The only way to control which patches are scanned\deployed is through customized Scan Templates and\or Patch Groups. Judging from your post, a combination of a Scan Template and Patch Group would advisable, the caveat is you would need to add new patches to the Patch Group once you have approved them. How To: Include or Exclude Specific Patches in Scan Results
A non-tested option would be to disable the Auto-Update Definitions under Tools to prevent Scan from looking for new data when they run. You could then go to Tools > Operations > Downloads > Scheduled Automatic Downloads and schedule the Core Engines/Definitions to update the content for Protect. I wouldn't recommend this option since the data could be updated through other actions and cause patches to be installed outside of your control.
Thanks for your explanation, this is what I need