
Saw a URL get blocked in EC and after investigation found it's caused by malware/spyware BUT

So I recently saw in our EC web event log several hits for *.symcb.com, and after I googled symcb.com along with Sophos I found several infections that talked about it attempting to make web connections to this domain. So I first went to all the machines that showed blocked hits and ran a full scan; nothing appeared. I ensured it was fully updated and ran again; no infections found. I then went and manually added the rest of the DNS requests I could find that matched the *symcb.com format from Sophos. I then went and checked the web events later and saw even more requests to *.symcb.com being blocked, from the same computers as before.

I'm at this point not sure what to do. I believe there is an infection, based on these requests, but I don't know how to find it or get it removed. I figured that since Sophos found the attempt to access the website and blocked it, it would be able to find the infection causing this action.

Is there something I can do to submit some logs to get this looked at?

For reference here are the articles I found with the DNS/Web requests referenced.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSILInj-GT/detailed-analysis.aspx

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-BZE/detailed-analysis.aspx

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Fareit-EJ/detailed-analysis.aspx

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-DJW/detailed-analysis.aspx

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MSIL-DNU/detailed-analysis.aspx

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Zbot-IYL/detailed-analysis.aspx

Any help is greatly appreciated!

  • Here are a couple of thoughts:

    1. Do you have MTD enabled where licensed?  https://community.sophos.com/kb/en-us/121607

    If not enable MTD, that feature is designed to detect processes talking to malicious sites.

    2. I would run Process Monitor (technet.microsoft.com/.../processmonitor.aspx) and Wireshark (https://www.wireshark.org/) on a computer exhibiting the behaviour in the hope of capturing it (i.e. events in SEC coincide with the capture). You could filter the PML down to network events in Procmon to see what process is making connections to the site you mention, and the network capture from Wireshark can fill in the details.

    If you have trouble capturing it in a sensible time frame I would suggest installing Sysmon - https://technet.microsoft.com/en-gb/sysinternals/sysmon. This can log network connections for processes to the Sysmon event log. It is a very useful forensic tool and helpful for running a capture over a longer period. It creates hashes of processes, so anything you don't recognise you could send to https://www.virustotal.com/ for a second opinion.

    Hope it helps.

    Regards,

    Jak
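    The process-attribution step Jak describes, done against the Sysmon log from PowerShell, as an added example that is not from the original thread. It assumes Sysmon is installed with network-connection logging (Event ID 3) and, on Sysmon 10 or later, DNS-query logging (Event ID 22); the `$Domain` and `$Hours` parameters are the author's own, with this thread's `*symcb.com` as the default.

```powershell
# Added example (not from the thread): tie Sysmon-logged connections to a domain
# back to the process image and its hash, so a blocked-URL event in the console
# can be matched to what initiated it. Assumes Sysmon with Event ID 3 enabled and,
# on Sysmon 10+, Event ID 22. '*symcb.com' is the case from this thread.
param(
    [string]$Domain = '*symcb.com',
    [int]$Hours = 24
)

$log   = 'Microsoft-Windows-Sysmon/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Turn one Sysmon event into a hashtable of its EventData fields.
function Get-SysmonData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    return $fields
}

# Event ID 1 (process create) carries the image hashes; index them by ProcessGuid.
$hashByGuid = @{}
Get-WinEvent -FilterHashtable @{LogName=$log; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-SysmonData $_
        if ($d.ProcessGuid) { $hashByGuid[$d.ProcessGuid] = $d.Hashes }
    }

# Event ID 3 = network connection (DestinationHostname comes from a reverse lookup,
# so it can differ from the name the process asked for); Event ID 22 = DNS query.
$hits = Get-WinEvent -FilterHashtable @{LogName=$log; Id=3,22; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-SysmonData $_
        $name = if ($_.Id -eq 22) { $d.QueryName } else { $d.DestinationHostname }
        if ($name -like $Domain) {
            [pscustomobject]@{
                Time   = $d.UtcTime
                Kind   = if ($_.Id -eq 22) { 'DNS' } else { 'Connect' }
                Name   = $name
                DestIp = $d.DestinationIp
                Image  = $d.Image
                # Null when the process started before the time window.
                Hashes = if ($d.ProcessGuid) { $hashByGuid[$d.ProcessGuid] } else { $null }
            }
        }
    }

# One row per process image; unfamiliar images and hashes are the ones to check on VirusTotal.
$hits | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Hashes'; e={ ($_.Group.Hashes | Select-Object -Unique) -join '; ' }}
```

    The last table is what answers the thread's question: if the image column shows a leftover vendor component rather than something unknown, the blocked requests are a cleanup problem, not an infection.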

  • So after more research it turns out that Symantec owns symcb.com and these requests aren't actually malicious. I don't know why they are in a fair amount of virus information pages provided by Sophos; perhaps it's some automated feature that just added those requests to the page. I'm also confused why Symantec is even making HTTP requests, since I uninstalled their AV before installing Sophos. Perhaps it's just another symptom of how much of a pain uninstalling Symantec AV really is.

    I'm quoting Jak's post below because the information and suggestions are solid, but will be marking this reply as an answer so anyone who encounters the same will have an answer.

     

    jak said:

    Here are a couple of thoughts:

    1. Do you have MTD enabled where licensed?  https://community.sophos.com/kb/en-us/121607

    If not enable MTD, that feature is designed to detect processes talking to malicious sites.

    2. I would run Process Monitor (technet.microsoft.com/.../processmonitor.aspx) and Wireshark (https://www.wireshark.org/) on a computer exhibiting the behaviour in the hope of capturing it (i.e. events in SEC coincide with the capture). You could filter the PML down to network events in Procmon to see what process is making connections to the site you mention, and the network capture from Wireshark can fill in the details.

    If you have trouble capturing it in a sensible time frame I would suggest installing Sysmon - https://technet.microsoft.com/en-gb/sysinternals/sysmon. This can log network connections for processes to the Sysmon event log. It is a very useful forensic tool and helpful for running a capture over a longer period. It creates hashes of processes, so anything you don't recognise you could send to https://www.virustotal.com/ for a second opinion.

    Hope it helps.

    Regards,

    Jak

     
