IPS Detections for Ghostnet Backdoor Activity are logged on a system that otherwise appears clean

Article ID: 165028

Products

Endpoint Protection

Issue/Introduction

Systems running Symantec Endpoint Protection (SEP) with Intrusion Protection enabled log detections for Ghostnet-related traffic. These detections are as follows:

  • Ghostnet Backdoor Activity attack
  • GhostNet Backdoor Activity 3

However, further inspection of the system suggests that it is clean, based on the following:

  1. The system is running the latest definitions, and a full scan of the system does not reveal any file-based risks.
  2. A Threat Analysis Scan detects nothing malicious.

The SEP client logs will show either of the following detections:

[SID: 27349] System Infected: GhostNet Backdoor Activity 3
[SID: 25912] System Infected: Ghostnet Backdoor Activity attack

Cause

If nothing suspicious has been detected on the machine, the detections were most likely triggered by inbound probes from an Internet-wide scanner such as Shodan rather than by an infection on the host. See the following article for reference: https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/
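The following added example (not Symantec's code) shows one way to triage these two signatures when reviewing an exported client log: detections where a remote host connected inbound fit the scanner pattern described above, while detections where the local host opened the Gh0st-style connection are how a real implant would behave and need a full investigation. The line layout and the sample log are constructed for this example; real SEP exports carry more columns.

```python
import re
from collections import Counter

# The two IPS signature IDs this article discusses; both match Gh0st RAT protocol traffic.
GHOSTNET_SIDS = {25912, 27349}

# Assumed (simplified) line layout for the constructed sample below:
#   "<timestamp> [SID: <n>] <signature name> dir=<in|out> remote=<ip>:<port>"
LINE_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?) dir=(?P<dir>in|out) remote=(?P<ip>[\d.]+):(?P<port>\d+)"
)

def parse_line(line):
    """Return (sid, direction, remote_ip) for a Ghostnet IPS line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m or int(m.group("sid")) not in GHOSTNET_SIDS:
        return None
    return int(m.group("sid")), m.group("dir"), m.group("ip")

def triage(lines):
    """Split Ghostnet detections by who opened the connection.

    'in'  : a remote host connected to us and sent Gh0st-looking traffic. With no
            file-based findings this is the scanner pattern the article describes.
    'out' : this host initiated the Gh0st-looking connection, which is how an actual
            implant beacons to its controller; treat it as an incident, not noise.
    """
    inbound, outbound = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, direction, ip = parsed
        (inbound if direction == "in" else outbound)[ip] += 1
    return {"inbound_probes": dict(inbound), "outbound_beacons": dict(outbound)}

# Constructed sample log excerpt (not real SEP output). 198.51.100.7 stands in for a
# scanner and 203.0.113.9 for a controller; both are documentation-range placeholders.
SAMPLE_LOG = """\
2017-04-20 10:01:02 [SID: 25912] System Infected: Ghostnet Backdoor Activity attack dir=in remote=198.51.100.7:51044
2017-04-20 10:01:03 [SID: 27349] System Infected: GhostNet Backdoor Activity 3 dir=in remote=198.51.100.7:51045
2017-04-20 10:05:44 [SID: 99999] Placeholder: unrelated signature dir=in remote=198.51.100.7:51090
2017-04-20 11:30:00 [SID: 27349] System Infected: GhostNet Backdoor Activity 3 dir=out remote=203.0.113.9:80
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```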

Symantec Security Response has reviewed these two signatures and has made adjustments in order to reduce false positives.

Resolution

Symantec Security Response released updated IPS signatures on 4/25/2017 that resolve this issue.