
swi_fc.exe connecting to Malicious Domain

On the firewall a system was detected trying to establish a connection to a Malicious Domain. Further, when drilled down, these were automated web requests. 

DOMAIN I tried contacting --> 

Threat - www-x-nanfpump-x-com.img.abc188.com
Category - Malicious Websites
 
Further Investigated and the File involved was 
swi_fc.exe [Path : "c$\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe"]
 
This shows up on FIREWALL & Other End Point Analytics Tool
 
QUESTIONS : 
- Not sure why Web Intelligence Service is involved in generating this traffic?
 
 NOTE : 
-No Events on SOPHOS Dashboard for specific client Virus \ Web Events
-The executable swi_fc.exe on the system I checked against VIRUS TOTAL. It is not infected and shows Clean
-The malicious Domain is accessed over PORT 33 and I have verified the Domain is Malicious against other URL Categorization vendors.
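A triage check a defender can run on an affected endpoint, added here as an example and not part of the original post: it confirms that the binary at the path quoted in the alert is the Authenticode-signed Sophos component (a clean VirusTotal verdict alone does not prove identity) and lists the outbound TCP connections owned by the running process so the destination and port seen on the firewall can be matched to the endpoint. It assumes standard Windows cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-NetTCPConnection) and the path from the alert.

```powershell
# Added triage example (not from the original post). Path taken from the alert,
# written as a local path rather than the c$ admin-share form.
$exe = 'C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe'

# 1. Identity check: the file should carry a valid Authenticode signature whose
#    subject names Sophos. Record the SHA256 so it can be compared across hosts.
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    Path   = $exe
    Status = $sig.Status                      # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject   # expect a Sophos subject
    Sha256 = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
}

# 2. Network check: outbound connections owned by swi_fc.exe right now, so the
#    remote address/port in the firewall event can be tied to this process.
Get-Process -Name swi_fc -ErrorAction SilentlyContinue | ForEach-Object {
    Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
        Where-Object State -ne 'Listen' |
        Select-Object @{n='Process'; e={ 'swi_fc.exe' }},
                      RemoteAddress, RemotePort, State
}
```

If the signature status is anything other than Valid, or the signer is not Sophos, the file at that path is not the product component and the alert should be treated as a real detection rather than a false positive.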
 


  • I'm seeing this on a number of computers too. Oddly swi_fc.exe is a Sophos product, part of Endpoint, and if you have computers auto-isolate on red status they will go into isolation because of this. That seems really dumb. On top of it all, there's no Sophos Central remediation for this. So we have to travel to a site, log on to the computer (in my test environment I couldn't even log on without unplugging the network cable, as it "couldn't find the domain controller"), and then get the tamper code, log into the Endpoint software, and click Resolve. Why can't we just resolve this from Sophos Central? Why isn't there the same button there? It's completely insane to require an onsite visit to every computer affected by this issue, and there are a lot, if we used the auto-isolate feature.

    I think the auto-isolate feature is great, until a false positive happens like this. We also had a majority of computers across multiple customers go into red status because Endpoint falsely called a Java update malware. If we had auto-isolate on we would have had hundreds of calls and have had to make hundreds of site visits to remediate. 


  • Agreed!

    To Add 

    -> Check your Ransomware \ Cryptoguard Events, 9\10 would be False Positive 

    -> Enable Deep Learning all ML\PEA Alerts would be False Positive

    -> Exploit Events-again Same


    Everything comes down to 

    Please Share SDU Logs 

    Or 

    This Can be a Feature Request. 

    Many False Positives, 

    Great Tool with some Promising Features but disappointing bug-fixing method :(