Microsoft Power Query for Excel - False Flagging by Intercept/Crashes Excel

We have a few users that have Microsoft Power Query for Excel installed. Whenever they enable the add-in, it crashes Excel. If we disable Sophos Intercept it works just fine. I can't seem to find where I can whitelist this COM Add-In. Any ideas? Sophos continually flags this in RCA as 'Exploit CallerCheck'.

  • I've opened a ticket, pending a response from support.

  • In reply to Kyle Bigelow:

    Hi Kyle,

    Could you share your service request via private message so I may monitor it for you?

    Thanks and Regards
    Aditya Patel | Network and Security Engineer.

  • Sophos support has confirmed a false positive and the ticket has been escalated to dev.

  • In reply to Kyle Bigelow:

    Hi Kyle,

    Thank you for the update; kindly let us know if there is any further progress.

    Thanks and Regards

    Aditya Patel 

  • In reply to Aditya Patel:

    There has been no update and I can't get a response from Support.

  • In reply to Kyle Bigelow:

    Hi Kyle,

    Could you private message me the service request number followed by the link to this thread for reference? I would like to follow up on that issue and provide an accurate answer.

    Thanks and Regards

    Aditya Patel 

  • In reply to Aditya Patel:

    Hi Kyle,

    We have noted the issue is related to a false positive and will be fixed in the next release by the end of this month.

    Bug ID WINEP-6445

    Thanks and Regards

    Aditya Patel

  • In reply to Aditya Patel:

    Hi Aditya

    Can you confirm this False Positive was fixed?

    We are running version 11.5.4 and getting 'CallerCheck' exploits when trying to use Power Query in Excel 2013, I have also raised a ticket with support.

    Regards

    Stephen

  • In reply to Stephen Cheeseman:

    I have this same problem.  When I try to launch Power Query and connect to my SQL server from Excel 2013 the application closes and I get an alert from Sophos. This disrupts some of our employees who are trying to run reports using our Company Data-cubes in SQL.  

     

    Then Excel closes immediately and I get this:

    This is my installation:

  • In reply to Leo Fridley:

    Sorry I should have said one more thing! 

    If I use the following work-around it allows me to connect to the SQL database, but this is not a good solution because it requires using TAMPER passwords to alter the installation.  We cannot distribute these passwords to the users...

     

  • In reply to Leo Fridley:

    Hey Leo and Stephen!

    Out of interest, have you both tried setting an exclusion for this specific exploit detection in your Threat Protection policy? Some plugins can do things in memory which look quite similar to exploitative malware. While I do recommend you minimise making any exceptions in a policy (and if you do, make periodic checks to confirm whether the exceptions are still necessary), sometimes exceptions have to be made.

    In the event you've not tried this, I've slapped together a quick screenshot showing an exploit detection in a specific application (here, Internet Explorer) being excluded in a Threat Protection policy.

  • In reply to SecBug:

    Hi SecBug

    I have put a Scanning Exclusion in place, which does not fix the issue.

    As I said I do have a ticket open with support, they've sent me a test build (hasn't fixed the issue) and asked for some SDU logs.

    One thing that does work is adding Excel in the Exploit Mitigation Exclusion.

    Given that a lot of viruses are spread through Excel macros this isn't a brilliant solution, also this option is only available as a Global system setting and not as a Policy setting I could apply only to certain users to reduce the risk slightly?

  • In reply to Stephen Cheeseman:

    Same problem here... Excel 2010 with Power Query. Sophos gives a false positive when I try to connect to an internal database. Adding Excel in exploit exclusion is not an option; this is the reason why we use Sophos to discover strange behaviour of files.

    Is there already a solution provided?

     

     

  • Same problem here with Excel 2016 and Power Query.  Is there a solution or work around yet?

  • Same problem here - please provide a resolution.