Thanks for the link to the article. DLP does exclude this directory; SEP found the malware. I was just wondering what was generating the data in the temp\buffer folder (i.e., was this something DLP found on an endpoint and was temporarily storing in the buffer before the incident was generated, etc.).