This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Live query for extracting applications that contacted a blocked domain

Hi,

I'm facing a problem as when I query and endpoint that contacted a denied domain, I only get the sophos proxy service swi_fc.exe as the application involved.

Is there a way to extract the original application invoking that ip/domain?
Tks

This thread was automatically locked due to age.

Top Replies

Sophos User930 over 3 years ago +1

Swi_fc.exe only proxies traffic from browser processes, e.g. Chrome.exe, firefox.exe, etc.. SophosNTPService is responsible for checking if other processes are making connection to C2 servers. The whole…

0 Sophos User930 over 3 years ago

Swi_fc.exe only proxies traffic from browser processes, e.g. Chrome.exe, firefox.exe, etc..

SophosNTPService is responsible for checking if other processes are making connection to C2 servers.

The whole swi_fc.exe proxy is going to be removed shortly so connections from browsers will revert to coming from the browser. I think this is in EAP now for some accounts. You may want to enrol a client in the latest endpoint EAP software.

Live Discover Query - Checking for redirected web traffic to unknown processes - Processes - Intercept X Endpoint - Sophos Community is relevant.
Cancel
Vote Up +1 Vote Down

Cancel
0 Fabio Puricelli over 3 years ago in reply to Sophos User930

Thanks for updating on this. So at the moment there's no way to query for such, right? I can only suppose the domain was contacted by the browser as the process involved was swi_fc
Cancel
Vote Up 0 Vote Down

Cancel