Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

 



This thread was automatically locked due to age.
  • Thanks for Update Rick -- Will give this a run on one of our machines - and see if all is the same as you - would be super if this works - (Thanks Sophos.....NOT)

  • Rather than replace all your 64-bit versions of Excel with 32-bit versions or vice versa (we only have 64-bit and have the same problems), you could put in an exploit mitigation exclusion until Sophos release an update to address this. I have been told several times that this is in the works, but neither the release notes from the past two months nor the feedback here suggest that current versions are able to distinguish this acceptable traffic from anomalous malicious traffic. We use an app called Axiom EPM that was the first one that brought this to our attention, but whitelisting its EXEs and directories was sufficient until some of our business analysts started working with Microsoft Power Query for Excel. You may wish to follow up with your account manager in reference to bug ID WINEP-6445.

     

  • Thanks Rick,

    We have just completed an uninstall of 32 bit Office, reinstall of 64 bit Office..... And it worked.... We will update all our users to 64 bit.... Sophos should have at least mentioned this months ago.... Thanks again Rick

  • FWIW, all my problems have been with 64-bit versions of Office. We still have a handful of 32-bit installs in our environment but all the users reporting blocked calls to databases were running 64-bit Excel.

  • We have only done one system, as a test - and worked fine, we will try getting another one or two done today - will update the results - but maybe your issue and ours, while similar, might be different, hence the solution offered by Rick is working for us, but not you ?!?

  • I have now removed the 32 bit versions of programs and installed the 64 bit version.

    The connection to SQL is working.

    Thanks all for the feedback.

  • From Sophos support as we have a ticket open for this: 

    "As I was expecting - Excel is triggering multiple detections for the same behavior with different thumbprints.
    Which causes our application to ignore any of the set up exclusions for excel.

    - This is being currently investigated with our GES escalation team.
    - Patch should be coming out some time soon."

     

    GES = Global Escalated Support, I think  -Rick

  • Sophos Community Forum needs the option (like Facebook) to have a "laughing emoji". I could only "Like" your reply :-) LOL