SES Files show as Very Low Risk but intensity of 1 > Detected as malicious in Sandbox
Article ID: 367182

Products

Endpoint Security Complete

Issue/Introduction

In the Symantec Endpoint Security ICDm console, when reviewing discovered items > Files, some files are shown as Very Low Risk but with an intensity of 1. If such a file is submitted to the Sandbox for additional scrutiny, it is flagged as malicious. Why are these files not flagged initially?

Resolution

The security summary shown in the console is based entirely on file insight, which is reputation information collected from multiple sources, including threat feeds. If you review the details of such a file, you will see that it has not been seen widely and that its reputation is unproven; this reputation will change over time as the file is seen more widely. For a file with low global prevalence, submitting it to the Sandbox runs a set of tests on the file in a sandbox environment, performs a detailed analysis of its behavior, and re-rates the file accordingly. Submitting files to the sandbox is an intensive operation, so it is not done for every detected file in the environment.