Microsoft Power Query for Excel - False Flagging by Intercept/Crashes Excel

We have a few users that have Microsoft Power Query for Excel installed.  Whenever they enable the add-in, it crashes Excel.  If we disable Sophos Intercept it works just fine.  I can't seem to find where I can whitelist this COM Add-In.  Any ideas?  Sophos continually flags this in RCA as 'Exploit CallerCheck'.



  • There has been no update and I can't get a response from Support.

  • Hi Kyle,

    Could you private message me the service request number followed by the link to this thread for reference? I would like to follow up on that issue and provide an accurate answer.

    Thanks and Regards

    Aditya Patel 

    Global Escalation Support Engineer | Sophos Technical Support

  • Hi Kyle,

    We have noted the issue is related to a false positive and will be fixed in the next release by the end of this month.

    Bug ID WINEP-6445

    Thanks and Regards

    Aditya Patel

  • Hi Aditya

    Can you confirm this False Positive was fixed?

    We are running version 11.5.4 and getting 'CallerCheck' exploits when trying to use Power Query in Excel 2013. I have also raised a ticket with support.

    Regards

    Stephen

  • I have this same problem.  When I try to launch Power Query and connect to my SQL server from Excel 2013 the application closes and I get an alert from Sophos. This disrupts some of our employees who are trying to run reports using our Company Data-cubes in SQL.  

     

    Then Excel closes immediately and I get this:

    This is my installation:

  • Sorry I should have said one more thing! 

    If I use the following work-around it allows me to connect to the SQL database, but this is not a good solution because it requires using TAMPER passwords to alter the installation.  We cannot distribute these passwords to the users...

     

  • Hey Leo and Stephen!

    Out of interest, have you both tried setting an exclusion for this specific exploit detection in your Threat Protection policy? Some plugins can do things in memory which look quite similar to exploitative malware. While I do recommend you minimise making any exceptions in a policy (and if you do, make periodic checks to confirm whether the exceptions are still necessary), sometimes exceptions have to be made.

    In the event you've not tried this, I've slapped together a quick screenshot showing an exploit detection in a specific application (here, Internet Explorer) being excluded in a Threat Protection policy.

  • Hi SecBug

    I have put a Scanning Exclusion in place, which does not fix the issue.

    As I said, I do have a ticket open with support; they've sent me a test build (hasn't fixed the issue) and asked for some SDU logs.

    One thing that does work is adding Excel in the Exploit Mitigation Exclusion.

    Given that a lot of viruses are spread through Excel macros, this isn't a brilliant solution. Also, this option is only available as a Global system setting and not as a Policy setting I could apply only to certain users to reduce the risk slightly?

  • Same problem here ...  Excel 2010 with Power Query.  Sophos gives a false positive when I try to connect to an internal database.  Adding Excel in exploit exclusion is not an option; this is the reason why we use Sophos to discover strange behaviour of files.

    Is there already a solution provided?