Hello MarcoCarlo and other followers of this thread,
Thanks for the query. There have been many detections seen on this signature worldwide in the past many weeks. Brian is correct in comparing this to the Ghostnet IPS detections triggered by Shodan's scan traffic. Though certain malware triggers the IPS signature 28665 "System Infected: Trojan.Backdoor Activity 179", it is also triggered by the traffic of the Jorgee vulnerability scanner. (This is not a False Positive: the traffic that the scanner is sending matches what certain malware does.)
Jorgee has been very active lately, as noted by other bloggers, and thus the many IPS SID 28665 events seen.
https://blog.paranoidpenguin.net/2017/04/jorgee-goes-on-a-rampage/
I recommend scanning any computer which is showing any "System Infected" IPS event. A full system scan by SEP should suffice or a Threat Analysis Scan from SymHelp. If there is actual malware on the computer, those scans should bring it to light.
Using Today's SymDiag to Combat Today's Threats
https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats
If the scan comes back clean, then the most likely explanation for the IPS SID 28665 events is that a vulnerability scan triggered the events.
The following article may help to clear up some confusion, too:
“SEP and Norton Network Threat Protection/IPS Signature Naming Improvements”
http://www.symantec.com/docs/TECH152794
Please do update this thread with any additional queries, or mark it solved if this has answered your question!