I also agree that the last screenie of the settings you posted looked correct. I'd be more inclined to target the group in which these endpoints reside rather than by name though.
On a related note though, have you tried disabling the "Delete EICAR events" option? This can be found under:
ADMIN -> Servers -> DB Server (localhost if using the embedded DB) -> Edit Database Properties -> Log Settings, then the Risk Logs Settings area
I suspect that might be messing with your tests.