Sophos home: 'CallerCheck' exploit prevented in 1Password for Windows desktop.

Toshen
Community Member
edited April 2023 in 1Password 7 for Windows

Received an alert from Sophos Home on Windows 10 about 1Password 7 (latest versions of all three): 'CallerCheck' exploit prevented in 1Password for Windows desktop. Sophos Home then blocked 1Password 7. Had to log into Sophos Home online and log an exception to allow 1Password 7 to function.


1Password Version: 7.0.532
Extension Version: Not Provided
OS Version: Windows 10 Home v1709 OS Build 16299.334
Sync Type: Not Provided

Comments

  • MikeT
    edited April 2018

    Hi @Toshen,

    Thanks for reporting it.

    It's a false positive; we've gotten a few of these from Sophos Home over the year. Please report it to Sophos for them to fix it on their side.

  • Toshen
    Community Member

    Thanks. Yes, I've already reported it to them.

  • Thanks for doing that!

  • cbrendel
    Community Member

    Hi there,
    I'm running into the same problem with Sophos Central for Enterprise. Did / does / can anybody look into this please?
    Thanks
    Christian

  • cbrendel
    Community Member
    edited June 2018

    Sorry, accidentally posted twice... and I also didn't see that you guys are already aware and have reported it with Sophos, as my adblocker was blocking all replies to Toshen's original post. Oops. Sorry and thanks a lot!

  • AGAlumB
    1Password Alumni

    @cbrendel: No worries! Thanks for taking the time to get in touch. Definitely let Sophos know that this is also affecting you as their customer, and we'll continue to work with them to avoid things like this in the future. :)

  • cbrendel
    Community Member

    Excellent, will do!

  • AGAlumB
    1Password Alumni

    Much appreciated! :) :+1:

  • Blogbe
    Community Member

    This is still happening. I have had to deinstall 1Password as the warning just keeps repeating.

  • AGAlumB
    1Password Alumni

    @Blogbe: Did you try what Toshen did? That can certainly help, and reporting it to Sophos will make a difference since you're their customer and it's their software causing this.

  • Blogbe
    Community Member

    Sounds like you are passing the buck. Why is it their software and not yours? I am now running Dashlane and no problems.

  • AGAlumB
    1Password Alumni

    @Blogbe: I hope you'll appreciate that we have zero control over another company incorrectly identifying "1Password" as "CallerCheck", when these are clearly not the same thing. That's not passing the buck; that's reality. Again, we'll continue to work with them to try to avoid this in the future, but we're not their customer; you are, so you'll have a lot more influence than we do. That's why I suggested reaching out to them.

  • MikeT
    edited June 2018

    Hi @blogbe,

    In addition to what Brenty said, CallerCheck is an aggressive check about a general function that has been exploited by some malware as an attack method. In other words, it's like blocking apps from reading a file just because some random malware also read files. It has a very high risk of false positives and CallerCheck has already been known to falsely flag a lot of apps (here's one thread with dozens of various apps being affected).

    Sophos is being very cautious for you but there is no issue within 1Password at all. The CallerCheck algorithm doesn't like the way 1Password registers itself to start upon reboots and to integrate with browsers, but they're normal functions.

  • wfscot
    Community Member

    FWIW, I had the same problem at boot, with Sophos (Enterprise Endpoint Protection) popping the CallerCheck error constantly. I was going to add an exception in Sophos which, ironically, required my password stored in 1Password. As soon as I started the desktop application manually, the errors stopped and all now appears well, including the browser integration.

    It seems that Sophos does not like the way the 1Password service behaves in the background.

  • AGAlumB
    1Password Alumni

    Wow. That is ironic. Indeed, glad that did the trick for you. We'll continue to work with Sophos to address issues like this whenever they pop up. :blush:

  • Kara
    Community Member

    Just a slightly related heads up, with regards to Outlook and the CallerCheck/Sophos debacle, I found a workaround that if I started Outlook in safe mode it would start. Close and start in normal mode and the CallerCheck/Sophos alarm goes away. As I said, slightly related.

  • Thanks for letting us know.

    CallerCheck is related to how the apps start. In this case, I believe Sophos simply doesn't like the 1Password extension starting the 1Password app when the main 1Password app is not set to start on its own during boot up.

  • WT9BIND
    Community Member

    Hi, I run Sophos enterprise in my corporate network. The easiest way to stop the message is to head to Sophos Central Admin:
    https://cloud.sophos.com/manage/dashboard

    Click on Endpoint Protection
    Under Configure --> Settings
    Under General --> Exploit Mitigation Exclusions (or once logged in: https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions)
    Click Add Exclusion and choose 1Password and 1Password for Windows desktop from the list

    I hope this helps

This discussion has been closed.