We are getting repeated SEP alerts from a client based on a temp file from Outlook and a file from a flash drive, both of which were deleted last week (flash drive isn’t even in machine), but is triggering alerts every day. We have confirmed that the files are not on the host. A sample of the alert follows. Note the event date/time vs last updated time. We get multiple alerts per week from other machines with same config but have never seen this behavior before. We’ve run multiple full scans and reboots. Ideas?
2019-09-25 08:22:28,Virus found,IP Address: xxxxx,Computer name: xxxx,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number: ,Source: Auto-Protect scan,Risk name: ISB.Downloader!gen279,Occurrences: 1,C:UsersxxxxAppDataLocalPackagesoice_16_974fa576_32c1d314_1abACTempFB8C2FE1.doc,AP realtime deferred scanning,Actual action: Cleaned,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2019-09-19 10:23:17,Inserted: 2019-09-19 10:27:41,End: 2019-09-19 10:23:18,Last update time: 2019-09-25 08:22:28,Domain: Default,Group: My CompanyClient PCsWindows Laptops,Server: symantec,User: xxx,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: outlook.exe,Prevalence: Unknown,Confidence: This file is untrustworthy.,URL Tracking Status: On,,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Not on the permitted application list,Application hash: 44193897B15E5B25ABD4FDAEC44923B9B44EEF2D49B330934BC47F91D6A82107,Hash type: SHA2,Company name: ,Application name: FB8C2FE1.doc,Application version: ,Application type: 127,File size (bytes): 327040,Category set: Malware,Category type: Heuristic Virus,Location: On Network