We are using Outlook 2016 (365) and getting widespread 'CallerCheck exploit prevented in Microsoft Outlook.'
How do I determine if this is Outlook or a 3rd-party plugin? We all have one plugin in particular, from Newforma.
We have uninstalled KB4056890 and KB4049411 from the user's laptop. After a reboot he can start Outlook and no longer gets blocked by the CallerCheck exploit prevention.
There is definitely a problem between at least one of these two updates and Sophos Exploit Prevention.
Fortunately, this user's laptop is somehow incorrectly downloading updates directly from Microsoft instead of from our WSUS server but all of our other users are correctly using the WSUS server so we only had this problem with one user this morning instead of with the whole company.
I hope Sophos fix this ASAP.
Sophos has an undocumented issue between Office products and Hitman Pro. I've asked them on the phone if they had a fix for it, and they were like, "uh, there is no issue." We've been getting the exploit issue regarding Excel for a while. Office goes "stupid", giving you an "Excel cannot continue" or any number of crashes that don't seem to have a rhyme or reason or any alerts that go off in Sophos, so it cannot be excluded. It may not work anyway: we have Newforma here and it's excluded, but it still fires off the exploit alert for some users. So we have 100% proved in our office that Hitman Pro interferes with Office.
We turn off the Hitman Pro service (disabling it in the services.msc snap-in) and it will eventually repair itself and turn itself back on and decide one day later to start fouling up Office again. Because the exploit trigger eventually goes away, it's hard to catch it in the act. Office stopped generating those error messages at some point around Aug last year, so now the logs show the CallerCheck issue. It will fire off more alerts, just like Office ceased to work intermittently, and eventually stop for a few days. I'm going to try and see if one of our users sees the exploit while his Intercept product is disabled.
Sophos have made some changes and now our Outlook add-in no longer triggers the CallerCheck exploit with Outlook.exe. Instead, the Outlook add-in executable itself now triggers a Lockdown exploit. We have added this to our global scanning exclusions list and we no longer get any problems even after installing the latest Windows updates.
The problem is back again. The case is still being investigated by Sophos. In the meantime we have found that if you wait a minute or two after the CallerCheck exploit has been detected and Outlook has been terminated, Sophos will attempt to clean the exploit, fail, then you can start Outlook without any problems and the add-in will work OK without triggering the CallerCheck exploit.