
Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


I've researched the TiWorker.exe and it is a legit executable. In my environment, it seems to have a unique HASH for each server and it runs from the below folder:

Windows Directory -> WinSxS -> amd64_microsoft-windows-servicingstack_***

The *** denotes that there is a very long, unique string attached to the folder name after "servicingstack_". The *** is usually 16 numbers/letters, followed by a version, then "none" and then ends with another 16 characters. After all of that, the TiWorker.exe is contained in that folder. Below is an example:

C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.1.14393.2782_none_7ee3347222082816\TiWorker.exe

This shows up fairly often in an environment of about 3,000 servers. It doesn't show up in batches. Over a weekend, I'll get maybe two or three.

Here are the issues I am having. The TiWorker.exe needs to be an updater in order for the events to go away. I've tried using various custom policies for updaters, and just can't seem to get these events to not show up. Below are some of the options I've tried:

I tried making ....\amd64_microsoft-windows-servicingstack_*\ a "trusted directory" with the "run as Updater" option for that trusted directory. I still get the events on servers that have the policy on them. I am not sure if the wildcard is the issue or something else. I know this is not ideal, but I ran this as a test just to see if it was possible, but to no avail.

I've tried making just TiWorker.exe an updater by name; not by HASH and without any folders preceding the executable name. Is it possible to set up an updater this way? If so, do I need to have the entry as "\TiWorker.exe" or would "TiWorker.exe" suffice?

Any ideas on what I can do to suppress these events and allow them? I was able to set up the policies to allow it to execute without getting blocked, but the Updater portion of the policy is what I am having trouble with.

Thanks for your time. Let me know if you need any more information or if I need to clarify any of the above.
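
The folder layout described in the question can be checked mechanically when triaging exported event paths. The following is an added example, not part of the original post and not McAfee code: it parses the path into its fields and separates paths that fit the servicing stack layout from those that need manual review. It assumes the 16-character fields are hex and that the Windows directory is `<drive>:\Windows`; the function names and sample list are hypothetical.

```python
import re
from collections import Counter

# Layout described in the post:
#   <Windows dir>\WinSxS\amd64_microsoft-windows-servicingstack_<16 chars>_<version>_none_<16 chars>\TiWorker.exe
# Assumptions (not from the post): the 16-character fields are hex and the
# Windows directory is "<drive>:\Windows".
SERVICING_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\WinSxS\\"
    r"amd64_microsoft-windows-servicingstack_"
    r"(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){2,})_none_"
    r"(?P<suffix>[0-9a-f]{16})"
    r"\\TiWorker\.exe$",
    re.IGNORECASE,
)

def parse_tiworker_path(path):
    """Return the folder-name fields, or None if the path does not fit the layout."""
    m = SERVICING_RE.match(path.strip().strip('"'))
    return m.groupdict() if m else None

def triage(paths):
    """Split event paths into per-version counts and a list needing manual review."""
    by_version, review = Counter(), []
    for p in paths:
        fields = parse_tiworker_path(p)
        if fields:
            by_version[fields["version"]] += 1
        else:
            review.append(p)
    return by_version, review

# Constructed sample: the first path is the example from the post; the others
# are made up and do not fit the described layout.
SAMPLE_EVENTS = [
    r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.1.14393.2782_none_7ee3347222082816\TiWorker.exe",
    r"C:\Users\Public\TiWorker.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_extra\TiWorker.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.1.14393.2782_none_7ee3347222082816\sub\TiWorker.exe",
]

if __name__ == "__main__":
    versions, review = triage(SAMPLE_EVENTS)
    print("matched by version:", dict(versions))
    for p in review:
        print("review:", p)
```

Grouping by version shows whether events cluster around a particular servicing stack release, and anything in the review list is a TiWorker.exe path outside the layout the question describes.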

1 Solution

Accepted Solutions
McAfee Employee
Message 2 of 7

Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


Just make sure you follow KB91257:

1. Apply Windows update and McAfee exclusions rule group

2. Upgrade to 8.2.1.143 or 8.0.2.233

3. Resolidify

McAfee Support

Benjamin Ellis


6 Replies

Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


Thank you. I did see this KB article and was working to apply it in my ePO environment.

It doesn't specify the TiWorker.exe as a known issue. Just curious if you have come across the TiWorker.exe issue specifically and know that this KB article has resolved it?

McAfee Employee
Message 4 of 7

Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


TiWorker is an updater in the Windows Update rule group by name.

TiWorker is replaced by Windows updates and should be solidified. So you shouldn't have to allow by hash.

It's broken because of the hard link issue that is solved by this KB.

 

McAfee Support

Benjamin Ellis


Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


Awesome! Thank you for the information. I'll mark it as an accepted solution. Thank you for your time and have a good day!


Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


Hi, 

How do I create the exclusion rule group? In Solidcore Rules, go to the Exclusions tab and click New; there are 4 options: "Memory protection", "Installation detection", "Advance", "Deprecated"


Re: Seeing a lot of TiWorker.exe events and can't seem to "allow" them...


Following KB91257 fixed the problem for a few months, but it appears that this process is being blocked again after applying the June servicing stack for Windows 10 (KB4503537).
