swi_fc.exe connecting to Malicious Domain

On the firewall a system was detected trying to establish a connection to a Malicious Domain. Further, when drilled down, these were automated web requests.

DOMAIN I tried contacting -->

Threat - www-x-nanfpump-x-com.img.abc188.com
Category - Malicious Websites
 
Further investigated, and the file involved was
swi_fc.exe [Path : "c$\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe"]
 
This shows up on FIREWALL & Other End Point Analytics Tool
 
QUESTIONS : 
- Not sure why Web Intelligence Service is involved in generating this traffic?
 
 NOTE : 
- No events on SOPHOS Dashboard for the specific client (Virus \ Web Events)
- The executable swi_fc.exe on the system I checked against VIRUS TOTAL. It is not infected and shows Clean.
- The malicious domain is accessed over PORT 33 and I have verified the domain is malicious against other URL categorization vendors.
 
  • Hi  

    The domain mentioned above is identified as uncategorized in the Sophos AV, also it is only identified by two vendors in Virus total.

    But still, as you mentioned that swi_fc.exe is trying to contact this URL, I'd recommend you open a support case here, as it needs more detailed troubleshooting for malware analysis and an investigation into why the Sophos web intelligence service is trying to connect to the above URL.

  • swi_fc.exe is the endpoint process that proxies browser traffic if web control or web protection features are enabled. I.e. chrome.exe/iexplore.exe etc. talk via loopback to this process and this process makes the outbound connection. So it does make sense that this process is connecting to the site in question.
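Because the proxy described above makes the outbound connection on behalf of browsers that talk to it over loopback, a firewall or EDR alert naming swi_fc.exe does not tell you which application actually requested the site. The following added example (not part of this thread or any Sophos tooling) takes a constructed connection-table snapshot, in the shape of `netstat -ano` output with process names resolved, and lists the loopback clients of the proxy as candidate originators for each of the proxy's external connections; the loopback port 8080, the PIDs and the remote address 203.0.113.10 are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Conn:
    """One row of a connection table (local/remote endpoint, state, owning process)."""
    pid: int
    process: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str

# Constructed snapshot: the proxy listens on loopback, two local applications are
# connected to that listener, and the proxy holds one external connection (port 33
# matches the port reported in the thread; the IP is a documentation-range placeholder).
SNAPSHOT = [
    Conn(1234, "swi_fc.exe", "127.0.0.1", 8080, "0.0.0.0", 0, "LISTENING"),
    Conn(5678, "chrome.exe", "127.0.0.1", 49152, "127.0.0.1", 8080, "ESTABLISHED"),
    Conn(1234, "swi_fc.exe", "127.0.0.1", 8080, "127.0.0.1", 49152, "ESTABLISHED"),
    Conn(1234, "swi_fc.exe", "10.0.0.5", 49153, "203.0.113.10", 33, "ESTABLISHED"),
    Conn(9012, "outlook.exe", "127.0.0.1", 49160, "127.0.0.1", 8080, "ESTABLISHED"),
    Conn(1234, "swi_fc.exe", "127.0.0.1", 8080, "127.0.0.1", 49160, "ESTABLISHED"),
]

def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"

def loopback_clients(snapshot: List[Conn], proxy_name: str = "swi_fc.exe") -> Dict[int, str]:
    """Map pid -> process name for every process connected to the proxy's loopback listener."""
    listen_ports = {c.lport for c in snapshot
                    if c.process == proxy_name and c.state == "LISTENING"}
    return {c.pid: c.process for c in snapshot
            if c.process != proxy_name and _is_loopback(c.raddr) and c.rport in listen_ports}

def triage_outbound(snapshot: List[Conn], proxy_name: str = "swi_fc.exe") -> List[dict]:
    """For each external connection the proxy holds, list the local processes that could
    have originated it. A connection table cannot pair one proxied stream with one client,
    so the result is a candidate list to confirm against proxy or EDR telemetry."""
    candidates = sorted(set(loopback_clients(snapshot, proxy_name).values()))
    return [
        {"remote": f"{c.raddr}:{c.rport}", "proxy_pid": c.pid, "candidates": candidates}
        for c in snapshot
        if c.process == proxy_name and c.state == "ESTABLISHED" and not _is_loopback(c.raddr)
    ]
```

On a live host the snapshot would come from the connection table at the time of the alert; the candidate list narrows the investigation to the applications behind the proxy rather than the proxy binary itself.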


  • In reply to Jasmin:

    Okay, let me investigate more in detail. However, I am just not convinced the PC from swiz is trying to reach China. I'll investigate further.

  • In reply to jak:

    True, Jak. My understanding was the same. However, let me check deeper if it's some other executable and swi_fc.exe is just trying to look up the address.

  • I'm seeing this on a number of computers too. Oddly swi_fc.exe is a Sophos product, part of Endpoint, and if you have computers auto-isolate on red status they will go into isolation because of this. That seems really dumb. On top of it all, there's no Sophos Central remediation for this. So we have to travel to a site, log on to the computer (in my test environment I couldn't even log on without unplugging the network cable, as it "couldn't find the domain controller"), and then get the tamper code, log into the Endpoint software, and click Resolve. Why can't we just resolve this from Sophos Central? Why isn't there the same button there? It's completely insane to require an onsite visit to every computer affected by this issue, and there are a lot, if we used the auto-isolate feature.

    I think the auto-isolate feature is great, until a false positive happens like this. Also have a majority of computers across multiple customers go into red status because Endpoint falsely called a Java update malware. If we had auto-isolate on we would have had hundreds of calls and have had to make hundreds of site visits to remediate. 

  • In reply to Lowell Picklyk:

    Agreed!

    To Add 

    -> Check your Ransomware \ CryptoGuard events: 9/10 would be False Positive

    -> Enable Deep Learning: all ML \ PEA alerts would be False Positive

    -> Exploit events - again, same


    Everything comes down to 

    Please Share SDU Logs 

    Or 

    This Can be a Feature Request. 

    Many False Positives, 

    Great tool with some promising features but a disappointing bug fixing method :(