You want to protect a file (or multiple files) from being written to or renamed. This can be done using the Application and Device Control policy of Symantec Endpoint Protection using the following steps.
Assign the Application and Device control policy to the groups you want to protect. Once the client checks in and gets the policy it should now protect those files. If Application and Device control was disabled previously the client may prompt for a reboot.