
Security and endpoint protection
How live caller identification works technically, what security software may notice, and how to prepare your endpoint protection
Overview
The echo Windows client provides live caller identification: on an incoming Microsoft Teams call it shows the caller's contact details before the call is answered. To do this, the client must detect the Teams call notification and read the caller's phone number from it.
This page explains which system mechanisms the client uses for this, why endpoint protection software (antivirus, EDR) may take notice, and how to prepare your environment so that alerts or false positives do not disrupt operation.
How caller identification works technically
Recent versions of Microsoft Teams render the incoming-call notification in a way that is no longer readable through the Windows accessibility interfaces (UI Automation) that earlier versions of the echo client used. The client therefore reads the phone number directly from the notification as displayed on screen:
| Mechanism | What the client does | Scope |
|---|---|---|
| Window event hook | Registers a system event hook (SetWinEventHook) to be notified when the Teams call notification appears. This is a passive notification mechanism — no code is injected into other processes. | Continuous, passive |
| Screen capture | When the Teams call notification appears, the client captures only the small screen region of that notification (roughly 370 × 250 pixels) to read the phone number from it. | Only while a call is ringing, about 2 captures per second for a few seconds |
| Text recognition (OCR) | The captured image is converted to text with the OCR engine built into Windows and searched for a phone number. | In memory only |
| Accessibility interfaces | For other Teams windows (e.g. the active call window) the client continues to use Windows UI Automation, as before. | Event-driven |
Just as important is what the client does not do:
- No keyboard or mouse hooks — no input is intercepted (no keylogging).
- No continuous screen recording — captures happen only while a Teams call notification is on screen, limited to that notification's area.
- Captured images are never stored or transmitted. They are processed in memory and discarded immediately. Only the extracted phone number is used — it is sent to the echo backend for contact resolution, exactly as in previous versions.
- No code injection into Teams or any other process.
Why security software may take notice
Screen capture APIs are also used by malware (screen grabbers, info stealers). Behavior-based endpoint protection (EDR such as Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, and others) therefore monitors these API patterns. In practice this can lead to:
- Informational or hunting-grade alerts in the EDR console, e.g. "screen capture activity", typically triggered on an incoming call.
- False positives by heuristics, particularly when a build is brand-new or the executable's reputation has not yet been established.
- Questions from your SOC when the behavior is observed without context.
The pattern that security products treat as genuinely malicious — covert continuous capture combined with exfiltration of the images — does not apply to the echo client: captures are event-driven, tiny, local-only, and the application is a visible, signed desktop application.
Recommended preparation
Deploy only the signed original package
Distribute the echo Windows client exactly as delivered by Snapbean. Do not repackage or re-sign the application — the publisher signature is the primary trust signal for SmartScreen and endpoint protection.
Allowlist by publisher
If you use application control (AppLocker, WDAC) or EDR allowlisting, create the rule based on the publisher certificate (Snapbean Software AG) rather than file paths or hashes. Publisher rules survive application updates; hash rules must be renewed with every release.
Inform your SOC / document the expected behavior
Add the following to your SOC runbook or software inventory documentation:
- The echo Windows client captures the screen region of the Microsoft Teams call notification during incoming calls (event-driven, a few seconds, ~370 × 250 pixels) and extracts the caller's phone number with the Windows built-in OCR engine.
- Captured images are processed in memory only and never stored or transmitted.
- Correlated alerts ("screen capture activity" from
echoForTeams.exeat the time of an incoming Teams call) are expected behavior.
If a false positive occurs
- Verify the file signature (publisher: Snapbean Software AG) and the installation path.
- Restore the file from quarantine and add an exclusion (preferably publisher-based, see step 2).
- Report the false positive to your endpoint protection vendor — this improves the verdict for all customers. You may reference this page as the vendor documentation of the behavior.