Hello All,

I am currently using Kaspersky Endpoint Security for Windows 10 (10.3.3.275) (business advanced).  

The virus report (trimmed by the IT admin) has the below log for a VIP user:

To further our understanding of the behaviour of the KES product, we have drawn the following inferences from only a limited piece of information.

  1. The user tried to download a .doc file from the Internet (into the Downloads folder).
  2. Eventually, the PDM module in KES was triggered because the .doc file contains code to exploit the system.
  3. The exploit action in the doc made use of wmiprvse.exe, and it was actually “BLOCKED”, as shown in the actual action of the first row.
  4. The second row's actual action shows “untreated”, which means that the user clicked “SKIP” (Advanced Disinfection is ON); hence the file is unprocessed and remains in its original location. (P.S. the console log showed the user clicked “SKIP”.)
  5. The subsequent full scheduled scan does not have any findings.


My questions are:

  1. Please confirm whether my understanding above is correct.
  2. Are the logs (Row 1 and Row 2) connected? (They occurred within 1 second of each other.)
  3. Why does KES allow the user to click “SKIP”? Is there any system setting that allows the user to do so, or does it allow the user to select the action by default?
  4. In this case, if that doc file is not opened, the system will not get infected anyway?
  5. Will such an unprocessed file be included in the next full system scan?
  6. The subsequent full scheduled scan does not have any findings (no threat detected). Does that mean the PC has no further risk at all?
  7. What is the best recommended handling procedure for this case?
  8. Does “Unknown application” mean KES is unable to recognize the file type (not in the black list nor the white list of applications)?


I am looking forward to a Kaspersky expert giving any insight on my case. Thank you very much.
