This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

All / most of my users are getting a pop up that Callercheck exploit was prevented in Outlook

We are using Outlook 2016 (365) and getting widespread 'CallerCheck exploit prevented in Microsoft Outlook.'

How do I determine if this is outlook or a 3rd party plugin.  We all have one plugin in particular, from Newforma.

Please advise!

Thanks,

Phil



This thread was automatically locked due to age.
  • We have one user who installed Security Update for Microsoft Windows (KB4056890) and Update for Microsoft Windows (KB4049411) last night and he can no longer start Outlook because he is now getting exactly the same error -  'CallerCheck' exploit prevented in Microsoft Outlook.

    We don't have the Newforma plugin but we do all have a third party plugin.

  • We have uninstalled KB4056890 and KB4049411 from the user's laptop. After a reboot he can start Outlook and no longer gets blocked by the CallerCheck exploit prevention.

     

    There is definitely a problem between at least one of these two updates and Sophos Exploit Prevention.

     

    Fortunately, this user's laptop is somehow incorrectly downloading updates directly from Microsoft instead of from our WSUS server but all of our other users are correctly using the WSUS server so we only had this problem with one user this morning instead of with the whole company.

     

    I hope Sophos fix this ASAP.

  • Sophos has an undocumented issue between Office products and Hitman Pro. I've asked them on the phone if they had a fix for it they were like - uh there is no issue. We've been getting the exploit issue regarding Excel for a while. Office goes "stupid" giving you a "Excel cannot continue" or any number of crashes that don't seem to have a rhyme or reason or any alerts that go off in Sophos so it cannot be excluded. May not work anyways we have Newforma here and its excluded but still fires off the exploit alert for some users. So we have 100% proved in our office that Hitman Pro interferes with Office.

    We turn off Hitman pro service (disabling in services.msc snap in) and it will eventually repair itself and turn itself back on and decide one day later to start fouling up Office again.Because the exploit trigger eventually goes away it's hard to catch it in the act. Office stopped generating those error messages at some point around Aug last year, so now the log show the caller check issue. It will fire off more alerts just like Office ceased to work intermittently and eventually stop for a few days. I'm going to try and see if one of our users sees the exploit while his Intercept product is disabled. 

  • Sophos have made some changes and now our Outlook add-in no longer triggers the CallerCheck exploit with Outlook.exe. Instead, the Outlook add-in executable itself now triggers a Lockdown exploit. We have added this to our global scanning exclusions list and we no longer get any problems even after installing the latest Windows updates.

  • The problem is back again. The case is still being investigated by Sophos. In the meantime we have found that if you wait a minute or two after the CallerCheck exploit has been detected and Outlook has been terminated, Sophos will attempt to clean the exploit, fail, then you can start Outlook without any problems and the add-in will work OK without triggering the CallerCheck exploit.

  • We also are experiencing this issue. We will be opening a case with Sophos.

  • We had a reply back from Sophos last week saying "We have received an update from the development team that the issue is fixed with a minor update recently released by us". We removed all entries from the global exclusion list and sure enough the problem was fixed. We were also getting a "Lockdown" vulnerability detected for a while for the same Outlook Add-In. This is no longer being triggered either even with all the latest Windows updates applied.

    It took them 2 months but we got there in the end.

  • Thank you for the response! Are you able to share your update/version you are at so I can compare with where we sit?

  • It was Sophos Intercept X (aka HitmanPro) that was causing the problem and seems to have been fixed.

     

    Product version numbers are:-

    Sophos Intercept X 2.0.2

    Core Agent 2.0.2

    Endpoint Advanced 10.8.1.1

     

    Component version numbers are:-

    Sophos Anti-Virus 10.8.1.217

    Sophos AutoUpdate 5.11.155

    Sophos Clean 3.8.3.1

    Sophos Diagnostic Utility 1.20.0.4

    Sophos Endpoint Agent 2.0.2

    Sophos Endpoint Defense 1.3.0.512

    Sophos Endpoint UI 1.4.147

    Sophos File Scanner 1.1.98

    Sophos Health 2.0.6.223

    Sophos HitmanPro Alert 3.7.4.732

    Sophos Management Communications System 4.7.15

    Sophos Network Threat Protection 1.4.540

  • Thank you! I will be verifying our particular setup with Sophos, but I also will confirm that the users' numbers match that.

    I appreciate your input!