All / most of my users are getting a pop up that Callercheck exploit was prevented in Outlook

We are using Outlook 2016 (365) and getting widespread 'CallerCheck exploit prevented in Microsoft Outlook.'

How do I determine if this is Outlook or a 3rd party plugin? We all have one plugin in particular, from Newforma.

Please advise!

Thanks,

Phil

  • We have one user who installed Security Update for Microsoft Windows (KB4056890) and Update for Microsoft Windows (KB4049411) last night and he can no longer start Outlook because he is now getting exactly the same error - 'CallerCheck' exploit prevented in Microsoft Outlook.

    We don't have the Newforma plugin but we do all have a third party plugin.

  • We have uninstalled KB4056890 and KB4049411 from the user's laptop. After a reboot he can start Outlook and no longer gets blocked by the CallerCheck exploit prevention.


    There is definitely a problem between at least one of these two updates and Sophos Exploit Prevention.


    Fortunately, this user's laptop is somehow incorrectly downloading updates directly from Microsoft instead of from our WSUS server but all of our other users are correctly using the WSUS server so we only had this problem with one user this morning instead of with the whole company.


    I hope Sophos fix this ASAP.

  • In reply to David Reed:

    Sophos has an undocumented issue between Office products and Hitman Pro. I've asked them on the phone if they had a fix for it; they were like - uh, there is no issue. We've been getting the exploit issue regarding Excel for a while. Office goes "stupid", giving you an "Excel cannot continue" or any number of crashes that don't seem to have a rhyme or reason, or any alerts that go off in Sophos, so it cannot be excluded. May not work anyway; we have Newforma here and it's excluded but it still fires off the exploit alert for some users. So we have 100% proved in our office that Hitman Pro interferes with Office.

    We turn off the Hitman Pro service (disabling it in the services.msc snap-in) and it will eventually repair itself, turn itself back on and decide one day later to start fouling up Office again. Because the exploit trigger eventually goes away it's hard to catch it in the act. Office stopped generating those error messages at some point around Aug last year, so now the logs show the CallerCheck issue. It will fire off more alerts, just like Office ceased to work intermittently, and eventually stop for a few days. I'm going to try and see if one of our users sees the exploit while his Intercept product is disabled.

  • In reply to David Reed:

    Sophos have made some changes and now our Outlook add-in no longer triggers the CallerCheck exploit with Outlook.exe. Instead, the Outlook add-in executable itself now triggers a Lockdown exploit. We have added this to our global scanning exclusions list and we no longer get any problems even after installing the latest Windows updates.

  • In reply to David Reed:

    The problem is back again. The case is still being investigated by Sophos. In the meantime we have found that if you wait a minute or two after the CallerCheck exploit has been detected and Outlook has been terminated, Sophos will attempt to clean the exploit, fail, then you can start Outlook without any problems and the add-in will work OK without triggering the CallerCheck exploit.

  • We also are experiencing this issue. We will be opening a case with Sophos.

  • In reply to Josh Van Alstyne:

    We had a reply back from Sophos last week saying "We have received an update from the development team that the issue is fixed with a minor update recently released by us". We removed all entries from the global exclusion list and sure enough the problem was fixed. We were also getting a "Lockdown" vulnerability detected for a while for the same Outlook Add-In. This is no longer being triggered either even with all the latest Windows updates applied.

    It took them 2 months but we got there in the end.

  • In reply to David Reed:

    Thank you for the response! Are you able to share your update/version you are at so I can compare with where we sit?

  • In reply to Josh Van Alstyne:

    It was Sophos Intercept X (aka HitmanPro) that was causing the problem and seems to have been fixed.


    Product version numbers are:-

    Sophos Intercept X 2.0.2

    Core Agent 2.0.2

    Endpoint Advanced 10.8.1.1


    Component version numbers are:-

    Sophos Anti-Virus 10.8.1.217

    Sophos AutoUpdate 5.11.155

    Sophos Clean 3.8.3.1

    Sophos Diagnostic Utility 1.20.0.4

    Sophos Endpoint Agent 2.0.2

    Sophos Endpoint Defense 1.3.0.512

    Sophos Endpoint UI 1.4.147

    Sophos File Scanner 1.1.98

    Sophos Health 2.0.6.223

    Sophos HitmanPro Alert 3.7.4.732

    Sophos Management Communications System 4.7.15

    Sophos Network Threat Protection 1.4.540

  • In reply to David Reed:

    Thank you! I will be verifying our particular setup with Sophos, but I also will confirm that the users' numbers match that.

    I appreciate your input!

  • Hi Phil Lewis,

    The plugin detail that could be causing the exploit alert can be found in the Event Viewer.

    Open the Event Viewer (Win+R > type "eventvwr") and filter for HitmanPro.Alert Event ID 911. You might see something like the picture below.
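As an added example (not from this thread or from Sophos), the same lookup can be scripted so the flagged executable is listed per event instead of read off a screenshot; it assumes the provider name is 'HitmanPro.Alert' and that the message contains a "Callee Type" line followed by a full path, as quoted later in the thread.

```powershell
# Added example: pull HitmanPro.Alert event ID 911 entries from the Application log and
# extract the callee type and executable path so the triggering add-in can be identified.
# Assumptions: provider name 'HitmanPro.Alert' and a message layout like
# "Callee Type CreateProcess" followed by a path ending in .exe.
function Get-CallerCheckEvents {
    param(
        [int]$Days = 7,
        [string]$ProviderName = 'HitmanPro.Alert',   # assumed provider name
        [int]$EventId = 911
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # First Windows path ending in .exe in the message (assumed layout).
        $path   = [regex]::Match($msg, '[A-Za-z]:\\[^\r\n]*?\.exe').Value
        $callee = [regex]::Match($msg, 'Callee Type\s+(\S+)').Groups[1].Value

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            CalleeType  = $callee
            CalleePath  = $path
            # Signer/company from the file's version info, when the file still exists.
            Vendor      = if ($path -and (Test-Path -LiteralPath $path)) {
                              (Get-Item -LiteralPath $path).VersionInfo.CompanyName
                          } else { $null }
        }
    }
}

# Summarise which executables are being flagged: a path under an add-in's folder or a
# helper such as a bundled browser points to a third-party add-in rather than Outlook.
Get-CallerCheckEvents -Days 30 |
    Group-Object CalleePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Vendor'; e = { $_.Group[0].Vendor } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected machine; an empty table means no matching events were logged in the chosen window.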

  • This happened to a user right after updating to Windows 10 build 1803 today. In the HitmanPro.Alert entry in the Application Log I see:

    Callee Type CreateProcess

    C:\Users\[username]\AppData\Local\Temp\dotnetbrowser-chromium\55.0.2883.87.1.11.0.0.508\dotnetbrowser-chromium32.exe

    Sophos is up to date. The only way I could get him up and running in Outlook was to temporarily turn off exploit scanning. I've opened a case with Sophos as well.

  • In reply to David Schrag:

    We had the same issue with Outlook 2016 until 11 o'clock, with a client being updated to Windows 10 build 1803.

    However, the issue disappeared; either this is due to the latest Office update or to a correction made by Sophos.

  • In reply to Gregor Streng:

    Same here - the problem went away by itself.