Endpoint Protection (SEP) 16 has a command line utility called agentcli.exe which can be used to modify a select few agent settings as well as operate DoScan.  The default location is:

C:\Program Files\Broadcom\Endpoint Security Agent\CurrentVersion\bin64

SEP  16

To run any of the following commands, open a command prompt and navigate to the folder which contains agentcli.exe

C:\Program Files\Broadcom\Endpoint Security Agent\CurrentVersion\bin64

Then run the desired commands below

Disable Deferred Scanning

agentcli policy override malware_protection.autoprotect.deferred.enabled=false

Disable AMSI Scan

To disable Antimalware Scan Interface

agentcli policy override malware_protection.autoprotect.amsi=false

Disable Command Line scanning

agentcli policy override malware_protection.autoprotect.cmd_line=false

Using DoScan

agentcli doscan options

The scan will be logged in the client Security Log.

Options:

-h [ --help ]         Produce this help message
--scan arg            Scan a file and/or folder path.  Repeat this option for additional paths.
--scan_all_volumes    Scan all logical volumes
-c [ --cmdlinescan ]  Run a default active scan
-p [ --poll_scan ]    Reports if a scan is currently running
-q [ --cancelall ]    Cancel all running and scheduled scans

Additional agentcli options

For additional agentcli commands visit this TechDoc

Symantec Endpoint Protection product Windows Command-Line Options

SEP 14.3.x version of these same settings

• Disable AMSI (Antimalware Scan Interface) and/or command-line scanning due to false positive detections
• How to disable deferred scanning feature in Auto-Protect
• Scan Endpoint Protection clients from a command-line with DoScan.exe