Issue
The following updating error is in the ALC.log file:
There was a problem while establishing a connection to the server. Details: LogonUser ("Sophos<computerName>", ".", ...) failed A Windows API call returned error 1329
First seen in Sophos Anti-Virus for Windows 2000+ 7.6.21
A local security policy or GPO is restricting this account (or accounts) from accessing the network.
The account is created by Sophos AutoUpdate and used for impersonation so that it can access the network to download files from a remote location.
The impersonation account is needed because AutoUpdate normally runs as local SYSTEM, which does not have the privileges to make a network connection. AutoUpdate therefore impersonates the account it creates to get access to the network. It then uses the supplied credentials (if there are any) from the updating policy to access the distribution folder.
1329 Logon failure: user not allowed to log on to this computer
A workaround is to add the Sophos AutoUpdate impersonation account (which is not normally a member of any group) to the 'Users' Windows security group.
However, it is recommended that you investigate which GPO is causing the problem by locking down or restricting the user account (or the impersonation of user accounts) and resolve the issue that way.
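One way to start that investigation, as an added example (not Sophos code): export the effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check which logon rights reach the impersonation account with and without membership of 'Users'. The page does not say which logon right AutoUpdate needs, so the script reports all four; the account name and the sample export are constructed.

```python
# Added example: evaluate logon rights from a `secedit /export` INF file.
LOGON_RIGHTS = ["SeNetworkLogonRight", "SeInteractiveLogonRight",
                "SeBatchLogonRight", "SeServiceLogonRight"]
USERS_SID = "S-1-5-32-545"            # BUILTIN\Users
ACCOUNT = "SophosEXAMPLEPC"           # hypothetical impersonation account name
# Assumption: a local account's token also carries Everyone and Authenticated Users.
BASE = {ACCOUNT, "S-1-1-0", "S-1-5-11"}

# Constructed sample of a locked-down export (not taken from a real machine).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def logon_report(rights, principals):
    """Map each logon right to 'denied', 'granted' or 'not granted'."""
    ids = {p.lower() for p in principals}
    report = {}
    for right in LOGON_RIGHTS:
        deny = right.replace("Se", "SeDeny", 1)   # e.g. SeDenyNetworkLogonRight
        if rights.get(deny, set()) & ids:
            report[right] = "denied"              # an explicit deny wins
        elif rights.get(right, set()) & ids:
            report[right] = "granted"
        else:
            report[right] = "not granted"
    return report

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for label, who in (("no groups", BASE), ("in Users", BASE | {USERS_SID})):
        print(label, logon_report(rights, who))
```

A real export is UTF-16 encoded, so read it with `open(path, encoding="utf-16")`. The export shows the effective setting only; `gpresult /h report.html` shows which GPO applied it.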