On the firewall, a system was detected trying to establish a connection to a malicious domain. Further, when drilled down, these were automated web requests.
DOMAIN i tried contacting-->
The domain mentioned above is identified as uncategorized in the Sophos AV; also, it is only identified by two vendors in VirusTotal.
But still, as you mentioned that swi_fc.exe is trying to contact this URL, I'd recommend you open a support case here, as it needs more detailed troubleshooting for malware analysis and investigation of why the Sophos web intelligence service is trying to connect to the above URL.
Jasmin, Community Support Engineer | Sophos Support
swi_fc.exe is the endpoint process that proxies browser traffic if web control or web protection features are enabled. I.e. Chrome.exe/iexplore.exe etc. talk via loopback to this process, and this process makes the outbound connection. So it does make sense that this process is connecting to the site in question.
Okay, let me investigate in more detail. However, I am just not convinced the PC from swiz is trying to reach China. I'll investigate further.
True, Jak. My understanding was the same. However, let me check deeper if it's some other executable and swi_fc.exe is just trying to look up the address.
I'm seeing this on a number of computers too. Oddly swi_fc.exe is a Sophos product, part of Endpoint, and if you have computers auto-isolate on red status they will go into isolation because of this. That seems really dumb. On top of it all, there's no Sophos Central remediation for this. So we have to travel to a site, log on to the computer (in my test environment I couldn't even log on without unplugging the network cable, as it "couldn't find the domain controller"), and then get the tamper code, log into the Endpoint software, and click Resolve. Why can't we just resolve this from Sophos Central? Why isn't there the same button there? It's completely insane to require an onsite visit to every computer affected by this issue, and there are a lot, if we used the auto-isolate feature.
I think the auto-isolate feature is great, until a false positive happens like this. We also had a majority of computers across multiple customers go into red status because Endpoint falsely called a Java update malware. If we had auto-isolate on, we would have had hundreds of calls and have had to make hundreds of site visits to remediate.
-> Check your Ransomware \ CryptoGuard events: 9/10 would be false positives
-> Enable Deep Learning: all ML\PEA alerts would be false positives
-> Exploit events: again, the same
Everything comes down to
Please Share SDU Logs
This Can be a Feature Request.
Many False Positives,
Great tool with some promising features, but a disappointing bug-fixing method :(