Hello,
Could you have the First action as "Leave Alone (log only) and check what happens??
In your case, The First Action is "Clean Risk" and when Symantec detects this Threat and cannot clean it, it "Cleans by Deletion".
Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.
Here above the Example is for general cases.
Check this Article:
Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1
http://www.symantec.com/docs/TECH102052
Hope that helps!!