Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.

 



This thread was automatically locked due to age.
  • If this indeed is the case, THANK YOU!

  • If you can, that would be great - we are having this issue as well.

  • I have noticed some Power Query temp files that could be whitelisted but I haven't gone down this rabbit hole yet. If you have a chance to share your solution I would be most grateful.

    -Gary

  • I was experiencing the same error and this is how I solved it.

    Summary:  Excel 2016 workbook with some basic macros and worksheet tables connected to SharePoint 2013 lists.  When refreshing the data, the Sophos warning appeared and killed Excel.  This was as the spreadsheet was calling the SharePoint list to pull down data.  Affected only one user.  Several other users had no issue.

     

    Solution:  Ran a full repair on Office.  Either the repair fixed the problem, or it was related to the user having a personal OneDrive service connected to Exchange.  You can check this in File > Account in Excel.  The repair disconnected the login and after re-linking the user's Office365 account, the error stopped.  OneDrive was not reconnected.

    What helped me was looking at the details of Root Cause Analysis when triggering the event while only Excel was running.  I noticed the following pattern of network connection details:

    1. <company sharepoint url>/<site collection>/<site>/_vti_bin/lists.asmx
    2. <company sharepoint url>/<site collection>/<site>
    3. login.windows.net/common/UserRealm/<employee username@companydomain>?api-version=1.0

     

    The first two were normal and refer to the SharePoint list being refreshed.  The second one was odd because the user does not have a cloud account.

    Hope this helps.

  • Hi Patrick,

     

    Thank you so much for this information. I tried this first thing when I got to work this morning; however, it still happens for me. One thing I am going to try is turning off OneDrive being blocked by Sophos and disabling OneDrive via GPO to see if this makes a difference. Will edit this comment with an update.

     

    Glad you've got it working for yourself though. At least someone is trying!