If you start to think a CN-supported device might have malware on it, always stop and ask the customer if they handle PII (personally identifiable information) before doing any scans. If they do handle PII, we have to follow a different process.
For details, see the workflow document linked on this article (the article itself hasn’t been written yet, but the diagram is done): https://oregonstate.teamdynamix.com/TDClient/KB/ArticleDet?ID=30821
If they handle PII, the InfoSec office wants to look at their machine to see how it was compromised, and whether any PII was disclosed. If it was, the university is obligated by law to notify the people impacted, and in some cases to pay damages. If we run anti-malware software, it causes problems for InfoSec’s forensics.
Let me know if you have any questions.