Qualys flags SEP (Symantec Endpoint Protection) 12.1 clients as vulnerable to SYM16-013 even though you have confirmed that the SEP clients have the latest IPS (Intrusion Prevention System) definitions and the latest CIDS (Client Intrusion Detection System) engine.
The Qualys vulnerability scanner was used to scan a PC.
Qualys checks the following registry value to determine whether a machine is vulnerable:
Key: HKLM\SOFTWARE\Wow6432Node\Symantec\SymNetDrv
Value: Version = 14.0.5.2
This particular value does not pertain to the version of the CIDS engine.
A more appropriate way to check whether the machine is vulnerable is to inspect the following registry keys and the version of the driver file they point to:
64-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVia64, and find the path to the driver in the ImagePath value.
32-bit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVix86, and find the path to the driver in the ImagePath value.
The ImagePath value points directly at the IDS driver file, which changes location each time the machine updates its IPS definitions.
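The check described above can be scripted as follows. This is an added example, not code from Symantec or Qualys: it reads ImagePath from whichever of the two service keys exists and reports the file version of the driver it resolves to. The -MinimumFixedVersion parameter is an assumption of the example; the article does not state the fixed CIDS version, so supply it from the SYM16-013 advisory. The function name and the path-prefix handling are likewise the example's own.

```powershell
# Added example: resolve the CIDS driver from the service ImagePath and report its version.
param(
    # Assumption: the fixed CIDS driver version, taken from the SYM16-013 advisory.
    [Parameter(Mandatory = $true)]
    [version]$MinimumFixedVersion
)

# Hypothetical helper: kernel-driver ImagePath values are often NT-style paths
# (\??\C:\... or \SystemRoot\...); convert them to a path Get-Item understands.
function Resolve-DriverImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^system32\\')      { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Service keys named in the article: 64-bit and 32-bit respectively.
foreach ($name in 'IDSVia64', 'IDSVix86') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\$name"
    if (-not (Test-Path $key)) { continue }

    # Read ImagePath on every run: the driver moves with each IPS definition update.
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
    $driver    = Resolve-DriverImagePath $imagePath
    if (-not (Test-Path -LiteralPath $driver)) {
        Write-Warning "$name ImagePath '$imagePath' does not resolve to an existing file"
        continue
    }

    # Build the version from the numeric parts; the FileVersion string may carry extra text.
    $vi = (Get-Item -LiteralPath $driver).VersionInfo
    $fileVersion = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    [pscustomobject]@{
        Service          = $name
        DriverPath       = $driver
        FileVersion      = $fileVersion
        AtOrAboveMinimum = ($fileVersion -ge $MinimumFixedVersion)
    }
}
```

A machine where neither key exists produces no output, which means no CIDS driver service is registered there rather than that the driver is current.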
Qualys reportedly resolved this issue in their software in early August 2016. If you still observe the issue described above, please work with Qualys to update the signatures or software responsible for the scan.