Channel: Symantec Connect - Products - Ideas

Binary or sector-based full disk scan option


Instead of generalizing that all malicious code is stored explicitly in files, why not create a binary or sector-based scan option that scans everything?

Not all malware/viruses/spyware lives only in files; there are ways to remotely manipulate the code stored on a hard drive or other storage media without inserting the malicious code into files. If you, Symantec, were to develop a binary full disk scan option for Endpoint Protection (SEP), you might discover new threats that normally wouldn't be detected and/or rediscover malicious code in the raw binary readout of the media where malware or viruses were previously removed or never discovered because the file was deleted.

On occasion, such remnants can be implanted traditionally by sending the malicious file to the target system and letting it get deleted, but the code is still on the storage media. You'd think this would be known as a trojan-horse type of exploit, but guess what, this is far more dangerous than that. Some exploit codes can sit in the invisible binary data stored in the hard drive simply in plaintext, but more sophisticated exploits can be adapted or made to do so by the exploit's creator, to hide in encrypted clusters: either steganography or matryoshka. Such exploits may not be widespread at the moment as far as we know, but they will be. The next generation of viruses, malware, and spyware will be undetectable encrypted malicious code that can create a decrypted copy of itself long enough to inflict as much damage as desired by the user of such code, and would self-delete after the payload is delivered, leaving the encrypted code behind in case anyone decides to reuse that malicious code, making it unstoppable.

Network security is one thing, but that won't stop what's already there or what slipped through the cracks undetected. The main problem with your endpoint protection program is that your virus prevention capabilities are, just like all antivirus programs, limited at best. If you want to prevent recently detected malicious code from surfacing from a drive's binary structure, here's what you need to implement:

First off, you might consider encrypting the quarantine just in case it becomes necessary through some odd security breach.

Second, when a malicious file is deleted from the storage media, scrub the binary areas and sectors that said malicious file was deleted from, using a DoD 5220.22-M (3-pass) algorithm.  (I have other free-space erasing software that does this at the moment, but malware still slips through the cracks even with every security feature in endpoint protection maxed out.)

Finally, I strongly urge you to implement a full disk binary/sector scan that truly does scan everything throughout the entire storage media, to ensure scan reliability and maximize detection rate.
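To make the second and third suggestions concrete, here is an added example (not code from the original post and not Symantec's or SEP's implementation) of what a sector-based scan and a 3-pass scrub look like when written from scratch. It assumes a raw disk image held in memory with 512-byte sectors, a constructed signature string that is not a real malware pattern, and that the scanner ignores file-system metadata entirely, so it reads unallocated sectors where a deleted file's contents may still sit. The scan window extends past each sector by the longest signature so a match that straddles a sector boundary is still caught, and the scrub overwrites the affected sectors with 0x00, 0xFF and random bytes before a rescan confirms nothing is left.

```python
"""Sector-level scan and scrub of a raw disk image (illustrative, in-memory)."""
import secrets

SECTOR_SIZE = 512

# Constructed demo signature; deliberately not a real malware pattern.
SIGNATURES = {
    "demo-remnant": b"CONSTRUCTED-TEST-SIGNATURE-0xDEMO",
}


def build_demo_image(num_sectors=64):
    """Construct an image of zeroed sectors with one remnant that straddles the
    boundary between sectors 10 and 11, the way a deleted file's bytes can
    linger in sectors the file system no longer considers allocated."""
    image = bytearray(num_sectors * SECTOR_SIZE)
    sig = SIGNATURES["demo-remnant"]
    offset = 11 * SECTOR_SIZE - len(sig) // 2
    image[offset:offset + len(sig)] = sig
    return image


def scan_image(image, sector_size=SECTOR_SIZE):
    """Scan every sector of the raw image, with no file-system awareness.

    Returns a list of (signature name, absolute byte offset, sectors touched).
    Each window covers one sector plus (longest signature - 1) trailing bytes so a
    match crossing a sector boundary is found; only matches that begin inside the
    current sector are reported, which avoids reporting the same hit twice."""
    max_len = max(len(s) for s in SIGNATURES.values())
    hits = []
    num_sectors = len(image) // sector_size
    for sector in range(num_sectors):
        start = sector * sector_size
        window = bytes(image[start:start + sector_size + max_len - 1])
        for name, sig in SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                if pos < sector_size:  # match starts in this sector
                    abs_off = start + pos
                    first = abs_off // sector_size
                    last = (abs_off + len(sig) - 1) // sector_size
                    hits.append((name, abs_off, list(range(first, last + 1))))
                pos = window.find(sig, pos + 1)
    return hits


def scrub_sectors(image, sectors, sector_size=SECTOR_SIZE):
    """Overwrite the given sectors in three passes (0x00, 0xFF, random bytes),
    a 3-pass pattern of the kind the post asks for. On real media the writes
    would also need to be flushed to the device between passes."""
    for pattern in (b"\x00", b"\xff", None):
        for s in sectors:
            start = s * sector_size
            if pattern is None:
                data = secrets.token_bytes(sector_size)
            else:
                data = pattern * sector_size
            image[start:start + sector_size] = data
    return image


def scan_and_scrub(image):
    """Scan, scrub every sector a hit touched, then rescan to verify."""
    before = scan_image(image)
    touched = sorted({s for _, _, secs in before for s in secs})
    scrub_sectors(image, touched)
    after = scan_image(image)
    return before, after


if __name__ == "__main__":
    img = build_demo_image()
    before, after = scan_and_scrub(img)
    for name, off, secs in before:
        print(f"hit {name} at byte {off} (sectors {secs})")
    print(f"hits after scrub: {len(after)}")
```

On a real system the image would be read from the block device rather than built in memory; everything else stays the same, which is the point of a sector-based scan: it never asks the file system which sectors matter.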

I'm sure you'll understand that it's in everyone's best interest to put as much effort as possible into stopping even the most unusual or unlikely security breaches from happening.
