Endpoint Protection

  • 1.  doscan command line scanner

    Posted Jun 13, 2014 12:58 PM

    I am attempting to use the doscan.exe utility to scan files via a batch file. Batch file is posted at the bottom. The batch file is designed to kick off the doscan /scanfile command and give me an output of 0 or greater to determine if the file is suspicious.  Anything greater than 0 means suspicious.  The error level is thrown into a work flow depending on the output.  Currently, my issue is that doscan just deletes the test virus signatures (EICAR) I scan and always returns a value of 0.  I was able to make this work with McAfee's CLI, but would like to get this to work here.  Is there any switch or anything to get doscan.exe to "log only" and not automatically delete the file?  Any advice is appreciated.  Thanks.

    The batch file looks like this:

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection>type testscan.bat
    @echo off
    doscan /ScanFile test.txt
    echo %ERRORLEVEL%

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection>testscan.bat
    0
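    A wrapper around the batch file above, added here as an example and not part of the original post: it scans a copy of the file so that doscan's default action cannot remove the original, and it treats the copy disappearing after the scan as a detection even when ERRORLEVEL stays 0. The SEP install path and the exit-code meaning (0 clean, greater than 0 suspicious) are assumptions taken from the post.

```batch
@echo off
rem Added example, not from the thread. Assumptions: doscan.exe lives in the SEP
rem directory quoted in the post, ERRORLEVEL 0 means nothing found and >0 means
rem suspicious (as the poster states), and doscan's default action removes a
rem file it detects (the behaviour the poster observed with EICAR).
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<file-to-scan^>
    exit /b 2
)
set "SEPDIR=C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"
set "SCRATCH=%TEMP%\doscan_check"
if not exist "%SCRATCH%" mkdir "%SCRATCH%"

rem Scan a copy so the original is never the file doscan deletes or quarantines.
copy /y "%~1" "%SCRATCH%\%~nx1" >nul || (
    echo could not copy "%~1" to "%SCRATCH%"
    exit /b 2
)

"%SEPDIR%\doscan.exe" /ScanFile "%SCRATCH%\%~nx1"
set "RC=%ERRORLEVEL%"

set "VERDICT=clean"
if %RC% GTR 0 set "VERDICT=suspicious"
rem The failure mode from the post: the file is removed but RC is still 0.
rem A copy that no longer exists after the scan counts as a detection.
if not exist "%SCRATCH%\%~nx1" set "VERDICT=suspicious"

echo %~1: verdict=%VERDICT% doscan_rc=%RC%
if exist "%SCRATCH%\%~nx1" del /q "%SCRATCH%\%~nx1"

rem Exit code for the calling workflow: 1 = suspicious, 0 = clean, 2 = usage/copy error.
if "%VERDICT%"=="suspicious" exit /b 1
exit /b 0
```

    The original file is left untouched in both outcomes; the workflow that consumes the exit code decides what to do with it.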




  • 2.  RE: doscan command line scanner

    Posted Jun 13, 2014 01:03 PM

    Log only option does not exist, it will scan, take action, then log the activity

    http://www.symantec.com/business/support/index?page=content&id=TECH104287



  • 3.  RE: doscan command line scanner

    Posted Jun 13, 2014 01:22 PM

    No such ability:

    https://www-secure.symantec.com/connect/articles/doscanexe-sep-antivirus-scans-command-prompt-introduction



  • 4.  RE: doscan command line scanner

    Posted Jun 13, 2014 02:47 PM

    Does Symantec offer any product that will allow me to scan a file or folder from a command line, but let me specify what action to take depending on what is found in the file or folder?  For example, scan and quarantine or log only.



  • 5.  RE: doscan command line scanner

    Posted Jun 13, 2014 03:01 PM

    They do not



  • 6.  RE: doscan command line scanner

    Posted Jun 16, 2014 12:23 PM

    I appreciate the feedback.  It sounds like I may be out of luck.  I know I can launch symhelp from a cmd line.  I can then go into Run Threat Analysis Scan > Advanced > and point to a specific file I want to be scanned, but can I turn off the basic scan when I do this?  Basically, I just want to be able to scan one file or folder and have the product let me know if it is suspicious before deleting it by quarantining it.

    I was reviewing the symhelp cmd line switches and I don't see what "-lpa" and "-spe" do:

    http://www.symantec.com/business/support/index?page=content&id=TECH170732&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D140293117969732LZ4fEI03S129R7VcxGGZCU1pn4i7lx02Xut

       

             -lpa (exclusive: takes precedence over all other command-line scan options)
             -spe (exclusive: takes precedence over all other command-line scan options except lpa)



  • 7.  RE: doscan command line scanner

    Posted Jun 16, 2014 12:33 PM

    lpa is load point analysis and spe is Symantec Power Eraser...they've been superseded by the threat analysis scan.

    Correct, there is no way to just "alert" on suspicious files



  • 8.  RE: doscan command line scanner

    Posted Jun 17, 2014 10:13 AM

    I may be able to use Symhelp or doScan to scan incoming FTP files, but I am worried about false positives being deleted.  I guess the incidence of that is very low.



  • 9.  RE: doscan command line scanner

    Posted Jun 17, 2014 11:29 AM

    If you're looking for something to scan files being uploaded to you from (potentially) unknown sources, then I'd recommend you look at the protection engine product (for NAS/Cloud Services).

    http://www.symantec.com/protection-for-sharepoint-servers
    http://www.symantec.com/protection-engine-for-cloud-services

    #edit#

    BTW, SPE can be leveraged using its SDK to integrate with lots of stuff:

    http://www.symantec.com/docs/DOC7187