In the Symantec Endpoint Protection Manager (SEPM), you have configured Centralized Exceptions for Macintosh clients. You find that the exclusions appear to hold for Auto Protect, but not for scheduled, manual or mount scans.

Symptoms

• Exclusion set per Symantec documentation (Centralized Exception Policy and Virus and Spyware Protection policy)
• EICAR test string is not intercepted when saved to excluded directory
• However, other scans--manual, scheduled, contextual--pick the file up.

This is expected behavior in Symantec Endpoint Protection (SEP) for Mac 12.1 RTM to 12.1.6 MP7. Centralized Exceptions do not apply to manual scans (launched manually, by schedule, or by the "Mount Scan" feature); they work only for AutoProtect. This is leftover behavior from Symantec Antivirus for Macintosh (SAV for Mac), where "SafeZones" applied only to AutoProtect. Macintosh scans that are scheduled from the SEPM are also an "all-or-nothing" proposition; you cannot work around the exceptions shortcoming by scheduling a selective scan from the SEPM.

With the release of SEP 14 RTM (14.0.1904.0000), the SEP for Mac client will now honor file and folder exclusions for AutoProtect scans as well as On-Demand (SEPM triggered) and scheduled scans.

A more customizable way of running manual or scheduled scans on SEP for Macintosh is to use the Symantec Scheduler (SEP Client GUI, Utilities menu->Symantec Scheduler) or the NAVX command line. These tools must be run locally on the SEP for Macintosh client and are not configurable from the SEPM:

Command line switches and use of NAVX command line utility for SAV/SEP for Macintosh

Guide to symsched Command-line Switches