Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

 

  • In reply to Rick Cahoon:

    I have now removed the 32 bit versions of programs and installed the 64 bit version.

    The connection to SQL is working.

    Thanks all for the feedback.

  • In reply to Richard Mooney:

    From Sophos support as we have a ticket open for this: 

    "As I was expecting - Excel is triggering multiple detections for the same behavior with different thumbprints.
    Which causes our application to ignore any of the set up exclusions for excel.

    - This is being currently investigated with our GES escalation team.
    - Patch should be coming out some time soon."

     

    GES = Global Escalated Support, I think  -Rick

  • In reply to Rick Cahoon:

    Sophos Community Forum needs the option (like Facebook) to have a "laughing emoji". I could only "Like" your reply - :-) LOL

  • Any progress in this case?

  • In reply to Jakub Mikulski:

    This is causing issues for us also.

    Excel 2016 x64

    Have had to create a "wide open" exception. There needs to be a whitelist of allowed "URLs" that Excel can query.

     

  • In reply to Daniel Epps:

    Just FYI, there is a fix coming. I have been working with them to get this working. As it stands, the latest version of Sophos includes this fix. The thumbprint of the event now stays the same, allowing that exploit itself to be added to the exceptions list. However, for me it still remains an issue. I'm waiting to hear back from Sophos about this. As soon as I've got it working I will share the great news.

     

  • Hi,

    Has anyone considered creating a new Application Control policy, adding Microsoft Office suite and Excel as allowed applications?

    This seemed to work for me.

    It is just a stop-gap solution until a fix is issued by Sophos.

     

    Thanks,

    Kwame

  • In reply to Kwame Ahenkorah:

    That isn't a fix. You can't add MS Office Suite and Excel as exceptions. (Well, you can, but if you do you're opening up a WHOLE bunch of vulnerabilities.)

     

    Just FYI, there is a fix for this coming in the next few weeks. So far the devs have managed to narrow it down and keep the thumbprint the same, whereas before it would change every time, making it impossible to create an exception for. Will let you know when the fix is deployed and if it works.

     

    It's coming! 

  • Hi,

    The way this problem is handled by Sophos is just mind-blowing!
    From time to time someone comes to tell us "it's coming", and this has been going on for months!
    This is probably because Excel is little-used software.

    I do not understand how you can follow this up so badly.

     

    Regards,

  • In reply to yvesGourle:

    We have a case open for this as well - Sophos recommends moving the affected machines over to the Early Access program for 2.0. We have been testing internally for a few weeks without major issues (just the Firefox loadlib known issue), so we are pushing out to some of the affected machines this week.

     

    I would not recommend adding a scanning exclusion for any Office products as they are common methods for ransomware...

  • In reply to Ashton Momot:

    Greetings,

     

    Any updates on this issue? I have some users who are experiencing this also, and have submitted a ticket with Sophos Support.

     

    Andre

  • In reply to Andre Butler:

    Due to the fact that I have users who need to use this feature in Excel, I had to implement this "workaround". According to Sophos Support, this issue is being worked on by their Dev Team.

     

    I added this location to the Global Scanning exclusion List:

     

    C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel\ Integrated\bin\Microsoft.Mashup.Client.Excel.dll

     

    Seems to be holding up so far :)

     

    Regards,

  • In reply to Andre Butler:

    Hey all! 

     

    I can tell you I have a test version which appears to be working fine now with all users. I have been told the fix should be released with an update in the coming weeks. DON'T GIVE UP HOPE!

     

     

  • In reply to Root___:

    Dear,

    We have version 3.6.8.604, and major issues of this kind are resolved.

    When we had 3.6.3.583, we were showered with incident requests.

    Thanks

    Neel

  • In reply to skyisbluescreen:

    Good morning,

     

    How do you upgrade from 3.6.3.583 to 3.6.8.604?

     

    Thanks,

    Andre