a malicious executable is found on that device, why does the alert show as "Detected (Scanned)" for the file?
Detected (Scanned) means we detected the file as malware during the scan.
Is the endpoint protected from that malicious executable?
Yes, because the default policy is in block mode
Based on the default setting, would that file be blocked if it attempted to execute and since it is dormant, it has only been identified during the scan but no action is necessary (other than an alert)?
yes it will be blocked, there is a setting to change quarantine malicious executable where you can change it to Quarantine Wildfire Malware verdict so that way file that is scanned and if it has WF malware verdict then it will be quarantined. Step 3 --> option 2 from the link below