Disk I/O increases significantly for several minutes after a Symantec Endpoint Protection (SEP) client updates it's virus definitions.
SEP 14.x
By default, when the virus definitions are updated on a client, a rescan of the file cache will be initiated.
To work around this issue, modify the SEP client Virus and Spyware Protection policy to disable Rescan cache on new definitions load.
Please note that disabling the rescan of Auto-Protect cache doesn't lower the protection provided by SEP clients.
For more details on this feature see the article:
How does the "Rescan the cache when new definitions load" feature work in SEP?
https://knowledge.broadcom.com/external/article/156652
An alternative resolution is the disable the Auto-Protect cache in the Antimalware policy