SDU WEBCNTRL XPD
2018-06-20T10:48:13.875Z [ 5908] INFO Environment::Print Features changed: 0
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain Set process security
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain Initialise COM.
2018-06-20T10:48:13.875Z [ 5908] ERROR WinMain SophosUpdate has failed: Failed to initialize COM.



This thread was automatically locked due to age.
  • Hello Luigi De Franco,

    There are just two posts mentioning this error in the entire community - unfortunately both without a solution.
    Is there perhaps a corresponding entry in the Windows Event log which provides the error code?

    Christian

  • No event.

    I suppose that to resolve the issue I must reinstall the agent :-(

  • Failing to initialize COM seems very fundamental and this must be being called by other applications on the computer.

    As a test to see what's happening, with a tool such as API Monitor (www.rohitab.com/apimonitor) you can monitor the API calls of a process and by default the child processes.

    So running SophosUpdate.exe (C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\) from the x86 tool, you can see the API calls being made.  Of course this is running as you, the logged on user, rather than as Local System as it is when the AutoUpdate service kicks off the SophosUpdate.exe process.

    You could use "psexec -s -i cmd" to generate a command prompt running as Local System, then launch API Monitor from that before launching the SophosUpdate.exe process. This should mean it's running as system, albeit in an interactive session rather than non-interactive, but it may not matter when generating the error.

    CoInitialize is a function as described here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms678543(v=vs.85).aspx, so we know it's in the DLL ole32.dll.  

    Here is an example from my computer, Windows 10, when launching SophosUpdate.exe monitoring the above API call:

    So it seems it is just being called as: CoInitialize(NULL).  If that's the case, I would expect a simple C++ app that calls this API to also fail.

    E.g.

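    #include <atlbase.h>
    #include <atlcom.h>
    #include <iostream>

    int main()
    {
        // Same call SophosUpdate.exe makes: initialise COM on this thread.
        HRESULT hr = CoInitialize(NULL);

        // Print the raw HRESULT in hex so it can be looked up.
        std::cout << "hr: 0x" << std::hex << static_cast<unsigned long>(hr) << std::endl;

        if (SUCCEEDED(hr)) {
            std::cout << "OK" << std::endl;
            CoUninitialize();  // balance the successful CoInitialize
            return 0;
        }

        std::cout << "Fail" << std::endl;
        return 1;
    }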

    That would give you the return code as would API Monitor in the Error column as shown in the screenshot.

    If I had to guess, maybe there is a third party module being loaded into the SophosUpdate.exe process that is causing a problem?  Maybe Process Monitor the run, to see what modules are being loaded.

    Hope it helps.

    Regards,

    Jak

  • Was that running as your account rather than system?

    What about performing the same thing, but maybe run:

    PsExec.exe -s -i "C:\Program Files\rohitab.com\API Monitor\apimonitor-x86.exe"

    Then perform the same thing?

    Does the error message in the log tie up with the calls to the API you see?  Maybe remove the module filter, repeat the same test, then just line up the log file error with the API Monitor trace. Does anything fail around that time?  The other option is to run Process Monitor as well, but I would have thought it's the response from an API that's the issue here rather than the ability to perform file or registry access.  Maybe try both in combination.

    Regards,
    Jak
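
Added example (not part of the original posts, and not Sophos code): one way to line up the log error with an API Monitor or Process Monitor trace is to pull each failed run out of SophosUpdate.log with its PID, the last step logged before the error, and a time window around the failure. The sample lines are constructed in the format of the excerpt above; the function names and the 2-second slack are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the SophosUpdate.log format quoted in the thread.
# The second run (PID 6120) is invented for illustration.
SAMPLE_LOG = """\
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain SophosUpdate is starting.
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain Set process security
2018-06-20T10:48:13.875Z [ 5908] INFO WinMain Initialise COM.
2018-06-20T10:48:13.875Z [ 5908] ERROR WinMain SophosUpdate has failed: Failed to initialize COM.
2018-06-20T11:48:14.102Z [ 6120] INFO WinMain SophosUpdate is starting.
2018-06-20T11:48:14.110Z [ 6120] INFO WinMain Initialise COM.
2018-06-20T11:48:14.125Z [ 6120] ERROR WinMain SophosUpdate has failed: Failed to initialize COM.
"""

# timestamp, [pid], level, source, message
LINE_RE = re.compile(r"^(\S+Z)\s+\[\s*(\d+)\]\s+(\w+)\s+(\S+)\s+(.*)$")

def parse_line(line):
    """Return (utc_time, pid, level, source, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, level, source, msg = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return when, int(pid), level, source, msg

def failed_runs(text, slack=timedelta(seconds=2)):
    """Group lines into runs by PID and report every run that logged an ERROR."""
    runs = {}        # pid -> run currently being read
    failures = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, pid, level, _source, msg = rec
        # A start banner (or an unseen PID) opens a new run; this also handles PID reuse.
        if msg == "SophosUpdate is starting." or pid not in runs:
            runs[pid] = {"pid": pid, "start": when, "last_step": None}
        run = runs[pid]
        if level == "ERROR":
            failures.append({**run, "error_time": when, "error": msg,
                             "window": (run["start"] - slack, when + slack)})
        else:
            run["last_step"] = msg   # last thing logged before any later error
    return failures

if __name__ == "__main__":
    for f in failed_runs(SAMPLE_LOG):
        print(f["pid"], f["last_step"], "->", f["error"], f["window"])
```

The log timestamps end in Z (UTC), so apply `astimezone()` to the window bounds when comparing against a trace that displays local time.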

  • Hi Jak,

    Thanks in advance, but I opened the case with support.