Well, it gets quite a bit less embarrassing when you consider that a triggered scan, after the initial install, is basically not necessary with AMP. Because we're continually monitoring the activity on the endpoint, anything bad should get picked up. Stuff that initially passed muster and later is identified as malicious is handled by AMP's retrospection feature.
AMP does an initial scan at install time (by default) to pick up anything that was already lurking on the endpoint prior to AMP installation. Once you've done that the first time, there is very little benefit in continually re-scanning clean files over and over. All it really does is chew up system resources.
For customers who need to scan because of overly-restrictively-written policy requirements, scans can be scheduled via the admin console. But we pretty much never recommend doing so unless you absolutely have to.
What's the scenario you have in mind for API-initiated scans?
I completely agree with Orlith. We've had numerous cases of failed quarantines, and we must use a follow-up scan to determine what our next steps will be. If the threat is removed on the follow-up scan, we are good to go. If not, and we can't manually remove the threat either, then it's time to re-image the machine.
We are moving to a SOAR-based approach, and having the ability to initiate a scan via API would help in multiple ways:
1. Reduce the manual workload for our Service Desk Team.
2. Speed up our MTTR when it comes to endpoint infections/threats.
I agree with Orlith as well; I can tell you definitively that the install scan misses things that should have been caught if it were truly doing a full system scan. Things got picked up and quarantined on endpoints after scheduling a full system scan (they were false positives, though) that should also have triggered on the install scan if the install scan were truly scanning the entire endpoint.
Triaging things needs the ability to force a manual scan instead of having to use a separate policy and set the scheduled scan settings on the separate policy. That's too cumbersome when you are trying to investigate something immediately due to alerts from other security products.