Question on function of Endpoint Protection
Updated: 21 May 2010 | 6 comments
One of my managers was reviewing our SEP weekly risk report and asked an interesting question that I did not have a good answer for. Endpoint Protection will often detect known viruses during active or full scans and, because they are known threats, it will delete them. His question was: if these threats are known, how do they get past SEP and onto a protected machine in the first place? Why are they not blocked before they can be written to the computer?
Comments
2 ways.
1. The file was copied to the computer before the definitions existed for the threat; later the definitions were updated and caught it.
2. The threat uses a Windows vulnerability to copy itself to the machine, and we clean up afterwards.
Thanks Jeremy, those are good.
The other ideas I could come up with are:
1. The threat was multiple layers deep in a compressed file and then extracted.
2. An unknown threat created or downloaded the item onto the computer.
Yep, those are all possibilities, but Jeremy's are probably the most likely. Though I have seen machines with a primary infection that was unknown that tries to download secondary files that are known.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
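The three mechanisms discussed in the replies above (definitions arriving after the file was written, a known file buried inside nested archives, and an unknown dropper fetching a known second stage) can be reproduced with a toy hash-based scanner. The code below is an added example written for this page; it is not Symantec's engine or any code from the thread, and its file paths, definition dates and payload bytes are constructed stand-ins. Nothing here is real malware: the "known threat" is a line of text whose SHA-256 has been put into a definition set.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a known malicious file: harmless text, not real malware.
SAMPLE_PAYLOAD = b"constructed sample payload - stands in for a known threat\n"
# Constructed stand-in for a dropper the vendor has no signature for yet.
UNKNOWN_DROPPER = b"constructed dropper - no definition exists for this file\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_zip(name: str, data: bytes) -> bytes:
    """Build an in-memory zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


class Definitions:
    """A dated definition set: SHA-256 hashes of files the vendor knows are bad."""

    def __init__(self, version: str, hashes=()):
        self.version = version
        self.hashes = set(hashes)


def scan_bytes(defs, data, path, archive_depth=0, depth=0):
    """Return the paths (archive members included) whose hash is in `defs`.

    Archives are only opened while depth < archive_depth, mirroring an engine's
    configurable archive-recursion limit: a hit two layers down needs depth 2.
    """
    hits = [path] if sha256(data) in defs.hashes else []
    if depth < archive_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits += scan_bytes(defs, zf.read(name), f"{path}/{name}",
                                   archive_depth, depth + 1)
    return hits


class Endpoint:
    """Toy endpoint: on-access scanning at write time plus an on-demand full scan."""

    def __init__(self, defs):
        self.defs = defs
        self.files = {}

    def write(self, path, data):
        """On-access check: only the definitions loaded right now can block a write."""
        if scan_bytes(self.defs, data, path):
            return False  # blocked before it reaches disk
        self.files[path] = data
        return True

    def full_scan(self, archive_depth=0):
        """On-demand scan with the current definitions; deletes any file with a hit."""
        detections = []
        for path, data in list(self.files.items()):
            hits = scan_bytes(self.defs, data, path, archive_depth)
            if hits:
                detections += hits
                del self.files[path]
        return detections


def scenario_late_definitions():
    """Case 1: the file lands before a signature exists; the next full scan catches it."""
    ep = Endpoint(Definitions("2010-05-01"))            # nothing known yet
    ep.write("C:/Users/bob/payload.exe", SAMPLE_PAYLOAD)  # passes on-access scanning
    ep.defs = Definitions("2010-05-08", [sha256(SAMPLE_PAYLOAD)])  # definitions updated
    return ep.full_scan()  # this is what shows up as a "known threat deleted" in the report


def scenario_nested_archive():
    """Case 2: a known file two archive layers deep is invisible until the engine
    recurses deep enough or the user extracts it (on-access then blocks the write)."""
    ep = Endpoint(Definitions("2010-05-08", [sha256(SAMPLE_PAYLOAD)]))
    outer = make_zip("inner.zip", make_zip("payload.exe", SAMPLE_PAYLOAD))
    result = {"archive_write_accepted": ep.write("C:/Downloads/outer.zip", outer)}
    result["scan_one_layer"] = ep.full_scan(archive_depth=1)  # opens outer.zip only
    result["extracted_write_blocked"] = not ep.write("C:/Downloads/payload.exe", SAMPLE_PAYLOAD)
    result["scan_two_layers"] = ep.full_scan(archive_depth=2)
    return result


def scenario_unknown_dropper():
    """Case 3: an undetected dropper writes a known second stage. The known file is
    blocked (and reported), but the dropper itself stays on disk and survives a full scan."""
    ep = Endpoint(Definitions("2010-05-08", [sha256(SAMPLE_PAYLOAD)]))
    dropper_written = ep.write("C:/Windows/Temp/svc.exe", UNKNOWN_DROPPER)
    payload_blocked = not ep.write("C:/Windows/Temp/stage2.exe", SAMPLE_PAYLOAD)
    return {"dropper_on_disk": dropper_written and "C:/Windows/Temp/svc.exe" in ep.files,
            "payload_blocked": payload_blocked,
            "full_scan": ep.full_scan()}


if __name__ == "__main__":
    print(scenario_late_definitions())
    print(scenario_nested_archive())
    print(scenario_unknown_dropper())
```

The third scenario is the one to keep in mind when reading a weekly risk report: a detection of a known file proves the definitions worked at that moment, not that the machine is clean, because whatever wrote the file may still be present and unknown to the scanner.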
Functionality of Endpoint
I would also like to add that these threats are disguised and attach themselves to the core Windows folders. Therefore they cannot be cleaned at the initial stage, as that could damage the OS.
You also mentioned that if SEP is installed successfully then it should take care of the present infection. This would be possible if SEP has the latest definitions installed. Initially, when you install SEP, it will have definitions dated somewhere near when the product was released; if the virus was detected after that, the subsequent definitions would have a fix for it, and therefore we will have to download and install the latest definitions to take care of the infection. Once this is done we need to perform a FULL scan on the infected machine and it should clear the infection. In the worst case, if it still does not clean or detect the infection, you can send samples of the infection to the Security Response Team; they would analyze it and, if required, create new definitions for it and release them. The Antivirus & Anti-Spyware definitions are updated and released on a daily basis.
Thanks & Regards Sandip C Sali
This is one of the instances which was given to me as an example to investigate.
The user instigated the incident by clicking on a spam (phishing) email. Symantec detected some threats and gave a warning but didn't necessarily stop the entire infection. The computer began having issues. A full scan detected and deleted 'Infostealer.Banker.C' but could not repair all of the problem. Additional threats or items were cleaned by a third-party anti-malware tool. The user's profile had to be deleted and Microsoft Office had to be uninstalled and reinstalled to regain full functionality on this computer.
Obviously SEP isn't perfect, especially with users opening emails and clicking on links that are malicious. However, a lot of effort was required to repair the issue. The question that was posed to me, which I am trying to get clarification on, is why couldn't SEP stop the identified infection in this case? Is it like sandip_sali explained above, that the risk was attached to an OS file that could not be deleted without harming the system? We are just trying to understand the process of the infection so we can determine if there are other actions we should take to protect ourselves, other than the obvious of trying again to better educate our users.
From some of the documentation on this case:
---------------------------------------------------------------------------------------------------------------------------------------------
Client received the Microsoft Update spam email - he clicked on it and went to the website and clicked on various links. Computer is having issues now. Client has received Symantec security risk detected messages ever since he clicked through to the spam website.
Symantec Endpoint Protection detected the files but did not remove them.
were discovered. SEP deleted two items and the other two were not available, which means they may still exist on the computer. After the Malwarebytes scan I will run another scan.
------------------------------------------------------------------------------------------------------------
Malwarebytes detected additional items that were removed from the computer. The local user profile had to be deleted and MS Office had to be uninstalled and reinstalled to regain full functionality.
I also use Malwarebytes to remove stuff SAV/SEP doesn't at home if I have an issue.
But on the whole I am pleased and happy with SEP, in that most gets caught before it can do any damage. It is also a lot broader than MWB, and in a CORPORATE environment, where we already have mail filtering/scanning, ISA proxies, DMZs, heavily locked-down desktops and Internet usage for users, etc., we have not had a virus outbreak using the Symantec products in approx. 5 years.
I am not a fanboy, but the things you mention could be down to that specific virus your user encountered and your environment. Other AV products are likely to have given you a similar outcome depending on the specific virus.
SEP has AV, Spyware, Proactive (device control) and Network Threat Protection (firewall, etc.) components - malware would be covered to a degree across the AV/spyware segment, but a malware-specific app is likely to pick up more malware-infected files. In the same way Spybot, for example, would pick up more spyware than a pure AV product such as AVG.
So, this conversation is leading a certain place: YES, it would be good if SEP had wider detection around malware and malware definitions, but just look back at SAV, which was only really AV - it didn't do too much with spyware. Maybe a future version will have it, but as it stands I don't think ANY product on the market can capture every type of infected file.
Hackers and virus creators are also getting more creative, which means AV software is getting heavier and more granular - there is also more they have to catch.
Maybe look at your Exchange/Domino AV/filtering and desktop build as well? It could give you more complete protection.
I share your pain though - helping some friends out, you end up doing all kinds of BS removing some virus - loads of apps, removal tools, hacking the registry, etc.