
Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

  • Aditya. Please stop suggesting your response that "it should be fixed soon" is an answer, as it is not.

    This is absolutely crazy that this is taking this long.

    This is affecting many more people other than me.


    This needs to be escalated to Management, as this has been over 2 months now.

  • Hi Aditya,


    I know this is currently with the Dev team as I have an open ticket, but we need a fix on this as critical priority. People are unable to do their jobs without a fix! Please can you push this along.


    Also, just FYI, on a 32-bit install of Microsoft Office the Power Query add-on is located at "C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\"; however, when I add this to the Global Scanning Exclusions it still comes up as a CallerCheck exploit.


    Checking the event log I can see that this is the EXE wanting to run Microsoft.Mashup.Container.NetFX40.exe.


    Any ideas why it still comes up even after being added to Global Scanning Exclusions? Is it because the thumbprint changes each time?


    Thanks,

  • This same issue is also affecting our third-party warehousing software. They are unable to run it without us completely removing Sophos, which is really a great solution. Why is Sophos being so dark on this? Can we get a verification that a dev fix is scheduled? This is pretty ridiculous.

  • The time to resolution for fixes in Sophos' new "feature" of CryptoGuard, which apparently seems broken right out of the box, is unacceptable.

    I have been promised fixes for the Salesforce for Outlook Toolbar and this Excel issue for over 3 months now. Guess what... still broken... badly.

    I guess that is what you get for supporting a company by being an early adopter of a new product :(

  • Guess who is still waiting for a fix 3 months plus later...?

  • I may have spoken too soon. The problem was fixed on one machine, but not another. This is the error I receive from HitmanPro, but not sure how to interpret it. It appears the only two affected had 32-bit Office 2016.


    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-24T17:50:27.887272000Z" />
        <EventRecordID>61083</EventRecordID>
        <Channel>Application</Channel>
        <Computer>name.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</Data>
        <Data>CallerCheck</Data>
        <Data>Mitigation   CallerCheck
    Platform     10.0.14393/x64 v583 06_3c
    PID          8628
    Application  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    Description  Microsoft Excel 16
    Callee Type  CreateProcess

    Stack Trace
    #  Address   Module                    Location
    -- --------  ------------------------  ----------------------------------------
    1  43A2703B  (anonymous; clr.dll)
                 8b4d90          MOV ECX, [EBP-0x70]
                 8d6128          LEA ESP, [ECX+0x28]
                 8b4da8          MOV ECX, [EBP-0x58]
                 c6410801        MOV BYTE [ECX+0x8], 0x1
                 833d4080547200  CMP DWORD [0x72548040], 0x0
                 7407            JZ 0x43a27058
                 50              PUSH EAX
                 e859f8642e      CALL 0x720768b0
                 58              POP EAX
                 c7459400000000  MOV DWORD [EBP-0x6c], 0x0
                 8bf0            MOV ESI, EAX
                 e89a4a4d2e      CALL 0x71efbb00
                 85f6            TEST ESI, ESI
                 0f95c0          SETNZ AL
                 0fb6c0          MOVZX EAX, AL
                 8945ac          MOV [EBP-0x54], EAX
    2  43A2638F  (anonymous; clr.dll)
    3  43A25863  (anonymous; clr.dll)
    4  43A2546F  (anonymous; clr.dll)
    5  43A250FE  (anonymous; clr.dll)
    6  43A24C65  (anonymous; clr.dll)
    7  43A247E0  (anonymous; clr.dll)
    8  43A244A3  (anonymous; clr.dll)
    9  43A23F32  (anonymous; clr.dll)
    10 43A1FF0D  (anonymous; clr.dll)

    Code Injection
    00D00000-00D01000 4KB n/a [5580]

    Process Trace
    1  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [8628]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /h /dde "https://sharepointsite/file.xlsm"
    2  C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe [7248]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-excel:ofv|u|sharepointsite/file.xlsm"
    3  C:\Program Files\Internet Explorer\iexplore.exe [11400]
    4  C:\Windows\explorer.exe [8468]
    5  C:\Windows\System32\userinit.exe [10052]
    6  C:\Windows\System32\winlogon.exe [2932]
       C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7  C:\Windows\System32\smss.exe [6412]
       \SystemRoot\System32\smss.exe 00000104 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    8  C:\Windows\System32\smss.exe [388]
       \SystemRoot\System32\smss.exe
    9  [4]

    Thumbprint
    abc72b2d9f1a173c712f42e6a27e12cfd519f12635e58120747c0ce577cc9baa</Data>
      </EventData>
    </Event>
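An added triage helper, written for this page and not taken from the thread or from Sophos, that parses a HitmanPro.Alert event 911 like the one quoted above and pulls out the fields that explain why the block fired: which API was reached (Callee Type), whether every caller frame sits in anonymous memory attributed to clr.dll (JIT-compiled managed code, consistent with a .NET add-in such as Power Query), and the parent process chain. The embedded event is a constructed, shortened copy of the one above; the thumbprint is a zero placeholder.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the HitmanPro.Alert event 911 quoted in the
# thread (paths and PIDs from the thread, stack trace shortened, thumbprint is
# a zero placeholder, not a real value).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="HitmanPro.Alert" /><EventID Qualifiers="0">911</EventID>
<Computer>name.domain.com</Computer></System>
<EventData>
<Data>C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</Data>
<Data>CallerCheck</Data>
<Data>Mitigation CallerCheck Platform 10.0.14393/x64 v583 06_3c PID 8628 Application C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Description Microsoft Excel 16 Callee Type CreateProcess Stack Trace # Address Module Location 1 43A2703B (anonymous; clr.dll) 2 43A2638F (anonymous; clr.dll) 3 43A25863 (anonymous; clr.dll) Process Trace 1 C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [8628] "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /h /dde "https://sharepointsite/file.xlsm" 2 C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe [7248] "C:\Program Files (x86)\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-excel:ofv|u|sharepointsite/file.xlsm" 3 C:\Program Files\Internet Explorer\iexplore.exe [11400] Thumbprint 0000000000000000000000000000000000000000000000000000000000000000</Data>
</EventData>
</Event>"""

def _field(pattern, text):
    """Return group 1 of the first match of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_caller_check(xml_text):
    """Summarise a HitmanPro.Alert 911 CallerCheck event for triage (None if it is another mitigation)."""
    root = ET.fromstring(xml_text)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 3 or data[1] != "CallerCheck":
        return None
    detail = data[2]
    # Stack frames sit between "Stack Trace" and "Process Trace"; each frame
    # names the module that owns the (anonymous) memory the return address is in.
    stack = detail.split("Stack Trace", 1)[1].split("Process Trace", 1)[0]
    modules = re.findall(r"\(anonymous; ([^)]+)\)", stack)
    # Parent chain: "<n> <image path> [<pid>]" entries, optionally followed by
    # the quoted command line, up to the Thumbprint field.
    trace = detail.split("Process Trace", 1)[1].split("Thumbprint", 1)[0]
    chain = re.findall(r"(\d+) ([A-Z]:\\.+?) \[(\d+)\]", trace)
    return {
        "application": _field(r"Application (.+?) Description", detail),
        "callee": _field(r"Callee Type (\S+)", detail),
        "modules": modules,
        # Every caller frame in clr.dll-owned anonymous memory means JIT-compiled
        # managed code reached the API, which is what a .NET add-in looks like.
        "managed_caller": bool(modules) and all(m.lower() == "clr.dll" for m in modules),
        "process_chain": [(path, int(pid)) for _, path, pid in chain],
        "thumbprint": _field(r"Thumbprint ([0-9a-f]{64})", detail),
    }
```

The process chain is the part worth comparing across machines: here Excel was launched by protocolhandler.exe under Internet Explorer, i.e. a file opened from SharePoint, which is a very different picture from Excel spawned by an e-mail client.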

  • Very disappointed that Sophos don't seem to be responding to anyone on this - having only just moved our system protection over to Sophos - we now find we are in this situation with "CallerCheck exploit preventing MS Excel" - this is critical to our business - and moving 300+ devices back to our previous system would be ......arghhhhhhhh

  • I fixed this by going to Global Settings -> Exploit Mitigation Exclusions then adding Microsoft Excel. There's supposed to be an update forthcoming to address this but I would open a support ticket to make sure your specific use case gets addressed.

  • !!!!!!THIS IS NOT A FIX!!!!!!


    Your Excel is now open to exploitation. You have removed EXCEL.EXE from exploit mitigation, meaning any exploits will be allowed to run.


    It is not a fix. It does work, but it is not a fix. 


    By the way, it is not a fix. 

  • Thanks gdriggs for your advice, but as Root____ "hinted" at, this is not a fix - to be honest, it would be a disaster waiting to happen, and more-or-less negates system protection - I really don't see why this is such a big deal for Sophos - In our case, we are pulling internally, (nothing coming in via email), so it should be easy to whitelist all files on our systems - (or as you mention - excel - from internal sources) - whilst blocking external sources !!!