During the upgrade, the policies that are currently in place will be saved and transitioned over without issue. All policies will stay in place in fact.
Assuming the attacker didn't disable or remove SEP then yes, whatever policy it has applied to it would remain in place.