SOLVED

Virus alerts


I received the following email from our security team about a virus alert they are getting from one of our SP2013 App servers:

 

I am getting continuous alerts for this.  I mapped a drive and checked via command line and do not see this file, so it must be getting pulled in repeatedly by a process.  Can you tell where this is coming from?

  

Risk name: Exp.CVE-2017-0199!g1
File path: D:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications\554caeca-460e-4110-b260-91749937a6e1-crawl-0\gthrsvc\ad\0x50dad.docx
Event time: Sep 24, 2018 8:08:30 AM
Database insert time: Sep 24, 2018 8:10:58 AM
Source: Real Time Scan
Description:
User: xxx
Computer: xxx
IP Address: xxx

 

I assume that this is a file that is getting indexed, and it gets written to that folder as the index processes it, and then it goes away after it was indexed.

 

Can anyone tell me how I could trace that back to a file in the SP farm?  I assume the "0x50dad.docx" name is a temp name of some kind.  Or is it?  I don't know enough about the inner workings of SP indexing to know how that process works.

 

He sent me another email saying that this alert has triggered over 50 times now since last week.  

 

Thanks for your help.

Ted

 

1 Reply
best response confirmed by Ted McLaughlin (Brass Contributor)
Solution
It might be simpler to just have the AV product quarantine or take a copy of the file, and take a look at the contents of it, in order to work out where in SharePoint it came from.

Has the security team confirmed what virus has been detected? (I've seen false positive detections for crawl locations in the past)
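Once a copy of the quarantined .docx is in hand, the two things worth pulling out of it are its core properties (title, creator, which give search terms for the SharePoint content) and whether it actually carries the pattern that CVE-2017-0199 detections fire on: an oleObject relationship in a .rels part with TargetMode="External" pointing at a remote target. The script below is an added example, not code from the thread or from SharePoint; it builds a constructed sample package in memory (the relationship target, title and creator are made up) and then inspects it the way one would inspect the file taken from the crawl temp folder. Ordinary hyperlink relationships are also marked External in a normal document, so only the oleObject type is treated as suspicious, which is the check that separates a real hit from the false positives the reply mentions.

```python
"""Inspect a .docx copied from a crawl temp folder for the CVE-2017-0199 pattern.

Added example for this thread; the sample document built here is constructed
and its names/targets are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(ole_link: bool = True) -> bytes:
    """Constructed sample: a minimal OOXML package (not a real document).

    With ole_link=True the main part carries an external oleObject relationship,
    the shape CVE-2017-0199 detections key on; with ole_link=False it carries an
    ordinary external hyperlink instead, which is benign.
    """
    rel_type = OLE_REL if ole_link else LINK_REL
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{rel_type}" '
        'Target="http://example.invalid/payload.hta" TargetMode="External"/>'
        '</Relationships>'
    )
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        '<dc:title>Q3 invoice</dc:title><dc:creator>jdoe</dc:creator>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Return core properties plus every external relationship in the package.

    creator/title are what to search for in the farm; external_links lists
    each External-mode relationship with the part it lives in and its type.
    """
    report = {"creator": None, "title": None, "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            report["creator"] = root.findtext(f"{{{DC_NS}}}creator")
            report["title"] = root.findtext(f"{{{DC_NS}}}title")
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    report["external_links"].append({
                        "part": name,
                        # last path segment of the Type URI: oleObject, hyperlink, ...
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return report


def is_cve_2017_0199_pattern(report: dict) -> bool:
    """True only for external oleObject links; external hyperlinks are normal."""
    return any(link["type"] == "oleObject" for link in report["external_links"])


if __name__ == "__main__":
    for flag in (True, False):
        rep = inspect_docx(build_sample_docx(ole_link=flag))
        print(rep, "->", "SUSPICIOUS" if is_cve_2017_0199_pattern(rep) else "benign")
```

To run this against the real file, read the quarantined copy with open(path, "rb").read() in place of build_sample_docx(). If the AV product deletes rather than quarantines, a FileSystemWatcher (or the AV's own copy-on-detect option) on the gthrsvc folder is the practical way to grab the file before the crawler removes it; the temp file name itself says nothing about which SharePoint item it came from, so the creator and title inside the package are the usable leads.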