Huntress relies on survey data sent from the agents to our portal in order to detect malicious activity. Any time the agent detects a change in startup behavior on the host, a survey is automatically sent to Huntress, so forcing a survey is unnecessary. End users are not able to force a survey. Huntress doesn't use scans since the agent is always watching for changes to startup behavior.
Surveys are sent to the Huntress cloud for analysis only when a change in startup behavior is detected, or every few hours. Many agents will typically only send a few surveys a day.
More information on surveys and the type of data that is collected can be found in the Surveys article.
Surveys following Incident remediation
Users often ask about forcing a survey following remediation of an incident so that it immediately shows as resolved in the dashboard. Once an incident is remediated and the footholds are gone, the agent will recognize that the persistence mechanisms have been removed. It will then send a survey to Huntress to be processed. As a result, it can sometimes take up to 30 minutes for an incident to show as resolved.