1Password chrome extension - CallerCheck Exploit

dixie_tech
Community Member

Is the following process trace 'normal' for 1Password? It seems that since the v7 update, our behavior analysis (Sophos - Intercept X) is detecting this as an exploit (CallerCheck).

Has this been reported? Any ideas?

Process Trace
1 C:\Users\userj\AppData\Local\1password\app\7\1Password.exe [11988]
C:\Users\userj\AppData\Local\1password\app\7\1Password.exe chrome-extension://aomjjhallfgjeglblehexxxxxxxxxxx/ --parent-window=0
2 C:\Windows\System32\cmd.exe [13844]
C:\WINDOWS\system32\cmd.exe /d /c "C:\Users\userj\AppData\Local\1password\app\7\1Password.exe" chrome-extension://aomjjhallfgjeglblehexxxxxxxxxxxx/ --parent-window=0 < \.\pipe\chrome.nativeMessaging.in.f0edbaadadxxxxx > \.\pipe\chrome.nativeMessaging.
3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [15092]
4 C:\Windows\explorer.exe [14056]
5 C:\Windows\System32\userinit.exe [10072]
6 C:\Windows\System32\winlogon.exe [14992]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [17212]
\SystemRoot\System32\smss.exe 00000100 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

Thumbprint
d7f8cde6xxxxxxxxx6175b39a99a9567xxxxxxxxx8e9187d50764b67xxxxxxxx


1Password Version: 7.0.558
Extension Version: 4.7.1.90
OS Version: Windows 10 build 1703/1709
Sync Type: teams account
Referrer: forum-search:caller check

Comments

  • Hi @dixie_tech,

    I've checked with our Windows development team and it looks like that's a false positive and should be reported to Sophos as such.

    Rick

  • dixie_tech
    Community Member

    Ok, thanks. I have contacted Sophos and they say it is exhibiting uncharacteristic behavior. They suggested white-listing the process if 1Password confirmed the process trace was legit. Thanks again for the response.

  • You're welcome.

    Rick

This discussion has been closed.
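
Before allow-listing a process on the strength of a trace like the one posted above, the ancestry can be checked against the way Chrome starts a native messaging host on Windows (chrome.exe, then cmd.exe /d /c with stdin/stdout redirected to chrome.nativeMessaging pipes, then the host with the extension origin and --parent-window). The following is an added example, not code from the thread, 1Password or Sophos; the function name, findings text and sample values are assumptions made for illustration.

```python
import ntpath
import re

# Launch shape Chrome uses on Windows for a native messaging host:
# cmd.exe /d /c "<host>" <origin> --parent-window=<n> < in-pipe > out-pipe
ORIGIN_RE = re.compile(r"chrome-extension://[a-p]{32}/")
PIPE_RE = re.compile(r"\\+\.\\pipe\\chrome\.nativeMessaging\.(in|out)\.[0-9a-f]+")
SHELL_RE = re.compile(r"\s/d\s+/c\s", re.I)

def check_native_host_chain(chain, expected_host):
    """chain: (image_path, command_line) tuples, child first as in the trace.
    Returns findings; an empty list means the ancestry fits the pattern."""
    if len(chain) < 3:
        return ["trace too short to show host, shell and browser"]
    (host_img, host_cmd), (shell_img, shell_cmd), (browser_img, _) = chain[:3]
    want = ntpath.normcase(expected_host)
    findings = []
    if ntpath.normcase(host_img) != want:
        findings.append("host image is not the expected native host path")
    if not ORIGIN_RE.search(host_cmd):
        findings.append("host command line lacks a chrome-extension:// origin")
    if "--parent-window=" not in host_cmd:
        findings.append("host command line lacks --parent-window")
    if ntpath.basename(shell_img).lower() != "cmd.exe" or not SHELL_RE.search(shell_cmd):
        findings.append("parent is not cmd.exe /d /c")
    if want not in ntpath.normcase(shell_cmd):
        findings.append("shell does not launch the expected host")
    if {m.group(1) for m in PIPE_RE.finditer(shell_cmd)} != {"in", "out"}:
        findings.append("shell does not redirect both native messaging pipes")
    if ntpath.basename(browser_img).lower() != "chrome.exe":
        findings.append("grandparent is not chrome.exe")
    return findings

# Constructed sample modelled on the posted trace; the extension ID and pipe
# suffix are made up, and HOST is the per-user install path seen in the post.
HOST = r"C:\Users\userj\AppData\Local\1password\app\7\1Password.exe"
EXT = "chrome-extension://" + "abcdefghijklmnop" * 2 + "/"
SAMPLE = [
    (HOST, f"{HOST} {EXT} --parent-window=0"),
    (r"C:\Windows\System32\cmd.exe",
     rf'C:\WINDOWS\system32\cmd.exe /d /c "{HOST}" {EXT} --parent-window=0'
     r" < \\.\pipe\chrome.nativeMessaging.in.0123abcd"
     r" > \\.\pipe\chrome.nativeMessaging.out.0123abcd"),
    (r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", ""),
]

if __name__ == "__main__":
    print(check_native_host_chain(SAMPLE, HOST) or "matches native messaging launch")
```

An empty result only says the chain has the expected shape; an allow-list entry should still be scoped to the vendor's signed binary rather than to the path alone.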