
False Positive from Sophos - Server 2016, TiWorker.exe blocked when trying to install new roles / features

I was able to work around this by disabling Intercept X, but this seems like a fairly serious problem. Sophos was blocking any attempt to install a new server role / feature from Windows Server Manager. Event Viewer details below.

Please fix this false positive, as this is a hugely common administrative task in Windows Server.

Thanks.

*******************************************************************

Mitigation   CryptoGuard

Platform     10.0.14393/x64 v610 06_2c$
PID          16848
Application  C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe
Description  Windows Modules Installer Worker 10

Filename     C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe

C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\msdbdata.mdf
C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\master.mdf
C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\model.mdf


Process Trace
1  C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe [16848]
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe -Embedding
2  C:\Windows\System32\svchost.exe [420]
C:\Windows\system32\svchost.exe -k DcomLaunch

Thumbprint
d04005d08ec738a03784b9bcbe53cce699174254b7472569c76254ba2bc6093c

 


