We are using Outlook 2016 (365) and getting widespread 'CallerCheck exploit prevented in Microsoft Outlook.'
How do I determine if this is Outlook or a 3rd-party plugin? We all have one plugin in particular, from Newforma.
We have uninstalled KB4056890 and KB4049411 from the user's laptop. After a reboot he can start Outlook and no longer gets blocked by the CallerCheck exploit prevention.
There is definitely a problem between at least one of these two updates and Sophos Exploit Prevention.
Fortunately, this user's laptop is somehow incorrectly downloading updates directly from Microsoft instead of from our WSUS server, but all of our other users are correctly using the WSUS server, so we only had this problem with one user this morning instead of with the whole company.
I hope Sophos fix this ASAP.
Sophos have made some changes and now our Outlook add-in no longer triggers the CallerCheck exploit with Outlook.exe. Instead, the Outlook add-in executable itself now triggers a Lockdown exploit. We have added this to our global scanning exclusions list and we no longer get any problems even after installing the latest Windows updates.
The problem is back again. The case is still being investigated by Sophos. In the meantime we have found that if you wait a minute or two after the CallerCheck exploit has been detected and Outlook has been terminated, Sophos will attempt to clean the exploit, fail, then you can start Outlook without any problems and the add-in will work OK without triggering the CallerCheck exploit.