An attack occurred on your website that was blocked and logged in the Security Log file. Most likely a POST Request attack. ImunifyAV is a malware scanner. Malware scanners search for matching patterns and virus signatures. So ImunifyAV is seeing a matching pattern in the Security Log text file. I assume that since you are still seeing an ImunifyAV warning then it is showing what it found in the past and not what currently exists (until the next scan occurs).
To prevent this from happening in the future > Go to the Security Log page > POST Request Body Data > select this checkbox > Do Not Log POST Request Body Data (0KB) and uncheck the other 2 checkboxes if they are checked. Save your new settings.
That’s the thing, I can delete the log using the button on the security log page, then manually rescan the site and it pops again for some reason as being infected even though the log is empty. I verified those settings and they are already set as you stated by default. Maybe I’ll have to write a rule to skip this particular file in imunifyav?