What is the source IP of the attacker? Internal or external?
If internal, there would seem to be an affected machine still on your network somewhere...if external than SEP is doing its job by blocking.
In any case, SEP is still doing its job by blocking the attempted attacks.