In the Virus and Spyware Protection settings of Symantec Endpoint Protection (SEP), you have set the action when a risk is detected to Leave alone (Log only). However, when you right-click the folder or file, and then click Scan for Viruses, the manual scan deletes malicious files, regardless of your predefined action setting.

This behavior is by design.

Symantec Endpoint Protection has several types of scans, which fall into two categories:

• Simple scan: A simple scan performs an immediate check against the system when you request it manually on the Symantec Endpoint Protection client computer. This category of scan has no configuration options, and includes manual (right-click) scans, and the Active Scan and Full Scan that you launch from the Scan for Threats pane on the client.
   
• Configurable scan: As the name suggests, a configurable scan performs a check against the system, and has configuration options associated with it. This category includes on-demand scans, scheduled scans, startup scans, and Auto-Protect scans.

While the Virus and Spyware Protection Settings show some global settings that are shared among all types of scans, such as the exception list and log retention, some actions only apply to specific types of scans. For example, on the Auto-Protect tab, the settings you see when you click Actions only affect the Auto-Protect scan.

Since a manual scan is a simple scan, you cannot customize the actions it takes when it detects a risk. The default values are always Clean risk for primary action, and Quarantine risk for secondary action.

A simple scan is meant to be the most basic of scans, but this intent may cause some confusion. A future release may introduce global settings for all scan types.