In theory, any of the SEP client versions will detect and remove a CryptLocker variant (depending upon the defs on the client) using the AV Component.
In addition to AV, the below blog suggests IPS blocks how CryptLocker grabs the public key in order to do the encrytion:
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace
This hopefully means that even if you get hit by an unknown variant of Cryptlocker, it cannot execute its payload.
Not to mention the A&DC policy to block executable files from launching if they are in the usual cyptlocker location:
https://www-secure.symantec.com/connect/forums/cryptolocker-and-adc-policies