Issue: Updates are failing and Security Event 529 is logged on the Domain Controller by local SophosSAU accounts.
Sophos product and version: Sophos Anti-Virus for Windows 2000+
Operating system: Microsoft Windows Server
HKLM\Software\Sophos\AutoUpdate\Service\
Download User=<DOMAIN>\<USER> with relevant password
The following event is logged twice in the Security log on the domain controller:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: domain controller computer name
Description:
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Sophos_ALC_Service
    Domain: client computer name
    Logon Type: 3
    Logon Process: KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: client computer name
For more information, see the Microsoft Help and Support Center at http://support.microsoft.com.
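For triage on the domain controller, the following added example (not Sophos code and not part of the original article) parses exported event text in the format shown above and counts event 529 failures from local Sophos update accounts per client, keeping them apart from other failed logons. The sample events, the computer names and the SophosSAU prefix match are constructed assumptions.

```python
import re
from collections import Counter

# Field labels as they appear in the event 529 description quoted in the article.
FIELD_RE = re.compile(
    r"^[ \t]*(Event ID|User Name|Domain|Logon Type|Workstation Name):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)
# Account names from the article; matching on the SophosSAU prefix is an assumption.
SOPHOS_ACCOUNT_RE = re.compile(r"^(SophosSAU|Sophos_ALC_Service)", re.IGNORECASE)


def parse_event(text):
    """Return the labelled fields of one exported event as a dict."""
    return dict(FIELD_RE.findall(text.replace("\r", "")))


def is_sophos_local_failure(ev):
    """True for a 529 network-logon failure by a local Sophos update account."""
    domain = ev.get("Domain", "").lower()
    workstation = ev.get("Workstation Name", "").lower()
    return (
        ev.get("Event ID") == "529"
        and ev.get("Logon Type") == "3"
        and SOPHOS_ACCOUNT_RE.match(ev.get("User Name", "")) is not None
        # Local account: the Domain field holds the client's own computer name.
        and domain != ""
        and domain == workstation
    )


def affected_clients(events):
    """Count matching failures per client workstation."""
    parsed = map(parse_event, events)
    return Counter(
        ev["Workstation Name"].upper() for ev in parsed if is_sophos_local_failure(ev)
    )


def _sample(user, domain, workstation):
    """Build one constructed event in the layout quoted in the article."""
    return (
        "Event Type: Failure Audit\nEvent ID: 529\nUser: NT AUTHORITY\\SYSTEM\n"
        f"User Name: {user}\nDomain: {domain}\nLogon Type: 3\n"
        f"Workstation Name: {workstation}\n"
    )


# Constructed sample data: the article's event is logged twice per failure.
SAMPLE_EVENTS = [
    _sample("Sophos_ALC_Service", "CLIENT07", "CLIENT07"),
    _sample("Sophos_ALC_Service", "CLIENT07", "CLIENT07"),
    _sample("SophosSAUCLIENT120", "CLIENT12", "CLIENT12"),
    _sample("jsmith", "EXAMPLE", "CLIENT07"),  # domain user: not a Sophos local account
]

if __name__ == "__main__":
    for client, count in affected_clients(SAMPLE_EVENTS).items():
        print(f"{client}: {count} Sophos update logon failures")
```

Failures that do not match the filter, such as the domain-user event in the sample, remain in the normal failed-logon review queue.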