
CSCvm37634 - [ENH] Request to add TiWorker.exe to default Windows exclusions

imm_baker
Level 1

To clarify - this also occurs when using SCCM to deploy Windows updates, despite the notes in the bug report.

We have 10,000+ PCs currently being affected by this bug, with all updates being deployed by SCCM.

On testing, updates are taking at least 30-40% longer to install (even greater on non-SSD PCs). Without manual configuration on the individual update settings, many of the updates don't install with our maintenance windows and the SCCM client will abandon checking for the installation outcome.

This is a really poor design, please fix it properly. We've never had this issue with any other AV. TiWorker.exe is a normal Windows function.

3 Replies

Orlith
Level 1

I had to do a wildcard exclusion to solve this issue. Can't use Process exclusion as the path/hash may vary a lot.

Yes, the path/hash varies a lot, it's very annoying.

However we weren't comfortable using a wildcard exception of TiWorker.exe as it has too many security implications.

It's a very common Microsoft executable, and renaming any virus executable to TiWorker.exe as a means to circumvent all of Cisco AMP's functionality if detected is too great of a risk for our organisation.

What exactly did you use for the wildcard exclusion to make this stop?
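
The concern raised in this thread, that a filename-only wildcard also covers any binary that merely carries the name TiWorker.exe, can be monitored for in process telemetry. The sketch below is an added example, not part of the original posts and not Cisco tooling; the event fields (`host`, `image`, `signed`, `signer`), the sample events and the WinSxS servicing-stack path pattern are assumptions made for illustration.

```python
import ntpath
import re

# Assumed layout: TiWorker.exe ships in a servicing-stack component directory
# under WinSxS. The version/hash suffix of that directory changes with servicing
# stack updates, which is why fixed path or hash exclusions keep breaking.
SERVICING_STACK = re.compile(
    r"^[a-z]:\\windows\\winsxs\\"
    r"(amd64|x86|arm64|wow64)_microsoft-windows-servicingstack_[0-9a-z._-]+\\"
    r"tiworker\.exe$"
)
TRUSTED_SIGNER = "Microsoft Windows"  # assumed signer subject in the telemetry

def classify(event):
    """Return 'not-tiworker', 'expected' or 'suspicious' for one process event."""
    # normpath collapses '..' segments so a traversal cannot fake the directory.
    path = ntpath.normpath(event["image"]).lower()
    if ntpath.basename(path) != "tiworker.exe":
        return "not-tiworker"
    if not SERVICING_STACK.match(path):
        return "suspicious"      # right name, wrong directory
    if not event.get("signed") or event.get("signer") != TRUSTED_SIGNER:
        return "suspicious"      # right directory, signature not trusted
    return "expected"

def triage(events):
    """Hosts where something named TiWorker.exe ran outside the expected profile."""
    return [e["host"] for e in events if classify(e) == "suspicious"]

# Constructed sample events (directory suffix is made up).
_STACK = (r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_"
          r"31bf3856ad364e35_10.0.17763.1_none_0123456789abcdef")
EVENTS = [
    {"host": "pc-01", "image": _STACK + r"\TiWorker.exe",
     "signed": True, "signer": "Microsoft Windows"},
    {"host": "pc-02", "image": r"C:\Users\Public\TiWorker.exe",
     "signed": False, "signer": None},
    {"host": "pc-03", "image": _STACK + r"\..\..\Temp\tiworker.exe",
     "signed": True, "signer": "Microsoft Windows"},
    {"host": "pc-04", "image": _STACK + r"\TiWorker.exe",
     "signed": False, "signer": None},
    {"host": "pc-05", "image": r"C:\Windows\System32\svchost.exe",
     "signed": True, "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

A check like this runs on telemetry collected independently of the excluded scanner, so it still sees a same-named binary that a filename wildcard would let through.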