When a USB drive is plugged in, Symantec Endpoint Protection (SEP) will scan the whole disk in the system instead of just the USB mounted drive.

The /ScanDrive parameter specifies a scan of only removable drive.
However, the /ScanTemplate "Removable Media Scan Options" is configured by default to scan all drives (Default policy from Cloud). Consequently, the instruction to scan only removable drive is being overridden by the template's instruction to scan all drives.

There is no workaround for this issue as the values are hard coded.

The fix will be included in SEP 14.4 version.