Speeding Up Scans with Differential Scan

The problem

Full scans on a large drive take hours — sometimes days. The same machine, visited again a week later, gets re-scanned from scratch even though most files have not changed since last time. That cost adds up quickly when the same laptops keep coming back through the facility.

The fix: turn on Differential Scan

Once Differential Scan is enabled, every scan writes its file hashes into a database on the device. Any later scan that uses the same settings — whether you launched it from a Workflow, a Full Scan, or a Custom Scan — hashes each file and only sends the new, changed, or expired ones to the engines.

Drive does not require a specific baseline or even a Workflow to do this. The lookup runs against the cumulative hash database of every previous scan with matching settings. Workflows are simply a convenient way to make sure the same settings are used on the next visit; in fact, when you run a Full Scan that matches a previous one, Drive will reuse that workflow automatically.

Same machine (Dell Latitude 5420, Kali, 1,908,762 files / 887.20 GB), same Full Threat Scanning settings:

Scan          Duration  Notes
First visit   53:23:54  Every file analyzed and hashed
Repeat visit  02:14:17  Only new / changed files scanned

Roughly a 24× speed-up with no loss of coverage.

How to set it up

  1. Enable it. Settings → Preferences → Scan Settings → tick Enable Differential Scan and set Baseline Hash Valid Period (e.g. 30 days). Click Close.
  2. Run a scan as usual. Full Scan, Custom Scan — anything. This first run takes the full time and seeds the hash database.
  3. Run again later. Any subsequent scan with matching settings becomes a differential scan automatically. Drive shows the date of the cached entry in the scan progress so you can tell when each file was last actually inspected.

Optional: manage runs as a Workflow

The Workflows screen lets you save a scan configuration by name and pin a report to it as a comparison reference. Useful when several operators share the device or when you want a labelled history of each repeat visit.

  1. From a finished report, click Save as workflow (or use the workflow Drive auto-created from your Full Scan).
  2. On the Workflows screen, expand the workflow and click Set as baseline on the report you want as the reference. It will be labelled Marked as baseline.
  3. Next visit: click Run on the workflow.

The marked baseline is only a comparison reference for the UI and OCM — it is not what makes the diff scan work. Changing or removing it does not invalidate any cached hashes.

How the skip decision works

Drive skips engine scanning for a file only when all three are true:

  1. Same scan settings as the cached entry (engines, archive options, scan paths, etc.).
  2. Hash is in the database. The DB is cumulative across every previous Differential-Scan run with matching settings — not tied to a single baseline or workflow.
  3. Entry is within the Valid Period you configured.

Any other case → the file is scanned normally and its fresh result is written back.
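
The three conditions above can be modelled as a small cache lookup. This is an added example, not Drive's own code: the names HashCache, decide and settings_fingerprint, the use of SHA-256, and the JSON settings layout are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta

def settings_fingerprint(settings: dict) -> str:
    # Canonical JSON so the same options always produce the same key (assumed scheme).
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class HashCache:
    """Cumulative cache: settings fingerprint -> {file hash: last engine scan time}."""

    def __init__(self, valid_period: timedelta):
        self.valid_period = valid_period
        self.entries = {}

    def decide(self, settings: dict, content: bytes, now: datetime) -> str:
        bucket = self.entries.setdefault(settings_fingerprint(settings), {})
        digest = hashlib.sha256(content).hexdigest()  # hash algorithm is an assumption
        last_scanned = bucket.get(digest)
        if last_scanned is None:
            verdict = "scan:miss"      # new file, changed file, or different settings
        elif now - last_scanned > self.valid_period:
            verdict = "scan:expired"   # cached, but older than the Valid Period
        else:
            return "skip"              # all three conditions hold; timestamp untouched
        bucket[digest] = now           # fresh result written back
        return verdict

def demo() -> list:
    # Constructed sample data: two settings profiles and two file versions.
    full = {"engines": ["a", "b"], "archives": True, "paths": ["/"]}
    no_archives = dict(full, archives=False)
    t0 = datetime(2024, 1, 1)
    week = t0 + timedelta(days=7)
    cache = HashCache(valid_period=timedelta(days=30))
    return [
        cache.decide(full, b"report v1", t0),                       # first visit
        cache.decide(full, b"report v1", week),                     # unchanged
        cache.decide(full, b"report v2", week),                     # content changed
        cache.decide(no_archives, b"report v1", week),              # settings differ
        cache.decide(full, b"report v1", t0 + timedelta(days=40)),  # past Valid Period
    ]

if __name__ == "__main__":
    print(demo())
```

A skip leaves the stored timestamp alone, so the entry keeps the date the file was last actually inspected and still ages out once the Valid Period passes.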

Things worth knowing

  • A Workflow is convenience, not a requirement. Plain Full Scan / Custom Scan with the same settings as a prior run benefits from the cache too.
  • Hashes are physically retained for up to 30 days while the feature is on, regardless of the Valid Period — the period only controls the cutoff used at lookup.
  • Un-ticking Enable Differential Scan wipes the hash database. Drive warns first.
  • Capacity: the 1 TB build (Digital Display, Drive 2 and Smart Touch) holds up to 30 days of hashes; the 64 GB build keeps roughly the last 3 scans or 3 days.
  • Deleting old reports (manually or via OCM auto-delete) does not delete the hashes behind them.
  • Both the seed scan and every differential scan sync to OCM, with diff-scan evidence preserved per report.