Hi,
We are looking into some of the behaviour being observed by Sophos' Web Gateway, and in particular SophosAgentRelay.exe.
It appears a large volume of processes are spawned by this binary (not at once, but over the course of the day). The processes mainly seem focussed around using "sc.exe" to query for services, or using "tasklist" to query for running tasks. The latter also has its own child processes.
Is anyone able to define the purpose of this binary in the CWG ecosystem? - I always thought it was the proxy/scanning component for capturing and parsing traffic.
Why would this binary need to query services, and query images under task list?
Any thoughts welcome.
Thanks!