After upgrading Endpoint Protection manager there are changes in validation used for policy files that can cause older policy files with certain keywords or phrases to no longer be valid. 

Symantec Endpoint Protection Manager 14.3 and newer.

The use of the following phrases in a file path or policy description will cause the policy validation to fail, and prevent it from being edited on the Endpoint Manager.

"<script", "/script", "<script", "%3cscript", "javascript:"

Note: Before following this procedure, it is strongly recommended to create a disaster recovery backup of your SEPM per the Disaster recovery best practices document.

To correct an affected policy file that contains the phrases mentioned, follow the steps below:

1. Login to the SEPM Management console
2. Click Policies and open affected policy type (Antivirus and Spyware, Exceptions, etc...)
3. Right-click the affected policy and select Export...
   • Specify a location to save the .dat and click Export
4. Open File Explorer and navigate to the location you saved the exported policy .dat file
5. Rename the policy from xxxxx.dat to xxxxx.zip then extract the main.xml file from within the newly renamed .zip file
   • Note: If you have a zip utility, such as 7zip installed you can just right-click on the .dat and choose "extract here"
6. Open the main.xml file and locate the entries that contain the invalid phrases: "<script", "/script", "<script", "%3cscript", "javascript:"
7. Remove the entire invalid entry from the policy file
   • For example an entry in an Exceptions policy main.xml will appear as the following:
     

     <OverrideItem Action="IGNORE" _d="false" _i="C465D0C20A9B11DF0071A766932348BC" _t="1626449660516" _v="4">      <SecurityRiskOverride ScanCategories="GESC_AP" _d="false" _i="82B5810D0A9B11DF0071A766613FF686" _t="1626449660516" _v="4">        <DirectoryOverride DirectoryPath="C:\ProgramData\XXXX\XXXX\scripts\" ExcludeSubDirectories="0" OSType="Windows" PrefixVariable="[NONE]" ScanType="GEPT_RISK" _d="false"_i="872FC1480A9B11DF0071A766B439711A" _t="1626449660516" _v="7"/>      </SecurityRiskOverride> </OverrideItem>

     You will remove the entire entry, including the opening and closing tags, from the opening tag "<OverrideItem Action=" to the closing tag of "</OverrideItem>"
8. Save main.xml then zip up the file
9. Rename the file to the original Policy name of the file
10. Rename the file extension from a .zip to a .dat
11. Return to the Policy tab in the SEPM under the correct Policy type
12. Under Tasks, choose Import Policy and navigate to and select the newly edited .dat
13. When prompted that the Policy already exists choose the "Overwrite existing policy" option and click OK

The policy will be updated and you will be able to be edit and save the policy and continue as normal in the SEPM console.