Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

  • In reply to Rick Cahoon:

    I have now removed the 32-bit versions of programs and installed the 64-bit version.

    The connection to SQL is working.

    Thanks all for the feedback.

  • In reply to Richard Mooney:

    From Sophos support as we have a ticket open for this: 

    "As I was expecting - Excel is triggering multiple detections for the same behavior with different thumbprints,
    which causes our application to ignore any of the set up exclusions for Excel.

    - This is being currently investigated with our GES escalation team.
    - Patch should be coming out some time soon."

    GES = Global Escalated Support, I think  -Rick

  • In reply to Rick Cahoon:

    Sophos Community Forum needs the option (like Facebook) to have a "laughing emoji". I could only "Like" your reply :-) LOL

  • Any progress in this case?

  • In reply to Jakub Mikulski:

    This is causing issues for us also.

    Excel 2016 x64

    Have had to create a "wide open" exception. There needs to be a whitelist of allowed URLs that Excel can query.

  • In reply to Daniel Epps:

    Just FYI, there is a fix coming. I have been working with them to get this working. As it stands, the latest version of Sophos includes this fix. The thumbprint of the event stays the same now, allowing that exploit itself to be added to the exceptions list. However, for me it still remains an issue. I'm waiting to hear back from Sophos about this. As soon as I've got it working I will share the great news.

  • Hi,

    Has anyone considered creating a new Application Control policy, adding Microsoft Office suite and Excel as allowed applications?

    This seemed to work for me.

    It is just a stop-gap solution until a fix is issued by Sophos.

    Thanks,

    Kwame

  • In reply to Kwame Ahenkorah:

    That isn't a fix. You can't add MS Office Suite and Excel as exceptions. (Well, you can, but if you do you're opening up a WHOLE bunch of vulnerabilities.)

    Just FYI, there is a fix for this coming in the next few weeks. So far the devs have managed to narrow it down and keep the thumbprint the same, whereas before it would change every time, making it impossible to create an exception for it. Will let you know when the fix is deployed and if it works.

    It's coming!