That's because doing an 'smc -stop' does not stop the auto-protection function.
What functions of the Symantec Endpoint Protection client are disabled by the smc -stop command?
Issuing the smc -stop command stops the Symantec Management Client (SMC.exe) and the Symantec Endpoint Protection service (ccsvchst.exe).
stopping SMC disables the following features:
- Client-Server communications
- Automatic content updates
- Client notifications
- The Network Threat Protection (NTP) Firewall
- The Client Intrusion Detection System (CIDS)
- Application Control
- Device Control
- Host Integrity
In your AV policy you need to either uncheck the box for auto-protect or open the lock so it can be disabled at the client end. Opening the locks for the various components with all allow you to right click the icon and 'Disable SEP'
When troubleshooting, you're best off creating a group in SEPM that allows you to disable components. When you're ready to troubleshoot just move the client into the custom group. When done then you can move it back to its regular group.