
A Windows API call returned error 1909 [0x00000070]

 Hi Experts :) ,

 

I am facing an issue with the following ESC. We have Windows 7 and 10 OS installed in our environment. Below is the error I am getting.

Actually the update is failing with the below error, and sometimes it updates successfully, but the next moment if I check, it says Failed and the reason shows account locked. Whereas I've also checked the account in local machines, it's not locked.

I would highly appreciate a quick response and support in solving this issue.

 

Please find error attached.

 

Thanks

Best Regards

Faisal



This thread was automatically locked due to age.
  • Hello Faisal,

    this is strange as the accounts mentioned are apparently the local SophosSAU accounts created by the installer (with User cannot change password and Password never expires set). Does this affect all endpoints and when did this start?

    > the account in local machines, it's not locked

    As only AutoUpdate uses this account and should "know" the correct password I can't see why the lockout should occur in the first place. The lockout time is set with the Account Security Policy (minimum one minute) so they might get unlocked automatically.
    AFAIK AutoUpdate nevertheless tries to make the connection and updates should succeed if there is no other issue. Are the endpoints shown as up to date in the Console? 

    Christian

  • Hello QC,

     

    Regarding the endpoints update, please find the attached screenshot.

    Regards

    Faisal

  • Hello Faisal,

    > any policy in Sophos

    No, account lockout is a Windows setting and, as said, I don't see how AutoUpdate could cause this behaviour. Could you show the errors in the updating log from an endpoint (local Sophos GUI → View updating log) starting at the end of a successful update like this:

    Christian

  • ++Jak

    In this case I suspect all the update traffic will route to the internet; I can't use the internet for a big number of machines.

    Please correct me if I am wrong.

    Regards

    Faisal

  • No, you can get the clients to update from your server but rather than using UNC, they can use HTTP.

    So if you have say a single management server, this is maintaining a CID/Distribution point.  If you add the IIS role (you could use any web server), you can share the CID/Distribution point out using that.  The KBA details IIS.

    The clients can then use http://server rather than \\server\ for example.

    Regards,

    Jak

  • QC,

    How to know from the console about the machine account used for update? i.e.

    Regards

    Faisal

  • The local machine account (SophosSAU...) is created by the AutoUpdate installer.  

    Note: You can follow this procedure:

    https://community.sophos.com/kb/en-us/48910

    ...if you want to use your own account.  I'm not suggesting this as a fix but knowledge of this may be useful for troubleshooting as at least you'd have control over the account/password etc.

    The local account is used by the update process (alupdate.exe) to be able to "see" the network as the process is running as SYSTEM.  It then goes on to perform the download from the server using the updating account specified in the updating policy.

    Maybe  can confirm; as I'm sure he has at least one client using HTTP updating and I only have a Mac available to me at the moment, that if you enable auditing of account logon events at the client, with HTTP updating, the SophosSAU account is not used.  For a client which is performing UNC updating, I assume you see the auditing event for the sophossau account.  This could prove if it's not used with HTTP vs UNC.

    Regards,

    Jak

  • Thanks Jak,

     

    Using the link you provided with "http" has solved my issue. My one last question is about the security. Is it secure to use this way or unsafe?

     

    Thanks

    Regards

    Faisal

    Any advice for this issue?

     

     

    Regards

    Faisal

  • Hello Jak and Faisal,

    Correct, contrary to the SophosSAU article (It checks if the machine can connect to resources via UNC or HTTP) the impersonation account is only used for UNC connections.
    As said, the 1909 should be preceded by some other error but as only the last one during an update is reported to the console the local AutoUpdate log must be checked. Also I still can't see why the update should sometimes work and sometimes not.

    Hmm, in your first screenshot I see that the SophosSAU account and computer names don't always match. Have the machines been renamed or do you have machines which have been cloned from an image?

    Christian
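
The audit check Jak suggests and the name mismatch Christian points out can be read from the same Security-log data. The following is an added example, not code from the thread or from Sophos: the function names, the sample records and the assumption that a SophosSAU account name embeds the computer name are all hypothetical.

```powershell
# Added example. Records below are constructed; names and counts are not from the thread.
# Event IDs: 4624 = logon, 4625 = failed logon, 4740 = account locked out.

# Flattens a live Security-log record into the shape used below. Run elevated:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4740} |
#       ConvertTo-AuditRecord
function ConvertTo-AuditRecord {
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Id             = $Record.Id
            Computer       = ($Record.MachineName -split '\.')[0]
            TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    }
}

# Per computer and SophosSAU account: logons, failures, lockouts, name match.
function Get-SauAuditSummary {
    param([Parameter(Mandatory)][object[]]$Records, [string]$Prefix = 'SophosSAU')
    $Records | Where-Object { $_.TargetUserName -like "$Prefix*" } |
        Group-Object Computer, TargetUserName | ForEach-Object {
            $g = $_.Group
            [pscustomobject]@{
                Computer    = $g[0].Computer
                Account     = $g[0].TargetUserName
                Logons      = @($g | Where-Object Id -eq 4624).Count
                Failures    = @($g | Where-Object Id -eq 4625).Count
                Lockouts    = @($g | Where-Object Id -eq 4740).Count
                # Assumption: the account name embeds the computer name.
                NameMatches = $g[0].TargetUserName -like "$Prefix*$($g[0].Computer)*"
            }
        }
}

# Constructed sample: PC010 is healthy, PC022 carries another machine's account.
$sample = @(
    [pscustomobject]@{ Id = 4624; Computer = 'PC010'; TargetUserName = 'SophosSAUPC0100' }
    [pscustomobject]@{ Id = 4624; Computer = 'PC010'; TargetUserName = 'SophosSAUPC0100' }
    [pscustomobject]@{ Id = 4624; Computer = 'PC010'; TargetUserName = 'Administrator' }
    [pscustomobject]@{ Id = 4625; Computer = 'PC022'; TargetUserName = 'SophosSAUPC0150' }
    [pscustomobject]@{ Id = 4625; Computer = 'PC022'; TargetUserName = 'SophosSAUPC0150' }
    [pscustomobject]@{ Id = 4740; Computer = 'PC022'; TargetUserName = 'SophosSAUPC0150' }
)
Get-SauAuditSummary -Records $sample | Format-Table -AutoSize
```

A client on HTTP updating that returns no SophosSAU rows at all, while a UNC client does, is the comparison Jak describes; a row with `NameMatches` false and a non-zero `Lockouts` count is the renamed or cloned machine case.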

  • Hello Faisal,

    the Download failed errors are usually transient (i.e. a subsequent download/update succeeds)
    Could not find a source might be transient as well (happens for example when an endpoint tries to update when the network connection is not yet established)
    I have a few endpoints that report the correct update location but updating fails with no update source. Have not yet determined the actual cause, a reinstall might fix this
    Finally the Failed to install - you'd have to check the Sophos Anti-Virus logs (Install, Uninstall, MajorActions) in \Windows\Temp\ on the endpoint

    Christian

  • Hello QC,

     

    All the machines were working fine earlier but recently this issue has started. I am also surprised and confused why the machines are getting successful updates and then failing. 

    I will provide you the local log shortly so that it can help us dig down to the root cause :)

    Regards

    Faisal
