As an aside, while it's worth investigating the Protection Engine, I personally reckon it's more likey that the threat files are being created by one or more infected client machine(s).
If this is the case, then you may want to look into some of the auditing options avialable on the Cellera to help you track down who/what's creating the threat files. Lots of results on the interweb available regarding file auditing and your device.