Hello,
I appreciate that you have already Hardened Symantec Endpoint Protection by Application and Device Control.
I alsoAgree with Greg.
Tamper protection is a Protection for the SEP clients itself. Make sure the Tamper Protection Policy is Enabled and locked down from the SEPM. Check the Screenshot.
Tamper Protection can be enabled or disabled in a Group's General settings
1. In the Symantec Endpoint Protection Manager (SEPM), on the left hand side, click Clients.
2. On the Policies tab, under Settings, click General Settings.
3. On the Tamper Protection tab, check (or uncheck) "Protect Symantec security software from being tampered with or shut down".
NOTE: You must lock the lock icon in order to change the client settings or the option is still available on the client machines to enable or disable Tamper Protection.
If FakeAV just calls "taskkill /F /IM smc.exe", The Tamper Protection will protect it and will provided a popup on your Screen in regards to the Tamper Protection.
About the FAKEAV, let me share some Symantec Knowledgebase Articles.
Does Symantec Endpoint Protection protect me from fake anti-virus programs?
http://www.symantec.com/business/support/index?page=content&id=TECH122898&actp=search&viewlocale=en_US&searchid=1301048638543
SEP and Norton Network Threat Protection/IPS Signature Naming Improvements
http://www.symantec.com/business/support/index?page=content&id=TECH152794&actp=search&viewlocale=en_US&searchid=1301048638543
A Good Symantec Forums Thread tells more:
Turning up settings in SEP to deal with fakeav
https://www-secure.symantec.com/connect/forums/turning-settings-sep-deal-fakeav
and Last not the Least, Check this Symantec Article which tells a way out, inworst situation, if anything happens.
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec