From the context, my first thought was something like a centralized server providing anti-virus software and/or updates hosts on the internal portion of the network.

Considering the timeline (within the last month or two) and the recently discovered issues in antivirus products from multiple vendors, I think that this scenario (or something similar) is, at the least, plausible.

A compromised UTM firewall would not be unheard of either.