Seems like you should be able to differentiate between legitimate and malicious behavior. For example, my users can't save attached images or scans to their own folders. That leaves me the choice of either unprotecting the folder or allowing the file which, as you have just observed, can run malicious code.
Same type of thing here. 2 hosts on a network I've been brought in to look after report in on c:\windows\system32\Sihost.exe and a DLL in C:\windows\syswow64
Fsecure seems to detect and block, but doesn't seem to take the process any further, so some days I'll get a flurry of reports, on others, maybe I won't get any. What to do to take the cleaning process to actually rooting this thing out--if an infection-- or determining if it's safe and simply allowing it?
F-Secure Protection Service for Business has identified the following security incidents:
Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1
Mon, 21 January 2019 16:50:33 UTC|Khorshidi Law Firm, APC|PC||Blocked|infectionalert.type.7|C:\Windows\System32\sihost.exe|
That's all for now. Thanks!