I would strongly check the Event Viewer and find the date & time of the install and also the uninstall - see which service/user is doing the uninstall. Then work from that point. If you think it's SEP doing the uninstall itself, then raise a case with Symantec support with your findings.
However I think it's somethinhg else is going on within your network which you need to investigate and resolve it.
I'm keen to know what you have found, so please report back with your findings.
Good luck.