Here are few steps you can follow and try:
1) Create a .msi package. http://www.symantec.com/docs/TECH165483
2) Edit the setup.ini file within the package and add that option either at the end of the CmdLine option under the [Startup] section to look like:
CmdLine=/l*v "%TEMP%\SEP_INST.LOG DISABLEDEFENDER=0"
3) Push this package to one client to check if the same works:
SEP 11.x - Migration and Deployment Wizard: http://www.symantec.com/docs/TECH102907
SEP 12.1 - Add a Client Wizard: http://www.symantec.com/docs/TECH164327
Symantec Endpoint Protection installation software uses Windows Installer (msi) 3.1 packages for installation and deployment. If you use the command line to deploy a package, you can customize the installation. You can use the standard Windows Installer parameters and the Symantec-specific features and properties.
To use the Windows Installer, elevated privileges are required. If you try the installation without elevated privileges, the installation may fail without notice. For the most up-to-date list of Symantec installation commands and parameters, see the Symantec Support Knowledge Base article, MSI command line reference for Symantec Endpoint Protection
Another way is by checking the above Document.
The last line of the above document gives you an example of the command line:
setup /s /v"/l*v log.txt /qn RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS"
you can try changing the same to:
setup /s /v"/l*v log.txt /qn RUNLIVEUPDATE=0 REBOOT=REALLYSUPPRESS DISABLEDEFENDER=0"