When a file is selected for deletion in Advanced Threat Protection (ATP), it is not actually deleted, but will be Quarantined by the selected Endpoint.
The "Delete File From Endpoints" dialog mentions this:
When a file is selected to be deleted in ATP, the following will occur:
The Client's Symantec Endpoint Protection Manager (SEPM) will issue an Evidence of Compromise (EoC) Scan to find the selected file:
The SEP Client receives the command on its next heartbeat:
The Client sends the first results back to SEPM. SEPM issues the Quarantine command via the same EoC mechanism:
The SEP Client runs the second EoC command and Quarantines the file:
If the file was Quarantined in error, it can be restored from the SEP Client's Quarantine: