In this mode, the SWG is only able to see the traffic after it has been through the switch. That being the case, it can only tell you about a botnet connection after it has happened and so cannot block it. The same goes for why it cannot block file download and the like in SPAN/TAP mode.
#EDIT#
If it's inconsistent behaviour you're seeing, is it possible your SWG is overloaded? This sort of behaviour is covered for URL filtering in the below article:
http://www.symantec.com/docs/TECH163340
#EDIT2#
Also, some types of botnet traffic are only ever monitored as per the below article:
http://www.symantec.com/docs/TECH138303