Exclusing Netlogon doesn't look a good idea.
As netlogon is shared to everybody if thats infected everybody's infected.
In SAV 10.x you had liberty to do so but not in SEP.Once you put it in centralized exception it is excluded from all scans.
Rather I would suggest you to Edit the IPS policy in SEPM go to Settings and Uncheck "automatically block attackers IP ........"
Run full scan and all make sure this computer is clean and you are not getting any IPS Pop-ups or IPS logs complaining about this server.
Set the IPS policy back to block attackers IP.