
Sophos cloud endpoint: Multiple users getting "Caller Check Exploit Prevented in Microsoft Excel" when using custom spreadsheets

I need a resolution for this false positive that does not completely whitelist Excel.

This is directly relevant to the following thread:

https://community.sophos.com/intercept/f/information/82464/microsoft-power-query-for-excel---false-flagging-by-intercept-crashes-excel

This was supposed to be resolved by the end of November. 

We need a resolution now.
  • I was experiencing the same error and this is how I solved it.

    Summary: Excel 2016 workbook with some basic macros and worksheet tables connected to SharePoint 2013 lists. When refreshing the data, the Sophos warning appeared and killed Excel. This was as the spreadsheet was calling the SharePoint list to pull down data. Affected only one user. Several other users had no issue.

    Solution: Ran a full repair on Office. Either the repair fixed the problem, or it was related to the user having a personal OneDrive service connected to Exchange. You can check this in File > Account in Excel. The repair disconnected the login and after re-linking the user's Office365 account, the error stopped. OneDrive was not reconnected.

    What helped me was looking at the details of Root Cause Analysis when triggering the event while only Excel was running.  I noticed the following pattern of network connection details:

    1. <company sharepoint url>/<site collection>/<site>/_vti_bin/lists.asmx
    2. <company sharepoint url>/<site collection>/<site>
    3. login.windows.net/common/UserRealm/<employee username@companydomain>?api-version=1.0

     

    The first two were normal and refer to the SharePoint list being refreshed.  The second one was odd because the user does not have a cloud account.

    Hope this helps.

  • Hi Patrick,

    Thank you so much for this information. I tried this first thing when I got to work this morning; however, it still happens for me. One thing I am going to try is turning off OneDrive being blocked by Sophos and disabling OneDrive via GPO to see if this makes a difference. Will edit this comment with an update.

    Glad you've got it working for yourself though. At least someone is trying! 

  • I may have spoken too soon. The problem was fixed on one machine, but not another. This is the error I receive from HitmanPro, but not sure how to interpret it. It appears the only two affected had 32-bit Office 2016.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-24T17:50:27.887272000Z" />
        <EventRecordID>61083</EventRecordID>
        <Channel>Application</Channel>
        <Computer>name.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</Data>
        <Data>CallerCheck</Data>
        <Data>Mitigation   CallerCheck
    Platform     10.0.14393/x64 v583 06_3c
    PID          8628
    Application  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    Description  Microsoft Excel 16
    Callee Type  CreateProcess

    Stack Trace
    #  Address   Module                    Location
    -- --------  ------------------------  ----------------------------------------
    1  43A2703B  (anonymous; clr.dll)
                 8b4d90          MOV ECX, [EBP-0x70]
                 8d6128          LEA ESP, [ECX+0x28]
                 8b4da8          MOV ECX, [EBP-0x58]
                 c6410801        MOV BYTE [ECX+0x8], 0x1
                 833d4080547200  CMP DWORD [0x72548040], 0x0
                 7407            JZ 0x43a27058
                 50              PUSH EAX
                 e859f8642e      CALL 0x720768b0
                 58              POP EAX
                 c7459400000000  MOV DWORD [EBP-0x6c], 0x0
                 8bf0            MOV ESI, EAX
                 e89a4a4d2e      CALL 0x71efbb00
                 85f6            TEST ESI, ESI
                 0f95c0          SETNZ AL
                 0fb6c0          MOVZX EAX, AL
                 8945ac          MOV [EBP-0x54], EAX
    2  43A2638F  (anonymous; clr.dll)
    3  43A25863  (anonymous; clr.dll)
    4  43A2546F  (anonymous; clr.dll)
    5  43A250FE  (anonymous; clr.dll)
    6  43A24C65  (anonymous; clr.dll)
    7  43A247E0  (anonymous; clr.dll)
    8  43A244A3  (anonymous; clr.dll)
    9  43A23F32  (anonymous; clr.dll)
    10 43A1FF0D  (anonymous; clr.dll)

    Code Injection
    00D00000-00D01000 4KB n/a [5580]

    Process Trace
    1  C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [8628]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /h /dde "https://sharepointsite/file.xlsm"
    2  C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe [7248]
       "C:\Program Files (x86)\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-excel:ofv|u|sharepointsite/file.xlsm"
    3  C:\Program Files\Internet Explorer\iexplore.exe [11400]
    4  C:\Windows\explorer.exe [8468]
    5  C:\Windows\System32\userinit.exe [10052]
    6  C:\Windows\System32\winlogon.exe [2932]
       C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7  C:\Windows\System32\smss.exe [6412]
       \SystemRoot\System32\smss.exe 00000104 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    8  C:\Windows\System32\smss.exe [388]
       \SystemRoot\System32\smss.exe
    9  [4]

    Thumbprint
    abc72b2d9f1a173c712f42e6a27e12cfd519f12635e58120747c0ce577cc9baa</Data>
      </EventData>
    </Event>
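As an added example, not code from this thread or from Sophos, the following Python script reads a HitmanPro.Alert event 911 like the one posted above and pulls out the fields an administrator needs for triage: the mitigation name, the callee that tripped it, the chain of parent processes, and the document URL Excel was launched with, which it checks against a set of hosts the administrator treats as internal (the point a later reply raises about internal versus external sources). The abbreviated sample event, the elided stack trace and the trusted-host set are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed, abbreviated copy of the HitmanPro.Alert event 911 posted above;
# the stack-trace section is replaced by "..." because the triage does not read it.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="HitmanPro.Alert"/><EventID Qualifiers="0">911</EventID>
<Computer>name.domain.com</Computer></System>
<EventData>
<Data>C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE</Data>
<Data>CallerCheck</Data>
<Data>Mitigation CallerCheck Platform 10.0.14393/x64 v583 06_3c PID 8628 Application C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Description Microsoft Excel 16 Callee Type CreateProcess Stack Trace ... Process Trace 1 C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE [8628] "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /h /dde "https://sharepointsite/file.xlsm" 2 C:\Program Files (x86)\Microsoft Office\root\Office16\protocolhandler.exe [7248] "C:\Program Files (x86)\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-excel:ofv|u|sharepointsite/file.xlsm" 3 C:\Program Files\Internet Explorer\iexplore.exe [11400] 4 C:\Windows\explorer.exe [8468] Thumbprint abc72b2d9f1a173c712f42e6a27e12cfd519f12635e58120747c0ce577cc9baa</Data>
</EventData></Event>"""


def parse_alert(xml_text, trusted_hosts):
    """Summarise a HitmanPro.Alert event 911 for triage; None for any other event."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if provider != "HitmanPro.Alert" or event_id != "911":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    report = data[2]  # third Data element carries the full mitigation report

    def field(label):  # header fields are "Label value" pairs
        return re.search(label + r" (\S+)", report).group(1)

    # Process Trace entries look like "<n> <image path> [<pid>]", optionally
    # followed by that process's command line; entry 1 is the mitigated process.
    trace = report.split("Process Trace", 1)[1].split("Thumbprint", 1)[0]
    chain = re.findall(r"\b\d+ (C:\\.*?) \[(\d+)\]", trace)
    # Excel's command line quotes the document it was asked to open.
    doc = re.search(r'"(https?://[^"]+)"', trace)
    document = doc.group(1) if doc else None
    host = urlparse(document).hostname if document else None
    return {
        "application": data[0],
        "mitigation": field("Mitigation"),
        "pid": int(field("PID")),
        "callee": field("Callee Type"),
        "parent_chain": [path.rsplit("\\", 1)[-1] for path, _ in chain[1:]],
        "document": document,
        "internal_source": host is not None and host in trusted_hosts,
    }


if __name__ == "__main__":
    print(parse_alert(SAMPLE_EVENT, {"sharepointsite"}))  # assumed internal host
```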

  • Very disappointed that Sophos don't seem to be responding to anyone on this - having only just moved our system protection over to Sophos - we now find we are in this situation with "CallerCheck exploit preventing MS Excel" - this is critical to our business - and moving 300+ devices back to our previous system would be ......arghhhhhhhh

  • I fixed this by going to Global Settings -> Exploit Mitigation Exclusions then adding Microsoft Excel. There's supposed to be an update forthcoming to address this but I would open a support ticket to make sure your specific use case gets addressed.

  • !!!!!!THIS IS NOT A FIX!!!!!!

    Your excel is now open to exploitation. You have removed EXCEL.EXE from exploit mitigation meaning any exploits will be allowed to run.

    It is not a fix. It does work, but it is not a fix.

    By the way, it is not a fix.

  • Thanks gdriggs for your advice, but as Root____ "hinted" at, this is not a fix - to be honest, it would be a disaster waiting to happen, and more-or-less negates system protection - I really don't see why this is such a big deal for Sophos - In our case, we are pulling internally, (nothing coming in via email), so it should be easy to whitelist all files on our systems - (or as you mention - excel - from internal sources) - whilst blocking external sources !!!

  • I agree that it's not a long-term solution. Even the OS has a hard time determining where these files are sourced from, so I'm not sure how other apps should be expected to do the same. I tried going in and whitelisting every exception that came through, but that didn't work, so there must be some better way of approaching this aside from whitelisting an entire Office application.

  • I have today received the CallerCheck message attempting to connect to a SQL server using Excel 2016.

    I have the latest client 11.5.4.

    Has anyone found a fix yet?

    Thanks

  • On Office 2016, 64-bit, the error does not happen, at least on the limited number of machines that we have running 64-bit. Everyone on 32-bit Office has the issue. There are considerations that you need to know about when running 64-bit. See this article:

    https://support.office.com/en-us/article/Choose-between-the-64-bit-or-32-bit-version-of-Office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US

    -Rick