False Positive from Sophos - Server 2016, TiWorker.exe blocked when trying to install new roles / features

I was able to work around this by disabling Intercept X, but this seems like a fairly serious problem.  Sophos was blocking any attempt to install a new server role / feature from Windows Server Manager.  Event Viewer details below

Please fix this false positive, as this is a hugely common administrative task in Windows Server.

Thanks.

*******************************************************************

Mitigation   CryptoGuard

Platform     10.0.14393/x64 v610 06_2c$
PID          16848
Application  C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe
Description  Windows Modules Installer Worker 10

Filename     C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe

C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\msdbdata.mdf
C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\master.mdf
C:\Windows\WinSxS\amd64_microsoft-windows-wid-templates_31bf3856ad364e35_10.0.14393.0_none_79c95e74ce871bdf\model.mdf


Process Trace
1  C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe [16848]
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe -Embedding
2  C:\Windows\System32\svchost.exe [420]
C:\Windows\system32\svchost.exe -k DcomLaunch

Thumbprint
d04005d08ec738a03784b9bcbe53cce699174254b7472569c76254ba2bc6093c

This thread was automatically locked due to age.
  • Hello Bryan,

    We have a case logged for this false positive, and the team are currently working on a fix. In the meantime, you should be able to add an exclusion for this detection:

    In Sophos Central, open Server Protection and Settings. Under General select 'Global Scanning Exclusions', Add Exclusion and select Detected Exploits from the list. You should see an entry for the FP you note above. 

    I know this is covered at a high level in the KB Christian posted, just adding an update on our support case.

    Stephen
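Before adding a "Detected Exploits" exclusion for a detection like the one above, it is worth confirming that the flagged binary really is the Microsoft-signed servicing-stack worker and that the file on disk matches what Sophos reported, rather than trusting the path alone. The PowerShell below is an added example for this thread, not code from Sophos or from either poster. It uses the TiWorker.exe path and the Thumbprint value quoted in the detection; the assumption that the Thumbprint is the file's SHA-256 (it is 64 hex characters) is ours and is not something the page states.

```powershell
# Added example (not from the Sophos thread): sanity-check a CryptoGuard detection
# on TiWorker.exe before excluding it. Run in an elevated PowerShell on the server.
#
# Assumptions (not stated on the page):
#  - the "Thumbprint" in the Sophos event is the SHA-256 of the flagged file;
#  - the genuine worker is Authenticode/catalog-signed with a Microsoft Corporation
#    signer certificate and lives under the WinSxS servicing-stack directory.

# Path and thumbprint copied from the detection details quoted in the thread.
$FlaggedPath = 'C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\TiWorker.exe'
$ReportedThumbprint = 'd04005d08ec738a03784b9bcbe53cce699174254b7472569c76254ba2bc6093c'

function Test-FlaggedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Flagged file not found: $Path"
    }

    # 1. Signature: the servicing stack is catalog-signed by Microsoft. On Server 2016
    #    Get-AuthenticodeSignature resolves catalog signatures, so a genuine file reports
    #    'Valid' with a Microsoft Corporation signer.
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    # 2. Hash: the file on disk must be the one Sophos actually flagged. A mismatch means
    #    the file changed since the detection (or the thumbprint is not a SHA-256), and
    #    the exclusion should not be added blindly.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $hashOk = ($actual -eq $ExpectedSha256.ToLowerInvariant())

    # 3. Location: TrustedInstaller launches TiWorker.exe from the WinSxS servicing-stack
    #    directory. A same-named binary anywhere else deserves a closer look, not an exclusion.
    $pathOk = $Path -like 'C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_*\TiWorker.exe'

    [pscustomobject]@{
        Path                 = $Path
        SignatureStatus      = $sig.Status
        Signer               = $sig.SignerCertificate.Subject
        Sha256               = $actual
        MatchesReport        = $hashOk
        SignerIsMicrosoft    = $signerOk
        PathIsServicingStack = $pathOk
        SafeToExclude        = ($signerOk -and $hashOk -and $pathOk)
    }
}

# Usage: review the object; only proceed with the Sophos Central exclusion when
# SafeToExclude is True.
Test-FlaggedBinary -Path $FlaggedPath -ExpectedSha256 $ReportedThumbprint | Format-List
```

If SignatureStatus comes back as anything other than Valid, or the signer is not Microsoft, treat the event as a real detection and open a support case with the hash rather than excluding it. The three .mdf files listed in the detection are Windows Internal Database templates that the servicing stack copies when the role is installed, which is consistent with the false positive described in the thread, but the check above is about the process that was blocked, not those files.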
