Not much to update and in the same boat here as everyone else.
I have logs in my gateway firewall that indicate 61.216.2.13 as the source attempting to scan our external IPs. SEP IPS obviously blocked it, so there was nothing going back. I still feel this was initiated from 61.216.2.13 (and is a false positive, as the system is not truly infected IMO), but without seeing how the IPS rule is written, I don't have a solid answer.