Hi,
Symantec Endpoint Protection Manager (SEPM) is just a management console. SEP client takes an action as per virus definitions.
It's not possible to configure SEPM/SEP client to delete .bat files
If looking to have more control on end user machine, can configure application learning, system lockdown etc.
The Windows Symantec Endpoint Protection client monitors and collects information about the applications and the services that run on each computer. You can configure the client to collect the information in a list and send the list to the management server. The list of applications and their characteristics is called learned applications
Configure the management server to collect information about the applications that the client computers run.
See Configuring the management server to collect information about the applications that the client computers run.