This discussion has been locked.

swi_fc.exe connecting to Malicious Domain

On the firewall, a system was detected trying to establish a connection to a Malicious Domain. Further, when drilled down, these were automated web requests.

DOMAIN I tried contacting -->

Threat - www-x-nanfpump-x-com.img.abc188.com
Category - Malicious Websites
 
Further Investigated and the File involved was 
swi_fc.exe [Path : "c$\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe"]
 
This shows up on FIREWALL & Other End Point Analytics Tool
 
QUESTIONS : 
- Not sure why Web Intelligence Service is involved in generating this traffic?
 
NOTE :
- No Events on SOPHOS Dashboard for specific client Virus \ Web Events
- The executable swi_fc.exe on the system I checked against VIRUS TOTAL. It is not infected and shows Clean
- The malicious Domain is accessed over PORT 33 and I have verified the Domain is Malicious against other URL Categorization vendors.
 


This thread was automatically locked due to age.
  • swi_fc.exe is the endpoint process that proxies browser traffic if web control or web protection features are enabled.  I.e. Chrome.exe/iexplore.exe etc talk via loopback to this process and this process makes the outbound connection.  So it does make sense that this process is connecting to the site in question.


  • True Jak. My understanding was same. However let me check deeper if it's some other executable and swi_fc.exe is just trying to look up the address
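One way to carry out the check discussed in the replies above, as an added example that is not part of the original thread and is not Sophos code: because swi_fc.exe makes the outbound connection on behalf of a local client, the firewall log names the proxy, and the originating program has to be found from the loopback side. The function name `Get-SwiFcClient` and its parameters are hypothetical; it assumes swi_fc.exe accepts client connections on a loopback TCP port, as the reply describes, and that `Get-NetTCPConnection` is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: list the local processes that are connected to swi_fc.exe over loopback.
# Run from an elevated PowerShell session on the affected endpoint.
function Get-SwiFcClient {
    param(
        [int]$Seconds = 60,            # how long to keep polling (assumed default)
        [int]$IntervalMs = 500         # delay between polls (assumed default)
    )
    $loopback = '127.0.0.1', '::1'
    $seen     = @{}                    # de-duplicate on client PID + proxy port
    $deadline = (Get-Date).AddSeconds($Seconds)

    while ((Get-Date) -lt $deadline) {
        $proxyPids = @(Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty Id)
        if (-not $proxyPids) { Write-Warning 'swi_fc.exe is not running'; return }

        # Ports on which the proxy is listening for local clients.
        $proxyPorts = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $proxyPids -contains $_.OwningProcess } |
            Select-Object -ExpandProperty LocalPort -Unique)

        # Established loopback connections into those ports, owned by some other process.
        Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object {
                $loopback   -contains $_.RemoteAddress -and
                $proxyPorts -contains $_.RemotePort    -and
                $proxyPids  -notcontains $_.OwningProcess
            } |
            ForEach-Object {
                $key = '{0}:{1}' -f $_.OwningProcess, $_.RemotePort
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = $true
                    $p = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.OwningProcess)"
                    [pscustomobject]@{
                        FirstSeen   = Get-Date
                        ClientPid   = $_.OwningProcess
                        ClientName  = $p.Name
                        ClientPath  = $p.ExecutablePath
                        CommandLine = $p.CommandLine
                        ProxyPort   = $_.RemotePort
                    }
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Get-SwiFcClient -Seconds 120 | Format-List
```

Client connections can be short-lived, so run it while the firewall is still logging the requests and compare the `FirstSeen` times against the firewall timestamps.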
