Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 38 replies
  • Subscribers 3 subscribers
  • Views 66771 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

A Windows API call returned error 1909 [0x00000070]

KAR AAR

 Hi Experts :) ,

 

I am facing an issue with the following ESC. We have Windows 7 and 10 OS installed in our environment. Below is the error I am getting.

Actually the Update is failing with the below error, and sometimes it updates successfully but next moment if I check it says Failed and the reason shows account locked. Whereas I've also checked the account in local machines its not locked. 

Would highly appreciative if I get quick response and support in solving this issue.

 

Please find error attached.

 

Thanks

Best Regards

Faisal



This thread was automatically locked due to age.
  • 0 in reply to KAR AAR

    Hello Faisal,

    the Download failed errors are usually transient (i.e. a subsequent download/update succeeds)
    Could not find a source might be transient as well (happens for example when an endpoint tries to update when the network connection is not yet established)
    I have a few endpoints that report the correct update location but updating fails with no update source. Have not yet determined the actual cause, a reinstall might fix this
    Finally the Failed to install - you'd have to check the Sophos Anti-Virus logs (Install, Uninstall, MajorActions) in \Windows\Temp\ on the endpoint

    Christian

  • 0 in reply to QC

    Hello QC,

     

    All the machines were working fine earlier but recently this issue has started. I am also surprised and confused why the machines are getting successful updates and then failing. 

    I will provide you the local log shortly so that can help us to dig down the root cause :)

    Regards

    Faisal

  • 0 in reply to jak

    Hi QC and Jak,

     

    Why there's an error "Differs from policy" with some of the machines ? Any idea.

     

    Regards.

    Faisal

  • 0 in reply to jak

    Hello Jak,

     

    Is there any procedure to set IIS as https rather than http for security ?

    Thanks for your best support.

     

    Regards

    Faisal

  • 0 in reply to KAR AAR

    I don't believe that version of SAU supports HTTPS at least from a non Sophos update location.  I know that the Sophos Central AutoUpdate client can pull files using HTTPS.

    That said, the files being downloaded over that channel are just Sophos files.  Unless you put your own custom files in the CID (configcid.exe [https://community.sophos.com/kb/en-us/13112] would need to be used), then you're only downloading.  SUM on the server is pulling the same set of files using HTTP also.

    There is no chance of tampering with the files as they all have content derived names and signatures are used.

    As for differs from policy, which component differs?  This article is a good starting point: https://community.sophos.com/kb/en-us/113069

    Regards,

    Jak

  • 0 in reply to jak

    Hi Jak / QC,

     

    Having an issue with some machines as below screen shoot. Also the way http has started generating the traffic on network as we are using QRadar for log monitoring there we can see that Sophos is using "user" account and Authentication failures messages being generated :( . Any tip to resolve this issue ?

    Regards

    Faisal

  • 0 in reply to KAR AAR

    Given the screenshot, there are potentially a number of issues.

    The "Not since x" updating messages, these could be fine, without seeing the connected state of the endpoint or last message time it's hard to say if these are OK.

    There are a number of errors of course but I can't see the details.  You might have to focus on one error/computer initially.

    As for the QRadar log monitoring, which user account are you seeing issue with?  The local sophossau account or the account defined in the updating policy?

     

     

  • 0 in reply to jak

    Hello Jak,

    The screenshot I've sent you is of connected state machines.

    In QRadar its showing as following.

    Username SophosSAUPxyz
    Description Multiple Login Failures for the Same User
    preceded by Login failure to a disabled account.
    containing Failure Audit: An account failed to log on

    Regards

    Faisal

  • 0 in reply to KAR AAR

    The referenced account SophosSAUPxyz presumably has been altered by you to obscure the machine name or part of it?

    Based on the machine name or part of it, can you check that that computer has received the updating policy and is now using a HTTP path?

    Could it be that the one (or more?) clients which are causing the alerts in QRadar just haven't received the updating policy?

    The connected state for a computer in SEC, should be maintained (RMS issues) aside by the Sophos Management Service as per this article:
    https://community.sophos.com/kb/en-us/113293

    There is also a last message time column in SEC just to confirm that it is indeed messaging in.  The last message time will be updated when either an event takes place or when there is a status message.  A status happens at Sophos Agent startup and when a managed component changes in some way.  An ide update for example would cause a new status message. 

    I just want to be sure that these computer are messaging.

    For a computer that is showing as Not since, can you check that under: \program files (x86)\sophos\sophos anti-virus\ there is a recent .ide file.  This would prove that the client is updating and is in sync with the distribution point it is updating from.  There are install logs under \windows\temp\ also for Sophos.

    Beyond that, I'd probably check the RMS logs (Agent and Router) to see that Status messages are being sent to the management server.

    Regards,

    Jak

  • 0 in reply to jak

    Dear Jak,

    Here's the screenshot of the IDE file. Why this is not generating the updated IDE file ? The path is also Program Files.

    Regards

    Faisal

Unfiltered HTML