NetApp logs indicate an authentication rejection of the Symantec Protection Engine (SPE) domain computer account despite the Symantec Protection Engine service being configured to use your designated privileged user account for scanning.
SPE is not configured to use local system and the computer account is not a privileged user for the Vserver active scanner pools.
You need to determine if Protection Engine is creating this rejected request.
<netapp device> ERROR Nblade.vscanBadUserPrivAccess: For Vserver "SPE-SCANNER", the attempt to connect to the privileged ONTAP_ADMIN$ share by the client "10.10.10.10" is rejected because its logged-in user "DOMAIN\SPE-SCANNER$" is not configured in any of the Vserver active scanner pools.
Gather a packet capture/trace and Procmon log of the authentication attempt. You can download procmon from Microsoft's website.
Packet Capture/Trace Analysis (instructions based off Wireshark)
Following these steps, you should be able to determine if Protection Engine is making authentication requests using the server's domain computer account. If a program other than symcscan.exe is accessing the file using the "SYSTEM" user account, please contact the program's creator to determine why it is doing so.