Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

 

  • Hi Rich,

    According to the information, the issue should have been resolved in Nov. Could you log a ticket with Support so our engineer can check it? You could also private message me the service request for it, along with the link to the forum thread, for reference.

  • I have not received a response from Support regarding this other than "have you whitelisted the Office suite?" This is a surprisingly dangerous suggestion, as doing this would open up an incredibly dangerous vector for virus transmission to my entire company...

    I have uploaded the SDU from one of the affected machines.

    I need a resolution for this.

  • In reply to Rich Billard:

    The last I have heard from Sophos on this ticket was December 20th. Is the Sophos Support department still in operation?

  • In reply to Rich Billard:

    Hi Rich,

    Could you provide the information requested via private message?

  • In reply to Rich Billard:

    Has any resolution been suggested for this yet?  I'm currently experiencing the very same issue.

  • I'm also experiencing this same issue, anyone have a resolution yet?

  • In reply to Kristi Adams:

    Hi Kristi,

    The issue is pending with the Dev Team and should be released soon.

  • In reply to Aditya Patel:

    Aditya. Please stop suggesting your response that "it should be fixed soon" is an answer, as it is not.

    This is absolutely crazy that this is taking this long.

    This is affecting many more people other than me.

    This needs to be escalated to Management, as this has been over 2 months now.

  • In reply to Aditya Patel:

    Hi Aditya,

     

    I know this is currently with the Dev team, as I have an open ticket, but we need a fix on this as critical priority. People are unable to do their jobs without a fix! Please can you push this along.

    Also, just FYI, on a 32-bit install of Microsoft Office the Power Query add-on is located at "C:\Program Files (x86)\Microsoft Office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\"; however, when I add this to the Global Scanning Exclusions it still comes up as a CallerCheck exploit.

    Checking the event log, I can see that this is the EXE wanting to run Microsoft.Mashup.Container.NetFX40.exe.

    Any ideas why it still comes up even after being added to Global Scanning Exclusions? Is it because the thumbprint changes each time?

     

     

    Thanks,

  • I have this thread bookmarked as I am desperate for a resolution. Any progress yet?

  • In reply to Delvyn Hunter:

    I got the following email last week re: their potential "fix". Given it has taken them 3 months to get this far... I am not holding my breath.

    "The change in build 586 designed for this did not solve the issue in the wild. We have made adjustments and are targeting build 587 to have the correction for this. I'll let you know as soon as this build is available so you can test and verify that it is no longer detecting."

     

     

    Rich

  • I am having the issue as well with a lot of users, not all spreadsheets but some. I submitted a sample file and it came back clean. I have a ticket in with Sophos support asking for more help.

  • In reply to Aditya Patel:

    This same issue is also affecting our third-party warehousing software. They are unable to run it without us completely removing Sophos, which is really a great solution. Why is Sophos being so dark on this? Can we get a verification that a dev fix is scheduled? This is pretty ridiculous.

  • In reply to Rick Cahoon:

    The time to resolution for fixes in Sophos' new "feature" of Cryptoguard, which apparently seems broken right out of the box, is unacceptable.

    I have been promised fixes for the Salesforce for Outlook Toolbar and this Excel issue for over 3 months now. Guess what... still broken... badly...

    I guess that is what you get for supporting a company by being an early adopter of a new product :(