Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

Hi,

The way this problem is handled by Sophos is just mind-blowing!
From time to time we come to tell us "it's coming" and it has been months that it lasts!
This is probably because Excel is a little used software.

I do not understand that you can follow this as badly.

Regards,

We have a case open for this as well - Sophos recommends moving the affected machines over to the Early Access program for 2.0. We have been testing internally for a few weeks without major issues (Just the firefox loadlib known issue), so we are pushing out to some of the affected machines this week.

I would not recommend adding a scanning exclusion for any Office products as they are common methods for ransomware...

We have a case open for this as well - Sophos recommends moving the affected machines over to the Early Access program for 2.0. We have been testing internally for a few weeks without major issues (Just the firefox loadlib known issue), so we are pushing out to some of the affected machines this week.

I would not recommend adding a scanning exclusion for any Office products as they are common methods for ransomware...

Greetings,

Any updates on this issue?  I have some users who are experiencing this also, submitted ticket with Sophos Support.

Andre

Due to the fact that I have users who need to use this feature in Excel, I had to implement this "Workaround".  According to Sophos Support, this issue is being worked by their Dev Team.

I added this location to the Global Scanning exclusion List:

C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel\ Integrated\bin\Microsoft.Mashup.Client.Excel.dll

Seems to be holding up so far :)

Regards,

Hey all! 

I can tell you i have a test version which appears to be working fine now with all users. I have been told the fix should be released with an update in the coming weeks. DON'T GIVE UP HOPE! 

Dear,

We have Version - 3.6.8.604 and Major Issues of such kind are resolved

When We had 3.6.3.583 we had Incident Requests Showered.

Thanks

Neel

Good morning,

How do you upgrade from 3.6.3.583 to 3.6.8.604?

Thanks,

Andre

We had an automatic Upgrade of Sophos Exploit Prevention, Where the Component Self Updated to the newest version. 

As a Workaround in the past we had to create a Separate Group and add an exception to the application for Exploit Prevention which was getting blocked. 

We had issues with many applications getting blocked

Excel

PDFViewer.exe

Powerpoint

3.7.0 is available if you join the early access program but I have not yet tested Power Query with this version.

Ok Thanks for the Info... We are moving on to SOphos Central from our existing Version

Hi Guys,

We are experiencing the same issue with a custom spreadsheet, is there a solution yet, Sophos finds the exploit but it is creating a new instance every time the users works which doesn't help at all. We are using Sophos Cloud Endpoint with Intercept X ..

Thanks

We haven't received a Fix Yet.. This is totally based on the Behavior Pattern i believe for a file being accessed and worked upon. Sophos is capturing all these as an Exp Prv Event.

We have less count of these but still exists with different Lock Messages