Is it possible to create a rule in SEP to prevent users from writing binary files to a network share? i.e. Deny writes to \\server1\shared for *.exe, etc.
See if this helps:
https://www.symantec.com/connect/forums/sep-121-application-and-device-control#comment-11641471