In an ePO with VSE environment, whenever a USB memory stick is inserted into the system, how can I enforce a complete scan of the USB rather than the system giving me a popup to scan or open the content? Is there such a policy?
The only option is to set VSE to scan on read and write. The explorer.exe process must be configured to scan on read and write any file.
If the user is browsing the directory on the USB stick the files are automatically scanned.
While I can see your point for increased security, I believe that forcing scans of USB devices simply wastes people's time, increases frustration, and breaks the trust between user groups and administrators.
The forced full scan adds almost zero protection. Any file Not Read off of the USB device might as well not exist. As long as the On-Access Scanner is set to Scan on Read and Scan on Write, you are protected.
Realize that many other products do not have this level of control over scanning. As a result they 'need' the forced scan on USB devices to maintain protection. I for one do not want that extra scan added to VSE as it is in my opinion not beneficial to security.
This topic gets brought up from time to time. I had a response here https://community.mcafee.com/message/350779#350779 which I hope helps clarify things a bit.