Either the malware modifies the finance software, and is executed as part of the finance software, but the checksum for the software is now different and can't run.
Or: The executable malware code is separate and only triggered by the finance software, which will fail to execute it, because the malware isn't a whitelisted application.
At any rate, the malware would never be able to escape beyond the finance software computers. This means that yes you could have some issues with invoicing, new orders and so on, but you most likely didn't have to shutdown ports, because the computers there aren't allowed to run the finance software.
Either the malware modifies the finance software, and is executed as part of the finance software, but the checksum for the software is now different and can't run.
Or: The executable malware code is separate and only triggered by the finance software, which will fail to execute it, because the malware isn't a whitelisted application.
At any rate, the malware would never be able to escape beyond the finance software computers. This means that yes you could have some issues with invoicing, new orders and so on, but you most likely didn't have to shutdown ports, because the computers there aren't allowed to run the finance software.