Delay in risk file deletion by Endpoint Protection on Linux

Article ID: 426977

Products

Endpoint Protection

Issue/Introduction

While running an EICAR test on a Symantec Endpoint Protection (SEP) Linux client, a delay in file risk detection is observed.
On the first attempt it takes around a minute to detect and delete the file; on the very next attempt the file is detected within seconds.

Cause

A connectivity issue with Symantec's cloud reputation server, which the client queries for file hash lookups.

Resolution

During an Auto-Protect (AP) scan, the SEP client attempts to connect to Symantec reputation servers for file hash lookups.
If the system has no internet access, or the connection to the reputation server fails, the query times out, which significantly slows down scan operations.

On the affected system, connectivity can be tested with the commands below:
    curl -v --connect-timeout 10 https://ent-shasta-rrs.symantec.com/ping/stargateping
    nslookup ent-shasta-rrs.symantec.com

If a firewall or proxy is used in the network, verify that it allows outbound HTTPS (port 443) connections to *.symantec.com.

For air-gapped or isolated network deployments, the Antimalware.ini configuration file can be modified as follows to prevent cloud reputation query timeouts.

  1. Stop the sisamddaemon service:
    systemctl stop sisamddaemon
  2. Edit the configuration file:
    vi /opt/Symantec/sdcssagent/AMD/etc/Antimalware.ini
  3. Change the detection mode setting
    from
    scanner.detection.mode=4
    to
    scanner.detection.mode=3
  4. Start the sisamddaemon service:
    systemctl start sisamddaemon

Note: To maintain detection efficacy, it is highly recommended to ensure that Virus definitions are kept up-to-date on the offline system using offline LiveUpdate or manual definition updates.
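The connectivity check and the Antimalware.ini change above, combined into one script as an added example (not Symantec's own tooling). It uses the article's paths, hostname and service name; the `.bak` backup copy and the function names are assumptions of this example, and it only rewrites the `scanner.detection.mode` key, leaving the rest of the file untouched.

```shell
# Added example: automate the reputation-server check and the Antimalware.ini
# change from this article. Paths, hostname and service name are the article's;
# the .bak backup suffix and function names are assumptions of this example.
INI="${INI:-/opt/Symantec/sdcssagent/AMD/etc/Antimalware.ini}"
RRS_HOST="ent-shasta-rrs.symantec.com"

# Returns 0 when the reputation server answers its ping URL within 10 seconds.
reputation_reachable() {
    curl -sS -o /dev/null --connect-timeout 10 --max-time 20 \
        "https://${RRS_HOST}/ping/stargateping"
}

# Prints the current scanner.detection.mode value (empty when the key is absent).
current_mode() {
    sed -n 's/^[[:space:]]*scanner\.detection\.mode[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rewrites scanner.detection.mode to 3 in the given file, keeping a .bak copy.
# Returns 0 when changed, 1 when already 3, 2 when the key is missing.
set_offline_mode() {
    local ini="$1" mode
    mode="$(current_mode "$ini")"
    [ -n "$mode" ] || return 2
    [ "$mode" != "3" ] || return 1
    cp -p "$ini" "$ini.bak"
    sed 's/^\([[:space:]]*scanner\.detection\.mode[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\13/' \
        "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Entry point for an air-gapped client; run as root. Not invoked automatically.
apply_offline_mode() {
    local rc=0
    if reputation_reachable; then
        echo "Reputation server reachable; detection mode left unchanged."
        return 0
    fi
    echo "Reputation server unreachable; switching scanner.detection.mode to 3."
    systemctl stop sisamddaemon
    set_offline_mode "$INI" || rc=$?
    systemctl start sisamddaemon
    case "$rc" in
        0) echo "Updated $INI (backup at $INI.bak)." ;;
        1) echo "$INI already has scanner.detection.mode=3." ;;
        *) echo "scanner.detection.mode not found in $INI; edit it manually." >&2 ;;
    esac
    return "$rc"
}
```

Call `apply_offline_mode` on the affected client to run the whole procedure; `set_offline_mode` can be tried on a copy of the file first to confirm the edit does what is expected.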


Additional Information

Sources to update Endpoint Protection clients that are installed on Linux OS