SPE still deleting file even though it's configured for scan only when using ICAP

Article ID: 428667


Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

When files are sent to SPE for scanning through ICAP, they are still deleted or removed even though the configuration is set to scan only. The scan-only action may be set either in the ICAP request

SYMCSCANRESPEX-AV/?action=scan

or in the configuration file

<AVActionPolicy value="0"/>

Environment

  • Symantec Protection Engine 9.x
  • Scans sent via ICAP

Cause

This behavior is by design.

Resolution

This is specific to files being sent via ICAP to SPE. When a file is clean, part of the standard ICAP response can include the item sent for scanning. When SPE detects that a file is malicious, it will not return the file. This remains true even if the SPE is configured only to scan the file and not detect. If a scan determines the file is malicious, the file will not be returned via ICAP. Instead, a file is returned that contains a message stating the file was blocked. Below is an example of the default message when testing with EICAR.

<html><title>Content Blocked Notice</title>The content you just requested contains EICAR Test String and was blocked by the Symantec Protection Engine based on local administrator settings.  Contact your local administrator for further information.</html>
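
For an ICAP client integration, the behaviour described above means the returned body must be compared with what was sent before it is written back anywhere. The following is an added example, not Broadcom's code: it parses a raw ICAP response per RFC 3507 and reports whether the original item came back or a replacement (such as the block notice) did. The function names, sample file and sample responses are constructed for illustration.

```python
"""Added example: tell a returned original apart from a replacement body."""

def dechunk(data: bytes) -> bytes:
    """Decode the chunked encoding ICAP uses for encapsulated bodies."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        out += data[start:start + size]
        pos = start + size + 2  # skip the chunk data and its trailing CRLF

def classify_icap_response(sent: bytes, raw: bytes) -> str:
    """Return 'unmodified', 'replaced' or 'error' for one raw ICAP response."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    if status == 204:  # RFC 3507: no modification needed, nothing is sent back
        return "unmodified"
    if status != 200:
        return "error"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Encapsulated lists byte offsets of each part, e.g. "res-hdr=0, res-body=41"
    offsets = dict(p.strip().split(b"=") for p in headers[b"encapsulated"].split(b","))
    key = next((k for k in offsets if k in (b"res-body", b"req-body")), None)
    body = dechunk(encapsulated[int(offsets[key]):]) if key else b""
    return "unmodified" if body == sent else "replaced"

def build_sample_response(body: bytes) -> bytes:
    """Constructed ICAP 200 response wrapping `body` (sample data, not a capture)."""
    http = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = (b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http))
    return icap + http + chunked

# Constructed inputs: a harmless stand-in file and a shortened block notice.
SAMPLE_FILE = b"constructed sample file contents\r\n"
BLOCK_NOTICE = b"<html><title>Content Blocked Notice</title>constructed text</html>"

if __name__ == "__main__":
    print(classify_icap_response(SAMPLE_FILE, build_sample_response(SAMPLE_FILE)))
    print(classify_icap_response(SAMPLE_FILE, build_sample_response(BLOCK_NOTICE)))
```

A result of `replaced` only says the body differs from what was sent; the client should keep its own copy of the original if scan-only handling requires the file to remain available.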