Preview
echo for Microsoft Teams
Windows client · Administrator

Security and endpoint protection

How live caller identification works technically, what security software may notice, and how to prepare your endpoint protection

Product: echo for TeamsUpdated: June 2026Version: 1.0
💡 This guide is optimized for PDF export. Print → “Save as PDF”, enable background graphics.

Overview

The echo Windows client provides live caller identification: on an incoming Microsoft Teams call it shows the caller's contact details before the call is answered. To do this, the client must detect the Teams call notification and read the caller's phone number from it.

This page explains which system mechanisms the client uses for this, why endpoint protection software (antivirus, EDR) may take notice, and how to prepare your environment so that alerts or false positives do not disrupt operation.

Who is this page for?IT administrators and security teams who roll out the echo Windows client or review it before deployment (e.g. software approval, SOC runbooks, EDR allowlisting).

How caller identification works technically

Recent versions of Microsoft Teams render the incoming-call notification in a way that is no longer readable through the Windows accessibility interfaces (UI Automation) that earlier versions of the echo client used. The client therefore reads the phone number directly from the notification as displayed on screen:

MechanismWhat the client doesScope
Window event hookRegisters a system event hook (SetWinEventHook) to be notified when the Teams call notification appears. This is a passive notification mechanism — no code is injected into other processes.Continuous, passive
Screen captureWhen the Teams call notification appears, the client captures only the small screen region of that notification (roughly 370 × 250 pixels) to read the phone number from it.Only while a call is ringing, about 2 captures per second for a few seconds
Text recognition (OCR)The captured image is converted to text with the OCR engine built into Windows and searched for a phone number.In memory only
Accessibility interfacesFor other Teams windows (e.g. the active call window) the client continues to use Windows UI Automation, as before.Event-driven

Just as important is what the client does not do:

Privacy noteMicrosoft Teams shows chat notifications in the same notification window as call notifications. Text recognition may therefore briefly process a chat notification's preview text in memory. Such text is discarded immediately; it is never stored, logged in production, or transmitted.

Why security software may take notice

Screen capture APIs are also used by malware (screen grabbers, info stealers). Behavior-based endpoint protection (EDR such as Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, and others) therefore monitors these API patterns. In practice this can lead to:

The pattern that security products treat as genuinely malicious — covert continuous capture combined with exfiltration of the images — does not apply to the echo client: captures are event-driven, tiny, local-only, and the application is a visible, signed desktop application.

1

Deploy only the signed original package

Distribute the echo Windows client exactly as delivered by Snapbean. Do not repackage or re-sign the application — the publisher signature is the primary trust signal for SmartScreen and endpoint protection.

2

Allowlist by publisher

If you use application control (AppLocker, WDAC) or EDR allowlisting, create the rule based on the publisher certificate (Snapbean Software AG) rather than file paths or hashes. Publisher rules survive application updates; hash rules must be renewed with every release.

3

Inform your SOC / document the expected behavior

Add the following to your SOC runbook or software inventory documentation:

  • The echo Windows client captures the screen region of the Microsoft Teams call notification during incoming calls (event-driven, a few seconds, ~370 × 250 pixels) and extracts the caller's phone number with the Windows built-in OCR engine.
  • Captured images are processed in memory only and never stored or transmitted.
  • Correlated alerts ("screen capture activity" from echoForTeams.exe at the time of an incoming Teams call) are expected behavior.
4

If a false positive occurs

  1. Verify the file signature (publisher: Snapbean Software AG) and the installation path.
  2. Restore the file from quarantine and add an exclusion (preferably publisher-based, see step 2).
  3. Report the false positive to your endpoint protection vendor — this improves the verdict for all customers. You may reference this page as the vendor documentation of the behavior.
ImportantIf your organization's policy blocks screen capture APIs entirely (e.g. via strict WDAC or attack surface reduction policies), live caller identification cannot work on affected machines. In that case, define an exception for the echo Windows client or contact Snapbean support to evaluate alternatives.