Sophos home: 'CallerCheck' exploit prevented in 1Password for Windows desktop.

Received an alert from Sophos Home on Windows 10 about 1Password 7 (latest versions of all three): 'CallerCheck' exploit prevented in 1Password for Windows desktop. Sophos Home then blocked 1Password 7. Had to log into Sophos Home online and log an exception to allow 1Password 7 to function.


1Password Version: 7.0.532
Extension Version: Not Provided
OS Version: Windows 10 Home v1709 OS Build 16299.334
Sync Type: Not Provided

Comments

  • MikeT Agile Samurai

    Team Member
    edited April 9

    Hi @Toshen,

    Thanks for reporting it.

    It's a false positive; we've gotten a few of these from Sophos Home over the year. Please report it to Sophos for them to fix it on their side.

  • Thanks. Yes, I've already reported it to them.

  • MikeT Agile Samurai

    Team Member

    Thanks for doing that!

  • Hi there,
    I'm running into the same problem with Sophos Central for Enterprise. Did / does / can anybody look into this please?
    Thanks
    Christian

  • cbrendel
    edited June 4

    Sorry, accidentally posted twice... and I also didn't see that you guys are already aware and have reported it with Sophos, as my adblocker was blocking all replies to Toshen's original post. Oops. Sorry and thanks a lot!

  • brenty

    Team Member

    @cbrendel: No worries! Thanks for taking the time to get in touch. Definitely let Sophos know that this is also affecting you as their customer, and we'll continue to work with them to avoid things like this in the future. :)

  • excellent, will do!

  • brenty

    Team Member

    Much appreciated! :) :+1:

  • This is still happening. I have had to deinstall 1Password as the warning just keeps repeating.

  • brenty

    Team Member

    @Blogbe: Did you try what Toshen did? That can certainly help, and reporting it to Sophos will make a difference since you're their customer and it's their software causing this.

  • Sounds like you are passing the buck. Why is it their software and not yours? I am now running Dashlane and no problems.

  • brenty

    Team Member

    @Blogbe: I hope you'll appreciate that we have zero control over another company incorrectly identifying "1Password" as "CallerCheck", when these are clearly not the same thing. That's not passing the buck; that's reality. Again, we'll continue to work with them to try to avoid this in the future, but we're not their customer; you are, so you'll have a lot more influence than we do. That's why I suggested reaching out to them.

  • MikeT Agile Samurai

    Team Member
    edited June 5

    Hi @blogbe,

    In addition to what Brenty said, CallerCheck is an aggressive check about a general function that has been exploited by some malware as an attack method. In other words, it's like blocking apps from reading a file just because some random malware also read files. It has a very high risk of false positives and CallerCheck has already been known to falsely flag a lot of apps (here's one thread with dozens of various apps being affected).

    Sophos is being very cautious for you but there is no issue within 1Password at all. The CallerCheck algorithm doesn't like the way 1Password registers itself to start upon reboots and to integrate with browsers, but they're normal functions.

  • FWIW, I had the same problem at boot, with Sophos (Enterprise Endpoint Protection) popping the CallerCheck error constantly. I was going to add an exception in Sophos which, ironically, required my password stored in 1Password. As soon as I started the desktop application manually, the errors stopped and all now appears well, including the browser integration.

    It seems that Sophos does not like the way the 1Password service behaves in the background.

  • brenty

    Team Member

    Wow. That is ironic. Indeed, glad that did the trick for you. We'll continue to work with Sophos to address issues like this whenever they pop up. :blush:

  • Just a slightly related heads up, with regards to Outlook and the CallerCheck/Sophos debacle, I found a workaround that if I started Outlook in safe mode it would start. Close and start in normal mode and the CallerCheck/Sophos alarm goes away. As I said, slightly related.

  • MikeT Agile Samurai

    Team Member

    Thanks for letting us know.

    CallerCheck is related to how the apps start. In this case, I believe Sophos simply doesn't like the 1Password extension starting the 1Password app when the main 1Password app is not set to start on its own during boot up.

  • Hi, I run Sophos enterprise in my corporate network. The easiest way to stop the message is to head to Sophos Central Admin:
    https://cloud.sophos.com/manage/dashboard

    Click on Endpoint Protection
    Under Configure --> Settings
    Under General --> Exploit Mitigation Exclusions (or once logged in: https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions)
    Click Add Exclusion and choose 1Password and 1Password for Windows desktop from the list

    I hope this helps

  • MikeT Agile Samurai

    Team Member
