On the firewall, a system was detected trying to establish a connection to a malicious domain. Further, when drilled down, these were automated web requests.
DOMAIN I tried contacting -->
I'm seeing this on a number of computers too. Oddly, swi_fc.exe is a Sophos product, part of Endpoint, and if you have computers auto-isolate on red status they will go into isolation because of this. That seems really dumb. On top of it all, there's no Sophos Central remediation for this. So we have to travel to a site, log on to the computer (in my test environment I couldn't even log on without unplugging the network cable, as it "couldn't find the domain controller"), then get the tamper code, log into the Endpoint software, and click Resolve. Why can't we just resolve this from Sophos Central? Why isn't there the same button there? It's completely insane to require an onsite visit to every computer affected by this issue, and there are a lot, if we used the auto-isolate feature.
I think the auto-isolate feature is great, until a false positive happens like this. We also had a majority of computers across multiple customers go into red status because Endpoint falsely called a Java update malware. If we had auto-isolate on, we would have had hundreds of calls and have had to make hundreds of site visits to remediate.
-> Check your Ransomware / CryptoGuard events: 9/10 would be false positives
-> Enable Deep Learning: all ML/PEA alerts would be false positives
-> Exploit events: again, same
Everything comes down to:
- Please share SDU logs
- This can be a feature request
- Many false positives

Great tool with some promising features, but a disappointing bug fixing method :(