McAfee Enterprise MVISION Cloud

About On-Demand Scans

Use On-Demand Scans to examine cloud services for content that violates your policies and to support targeted investigations. Create continuous audits around specific data types for On-Demand Scan collaboration. Run your scan immediately, or set a daily or weekly schedule to scan at a convenient time.

On-Demand Scans provide a great deal of flexibility to inspect different aspects of your deployment. When you first configure your tenant, run an On-Demand Scan to set a baseline for activity in your cloud services. For example, you could limit each malware scan to new or updated files, or to specific users or folders. Another example is to scan only specific users before they are off-boarded.

For information about file size, see Maximum File Size for On-Demand Scans.

On-Demand Scans are powered by DLP Policies and Malware Policies. You can include more than one policy, which allows for more than one remediation action, to create scans that return results that can be used for a specific purpose. 

During an On-Demand Scan, files are processed in Skyhigh CASB to inspect sensitive content, then the files are deleted immediately after processing. Your files are never stored in Skyhigh CASB.

Supported Cloud Services

On-Demand Scans are only available with API-based deployments. Proxy-based deployments are not compatible with On-Demand Scans. On-Demand Scans are currently available for the following cloud services:

For Amazon S3, since there is no concept of a user, Skyhigh CASB scans documents by S3 bucket. For Azure, we scan Blobs, and for SharePoint, we scan Sites. For all other services, such as OneDrive and Box, we scan documents by user.

NOTE: Google Drive does not provide file size information, so Skyhigh CASB cannot evaluate file size rules. 

Scans Page

Find the Scans page at Policy > On-Demand Scan


The On-Demand Scan page provides the following information and actions:

  • Search. Search for an On-Demand Scan by name, description, and all available filters. 
  • Filters. Select options on the Filters tab to scope down your search. 
  • Actions. Click Actions to:
  • Scan Name. Click the scan name link to run the scan or to see Scan Details.
  • Scan Type. Displays the type of scan, including DLP, Configuration Audit, and Malware.
  • Scan Instances. Click the number to display scan instance details. 
  • Last Scan Errors.  Click the number to display last scan error details. 
  • Last Scan Incidents. Click the number to display last scan incidents details. 
  • Last Scan Status. Includes possible statuses: Pending, Scheduled, Completed, Paused, Stopped, Not yet run, In progress. For In progress, a progress bar is displayed. 
  • Last Run Date. Displays the date that the last scan instance was run. 
  • Actions. In the Actions column, available options are bold. Unavailable options are grayed out. 
    • Edit. Opens the wizard to edit the scan. 
    • Start. Click to start the scan. Depending on the CSP, a dialog may prompt you with "Estimate scan?" or "Is the configuration of your scan correct?". Check your scan configuration or estimate the time your scan will take, then click through to run your scan. For details, see Estimate On-Demand Scan Duration.
    • Resume. Resume a paused scan. 
    • Pause. When the scan is running, click pause to pause the scan. 
      NOTE: If a scan is paused, it must be resumed within 30 days. Otherwise, the scan is marked as failed automatically.
    • Stop. When the scan is running, click stop to stop the scan.
    • Delete. Delete the scan. 


If an On-Demand Scan's progress has not updated in a certain amount of time, it automatically pauses, which allows the scan to handle issues like rate limiting and unexpected errors. The status is displayed as auto-paused, with the time that it resumes.  

Full Data Scope

To scan the full contents of a folder, use Full mode as the data scope, but only when needed, as it takes a long time. The first time you run a scan, you must use Full mode. 

NOTE: We do not recommend scheduling content-based scans using the Full data scope, as it takes a long time for the scan to complete, and might generate duplicate incidents because the same content is scanned multiple times. 

Incremental Data Scope

IMPORTANT: Incremental Mode behavior changed in Skyhigh CASB 3.9. Previously, if you modified a policy, the next scan would revert to Full mode automatically. As of Skyhigh CASB 3.9, this no longer happens. Incremental mode always scans incrementally, except for the first time it is run.

To scan only changes that have occurred since the last scan, use Incremental mode as the data scope. Incremental scans run faster than Full scans. 

Technically, the first time an Incremental scan is run, it always runs as a Full scan. After that first scan, each Incremental scan picks up only new documents, starting from the last scan's start time. It does not pick up earlier documents.

For example, if you ran an On-Demand Scan in Incremental mode within the last 7 days, the first scan picks up documents from the last 7 days. Going forward, the scan always picks up newly added documents. It does not pick up documents from the last 30 days, even if you change the scan's data scope configuration.

NOTE: For Amazon S3 scans, the first time a scan is run, it uses Full mode. Subsequent scans always use Incremental mode. If new documents in a previously scanned S3 bucket are found during the scan, the scan continues as Incremental. If new S3 buckets are found during the scan, the new S3 buckets are scanned in Full mode. Subsequent scans of the new S3 buckets always use Incremental mode.
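The selection rules above can be modelled in a few lines. The following is an added example, not Skyhigh CASB code: it is a simplified model built only from this page's description, and the names `Doc`, `ScanState`, `run_incremental`, and `not_covered_by`, along with the inventory and dates, are hypothetical. It shows that after a policy edit, documents unchanged since the last scan start are not inspected under the edited policy, while a newly discovered bucket gets a Full pass.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class Doc:
    bucket: str
    name: str
    modified: datetime  # time the object was created or last updated

@dataclass
class ScanState:
    last_start: dict = field(default_factory=dict)      # bucket -> start time of its last scan
    inspected_with: dict = field(default_factory=dict)  # Doc -> policy version last applied

def run_incremental(state, docs, start, policy_version):
    """Select the documents one Incremental run inspects, as the page describes."""
    picked = []
    for doc in docs:
        watermark = state.last_start.get(doc.bucket)
        # Never-scanned bucket: Full pass. Otherwise only changes since the last start.
        if watermark is None or doc.modified >= watermark:
            picked.append(doc)
            state.inspected_with[doc] = policy_version
    for bucket in {doc.bucket for doc in docs}:
        state.last_start[bucket] = start
    return picked

def not_covered_by(state, docs, policy_version):
    """Documents never inspected under the given policy version."""
    return [d for d in docs if state.inspected_with.get(d) != policy_version]

def demo():
    # Constructed inventory and dates, for illustration only.
    a = Doc("finance", "a.csv", datetime(2023, 12, 20))
    b = Doc("finance", "b.docx", datetime(2023, 12, 28))
    c = Doc("finance", "c.txt", datetime(2024, 1, 5))
    d = Doc("hr", "d.pdf", datetime(2023, 11, 1))
    state = ScanState()
    first = run_incremental(state, [a, b], datetime(2024, 1, 1), "v1")
    # Policy edited to v2; c.txt and the hr bucket appear before the next run.
    second = run_incremental(state, [a, b, c, d], datetime(2024, 1, 8), "v2")
    gap = not_covered_by(state, [a, b, c, d], "v2")
    return [x.name for x in first], [x.name for x in second], [x.name for x in gap]

if __name__ == "__main__":
    print(demo())
```

In this model, the documents returned by `not_covered_by` are the ones a Full-scope run would need to reach before the edited policy has been applied to them.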

Secure Collaboration

You can use On-Demand Scans to detect folder and file collaboration events and make sure the proper collaboration or sharing remediation action occurs. In addition to removing shared links and modifying permissions, scans can support the following workflows:

  • Folder Collaboration rules can be defined with File Content rules. This means that if a user shares a folder, and a file with forbidden content is then uploaded to it, any DLP policies are triggered and remediation actions are executed. Also, if a folder (or any of its subfolders) already contains a file with sensitive content, and the user then shares the folder, a DLP policy can be executed.
  • If a Shared Link rule is defined along with a File Content rule, DLP policies are executed if a user shares a file link and then updates the file with sensitive content, or if a user uploads a file with sensitive content and then shares the link for the file.

Maximum File Size for On-Demand Scans

The maximum file size supported for content-based DLP rules in On-Demand Scans is 50 MB. 


  • If the original file size is greater than 50 MB, Skyhigh CASB skips content extraction, so content-based DLP rules are not evaluated. DLP rules based on file metadata, such as file size rules and collaboration rules, are still evaluated.
  • If the original file size is less than 50 MB, Skyhigh CASB performs content extraction. 
    • If the extracted content is greater than 30 MB, Skyhigh CASB scans only 30 MB of content. 
    • If the extracted content is less than 30 MB, Skyhigh CASB scans all content. 

Scan Details

On the Scans page, click the Scan Name in the list to go to the Scan Details page.


Here you can perform the following actions:

  • Estimate Scan Duration. Click to estimate the time a scan will take based on empirical data, historical performance for a service on a Skyhigh CASB tenant, and other data.
  • Run Scan Now. Click to run the scan immediately. 
  • Scan Details. View details of the scan. 
  • Actions. 
    • Edit. Opens the wizard to edit the scan. 
    • Delete. Delete the scan.