Saw a URL get blocked in EC and after investigation found its caused by malware/spyware BUT

Question

So I recently saw our EC web event log several hits for *.symcb.com and after I googled symcb.com along with Sophos I found several infections that talked about it attempting to make web connections to this domain. So I first went to all the machines that showed blocked hits and ran a full scan, nothing appeared. I ensured it was fully updated and ran again, no infections found. I then went and manually added the rest of the DNS requests I could find that matched the *symcb.com format from Sophos. I then went and checked the web events later and saw even more requests to *.symcb.com being blocked. From the same computers as before. I'm at this point not sure what to do, I believe there is an infection, based on these requests, but I don't know how to find it or get it removed. I figured since Sophos found the attempt to access the website and block it, it would be able to find the infection causing this action. 
 Is there something I can do to submit some logs to get this looked at? 
 For reference here are the articles I found with the DNS/Web requests referenced. 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSILInj-GT/detailed-analysis.aspx 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-BZE/detailed-analysis.aspx 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Fareit-EJ/detailed-analysis.aspx 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-DJW/detailed-analysis.aspx 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-DNU/detailed-analysis.aspx 
 https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Zbot-IYL/detailed-analysis.aspx 
 
 Any help is greatly appreciated!

GeoffTerry · Accepted Answer

So after more research it turns out that Symantec owns symcb.com and these requests aren't actually malicious. I don't know why they are in a fair amount of virus information pages provided by Sophos, perhaps its some automated feature that just added those requests to the page. I'm also confused why Symantec is even making http requests, since I uninstalled their AV before installing Sophos. Perhaps its just another symptom of how much of a pain uninstalling Symantec AV really is. I'm quoting Jak's post below because the information and suggestions are solid, but will be marking this reply as an answer so anyone who encounters the same will have an answer. 
 
 jak said: 
 Here are a couple of thoughts: 1. Do you have MTD enabled where licensed? https://community.sophos.com/kb/en-us/121607 
 If not enable MTD, that feature is designed to detect processes talking to malicious sites. 
 2. I would run Process Monitor ( technet.microsoft.com/.../processmonitor.aspx) and Wireshark ( https://www.wireshark.org/) on a computer exhibiting the behaviour in the hope to capture it (i.e. events in SEC coincide with the capture). You could filter the PML down to network events in Procmon to see what process is making connections to the site you mention and the network capture from Wireshark can fill in the details. 
 If you have trouble capturing it in a sensible time frame I would suggest installing Sysmon - https://technet.microsoft.com/en-gb/sysinternals/sysmon . This can log network connections for processes to the Sysmon event log. It is a very useful forensic tool and helpful for running a capture over a longer period. It creates hashes of processes so anything you don't recognise you could send to https://www.virustotal.com/ for a second opinion. 
 Hope it helps. 
 Regards, 
 Jak