Sophos home: 'CallerCheck' exploit prevented in 1Password for Windows desktop.
Received an alert from Sophos Home on Windows 10 about 1Password 7 (latest versions of all three): 'CallerCheck' exploit prevented in 1Password for Windows desktop. Sophos Home then blocked 1Password 7. Had to log into Sophos Home online and log an exception to allow 1Password 7 to function.
1Password Version: 7.0.532
Extension Version: Not Provided
OS Version: Windows 10 Home v1709 OS Build 16299.334
Sync Type: Not Provided
Comments
-
Thanks. Yes, I've already reported it to them.
0 -
Thanks for doing that!
0 -
Hi there,
I'm running into the same problem with Sophos Central for Enterprise. Did / does / can anybody look into this please?
Thanks
Christian
0 -
sorry, accidentally posted twice... and I also didn't see that you guys are already aware and have reported it with Sophos, as my adblocker was blocking all replies to Toshen's original post. uuups. Sorry and thanks a lot!
0 -
excellent, will do!
0 -
Much appreciated! :) :+1:
0 -
This is still happening. I have had to deinstall 1Password as the warning just keeps repeating.
0 -
@Blogbe: Did you try what Toshen did? That can certainly help, and reporting it to Sophos will make a difference since you're their customer and it's their software causing this.
0 -
Sounds like you are passing the buck. Why is it their software and not yours? I am now running Dashlane and no problems.
0 -
@Blogbe: I hope you'll appreciate that we have zero control over another company incorrectly identifying "1Password" as "CallerCheck", when these are clearly not the same thing. That's not passing the buck; that's reality. Again, we'll continue to work with them to try to avoid this in the future, but we're not their customer; you are, so you'll have a lot more influence than we do. That's why I suggested reaching out to them.
0 -
Hi @blogbe,
In addition to what Brenty said, CallerCheck is an aggressive check about a general function that has been exploited by some malware as an attack method. In other words, it's like blocking apps from reading a file just because some random malware also read files. It has a very high risk of false positives and CallerCheck has already been known to falsely flag a lot of apps (here's one thread with dozens of various apps being affected).
Sophos is being very cautious for you but there is no issue within 1Password at all. The CallerCheck algorithm doesn't like the way 1Password registers itself to start upon reboots and to integrate with browsers, but they're normal functions.
0 -
FWIW, I had the same problem at boot, with Sophos (Enterprise Endpoint Protection) popping the CallerCheck error constantly. I was going to add an exception in Sophos which, ironically, required my password stored in 1Password. As soon as I started the desktop application manually, the errors stopped and all now appears well, including the browser integration.
It seems that Sophos does not like the way the 1Password service behaves in the background.
0 -
Wow. That is ironic. Indeed, glad that did the trick for you. We'll continue to work with Sophos to address issues like this whenever they pop up. :blush:
0 -
Just a slightly related heads up, with regards to Outlook and the CallerCheck/Sophos debacle, I found a workaround that if I started Outlook in safe mode it would start. Close and start in normal mode and the CallerCheck/Sophos alarm goes away. As I said, slightly related.
0 -
Thanks for letting us know.
CallerCheck is related to how the apps start. In this case, I believe Sophos simply doesn't like the 1Password extension starting the 1Password app when the main 1Password app is not set to start on its own during boot up.
0 -
Hi, I run Sophos enterprise in my corporate network. The easiest way to stop the message is to head to Sophos Central Admin:
https://cloud.sophos.com/manage/dashboard
Click on Endpoint Protection
Under Configure --> Settings
Under General --> Exploit Mitigation Exclusions (or once logged in: https://cloud.sophos.com/manage/endpoint/config/settings/exploit-mitigation-exclusions)
Click Add Exclusion and choose 1Password and 1Password for Windows desktop from the list
I hope this helps
0 -
Thanks!
Sophos also wrote their guide for 1Password customers here: https://support.home.sophos.com/hc/en-us/articles/360001007266--CallerCheck-exploit-prevented-in-1Password-for-Windows-desktop
0