Symantec Endpoint Protection (SEP) clients installed on a 64-bit Operating System do not honor Tamper Protection exclusions when a path variable such as [PROGRAM_FILES] is used.

This problem is fixed in Symantec Endpoint Protection 12.1 Release Update 3 (12.1 RU3). For information on how to obtain the latest build of Symantec Endpoint Protection, read ‘Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control’

Should it not be possible to upgrade immediately, do not use the predefined variable in the Exceptions policy.  Use instead the full location path to the file that needs to be excluded.