I'm going to go against the flow here and say that, unfortunately, you cannot prevent access to the network without some form of enforcement.
While SNAC on it's own can easily detect if there is an AV client installed (as per the above posts), it cannot (by itself) block network access. For the blocking of network access, you need at least one of the below:
- SEP Client (including the Firewall) installed, but this immediately negates the SNAC check anyway so is irrelevant
- DHCP Enforcer
- Gateway Enforcer
- LAN Enforcer
- Integrated Enforcer for NAP
What SNAC can do, without any of the above, is to kick off an install of your preferred AV (in your case SEP), but it does mean you'd need to be in the odd position of having the SNAC client installed, but not the SEP Client.
The more common scenario admins look to remediate, is if neither SNAC nor SEP are installed. In which case, an enforcer (Gateway/Lan/etc.) is required. This kind of check and remediation requires you look into the full SNAC license.
Is this an option?