To determine which application(s) are making the Filr files available offline, you can investigate the %LOCALAPPDATA%\Novell\Filr\ServiceProvider.log file.
This file is useful for determining whether the downloading application is indeed a scanner or another application. However, be aware that this log file also contains the regular file downloads requested by the Filr Desktop client.
If the application performing the unsolicited downloads is explorer.exe or svchost.exe and the files are mostly compressed archives, have a look at TID 7018138.
An additional advantage of configuring the scanner application to exclude the virtual file system, represented by the Filr folder, is that it reduces the number of REST requests the desktop client has to make to list the files and folders that are available via the Filr infrastructure. This reduces the load on both the workstation and the Filr appliance(s). Therefore, there is no harm in permanently excluding the Filr folder from being scanned.
If the workstation uses the default proposed configuration, the data that has been made available offline is stored under “%LOCALAPPDATA%\Filr Storage”.
This folder can be scanned, without impact on files being downloaded or additional load on the Filr infrastructure.
To remove the data that was downloaded unsolicited, right-click a top-level folder in the Filr Area and select “Make available online-only”.