
Full Scans

DMontalbano
Level 1

Does anyone run scheduled full scans on their endpoints at night?  Are full scans tied to retrospective detections?

Accepted Solution

Troja007
Cisco Employee

Hello @DMontalbano ,
full scans on the endpoint and retrospective detections are completely different features.

  • A retrospective detection is done by the backend processing the EDR telemetry data (including file activity, process activity, network activity and command line activity). This happens even if the endpoint is completely offline. The outcome is a Cloud IOC.
  • The scheduled scan is running on the endpoint. The outcomes here are events like "scan started" or "scan detections".

Greetings, Thorsten 


5 Replies

Roman Valenta
Cisco Employee

Well, not necessarily. If the file was previously seen on the endpoint and there is a retrospective detection, in other words if a previously clean file is now condemned as malicious, retrospective quarantine will happen at the next heartbeat.


Furthermore, on Full Scans here is something you might want to consider...

As per the AMP for Endpoints user guide, as seen below, here are a couple of highlights that you might want to consider.

- https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

"A full scan will scan the processes running, the registry entries, and all the files on disk. This scan is very resource-intensive and should not be performed on a regular basis."

"WARNING! Running a full Endpoint IOC scan is time consuming and resource intensive. On endpoints with a large number of files, a full scan can take multiple days to run. You should only schedule full scans during periods of inactivity, such as at night or on weekends. The first time you run a full scan on a Connector, the system will be catalogued, which will take longer than a regular full scan"

Full Scan: Scans the entire computer including all attached storage devices (such as USB drives). This scan can be time-consuming and resource-intensive, so it should only be performed once when the connector is first installed.


Both Flash Scan and Full Scan check the following information:

  • Running processes
  • Loaded DLLs
  • Services
  • Drivers
  • Task Scheduler
  • System information
  • User account information
  • Browser history and downloads
  • Windows event logs
  • Network and DNS information

Full Scan adds the following:

  • The entire Windows registry using the hives on disk
  • All files and directories on the file system
  • System restore points

The Endpoint IOC (indication of compromise) feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IOCs are imported through the console from open IOC-based files that are written to trigger on file properties, such as name, size, hash, and other attributes, and system properties, such as process information, running services, and Windows Registry entries.

The Endpoint IOC scanner is available in Secure Endpoint Windows connector versions 4 and higher. Running Endpoint IOC scans may require up to 1 GB of free drive space.

WARNING! Running a full Endpoint IOC scan is time consuming and resource intensive. On endpoints with a large number of files, a full scan can take multiple days to run. You should only schedule full scans during periods of inactivity, such as at night or on weekends. The first time you run a full scan on a connector, the system will be cataloged, which will take longer than a regular full scan.

If you select a full scan, you can also choose whether to do a full catalog before the scan, catalog only the changes since the last scan (only available on Secure Endpoint Windows connector 4.4 and higher), or run the scan without cataloging. A full catalog will take the most time to complete, and running the scan without a catalog will take the least amount of time. If you choose to only catalog changes, then only changes to the filesystem since the last full catalog will be cataloged. The amount of time this scan takes will vary based on the number of changes to catalog.

IMPORTANT! If you have not performed a full catalog on a computer yet and choose not to catalog before the scan then nothing will be scanned.

Scheduled Scans

When a scheduled scan runs, the AMP console sends a query to the connector; when the connector receives the query, it performs the scan. However, if the connector doesn't receive the query, the scan doesn't run and will be retried at the next scheduled event.

This is the reason why we suggest to customers to perform the scheduled scans when the users are working but the device doesn't have a lot of payload, for example Friday at the end of the day.

Now, it is completely your choice if you want to schedule the scans on the policies, but scheduled scans are not necessary for the operation of the AMP for Endpoints Connector because files are being reviewed as they are copied, moved, and executed. Files are also reviewed again for 7 days using Retrospective. This allows companies to reduce their energy footprint by eliminating the need for scheduled scans.

Hope this helps...
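The two mechanisms discussed in this thread behave differently when an endpoint is off: a scheduled scan only runs if the connector is online to receive the console's query at the scheduled moment (otherwise it waits for the next scheduled event), whereas a retrospective verdict is reached in the backend and is acted on at the connector's next heartbeat. The following is an added Python model of that behaviour, written for this page; it is not Cisco code, and the 15-minute heartbeat interval, the connector's online windows and the schedules are constructed assumptions. It lets you check a proposed schedule against a fleet's real power-on pattern before rolling it into a policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the behaviour described in the thread; it is not Cisco code.
HEARTBEAT = timedelta(minutes=15)   # assumed connector heartbeat interval for this model


@dataclass
class Connector:
    """An endpoint connector, modelled only by the windows in which it is online."""
    name: str
    online_windows: list   # [(start, end), ...] as datetimes, end exclusive

    def is_online(self, t: datetime) -> bool:
        return any(s <= t < e for s, e in self.online_windows)

    def next_heartbeat(self, t: datetime):
        """Earliest heartbeat at or after t. Heartbeats occur every HEARTBEAT
        while online, aligned to the start of each online window."""
        for s, e in sorted(self.online_windows):
            if e <= t:
                continue
            first = max(s, t)
            k = -((-(first - s)) // HEARTBEAT)      # ceil((first - s) / HEARTBEAT)
            hb = s + k * HEARTBEAT
            if hb < e:
                return hb
        return None


def weekday_windows(first_day: datetime, days: int, start_hour: int, end_hour: int):
    """Constructed working hours: online start_hour-end_hour on Mon-Fri for `days` days."""
    out = []
    for i in range(days):
        d = first_day + timedelta(days=i)
        if d.weekday() < 5:
            out.append((d.replace(hour=start_hour), d.replace(hour=end_hour)))
    return out


def scheduled_scan_run(connector: Connector, schedule: list):
    """The console sends the scan query at each scheduled event. If the connector
    is offline it does not receive the query, the scan does not run, and the next
    attempt is the next scheduled event. Returns (run_time, attempts), or
    (None, attempts) if no event in `schedule` reached an online connector."""
    for attempt, when in enumerate(sorted(schedule), start=1):
        if connector.is_online(when):
            return when, attempt
    return None, len(schedule)


def retrospective_quarantine_time(connector: Connector, condemned_at: datetime):
    """A retrospective detection is produced by the backend regardless of endpoint
    state; the connector acts on it (retrospective quarantine) at its next heartbeat."""
    return connector.next_heartbeat(condemned_at)


# --- constructed scenario: a workstation powered on 08:00-18:00 on weekdays only ---
MONDAY = datetime(2023, 1, 23)
ws = Connector("workstation-01", weekday_windows(MONDAY, 8, 8, 18))   # Mon 23 Jan .. Mon 30 Jan

NIGHTLY_0200 = [MONDAY + timedelta(days=i, hours=2) for i in range(1, 8)]   # 02:00, Tue .. Mon
FRIDAY_1700 = [datetime(2023, 1, 27, 17, 0)]                                 # once, Friday late afternoon

if __name__ == "__main__":
    print("nightly 02:00 ->", scheduled_scan_run(ws, NIGHTLY_0200))
    print("Friday 17:00  ->", scheduled_scan_run(ws, FRIDAY_1700))
    sat_noon = datetime(2023, 1, 28, 12, 0)
    print("hash condemned Sat 12:00, quarantined at ->", retrospective_quarantine_time(ws, sat_noon))
```

With these assumptions the nightly 02:00 schedule never fires on a machine that is shut down overnight, the Friday 17:00 schedule runs on its first attempt, and a hash condemned on Saturday is quarantined at the first heartbeat on Monday morning. Swapping in heartbeat intervals or online windows taken from your own telemetry turns the model into a quick check of whether a proposed schedule will actually reach the endpoints it targets.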

Thank you for that information.

We don't run full scans nightly; we do run them on workstations where something pops up, whether it's from a Cognitive detection, or retro from AMP or Email, sort of as a "just in case" sweep.

Thanks.  We may switch to full scans on a weekly basis or possibly eliminate them all together.
