Monitoring scan statuses and results in Malware Protection for EC2

After a malware scan is initiated on an Amazon EC2 instance, GuardDuty populates the status and result fields automatically. You can monitor the status as it transitions and see whether malware was detected. The following table lists the possible values associated with a malware scan.

Category        Potential values
Scan status     Running, Completed, Skipped, or Failed
Scan result*    Clean or Infected
Scan type       GuardDuty initiated or On demand

*Scan result is populated only when the scan status becomes Completed. The scan result Infected means that GuardDuty detected the presence of malware.

The scan results for each malware scan have a retention period of 90 days. Choose your preferred access method to track the status of your malware scan.

Console
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, choose EC2 malware scans.

  3. You can filter the malware scans by the following Properties available in the filter search bar.

    • Scan ID – Unique identifier associated with the EC2 malware scan.

    • Account ID – AWS account ID where the malware scan initiated.

    • EC2 instance ARN – Amazon Resource Name (ARN) of the Amazon EC2 instance associated with the scan.

    • Scan status – The scan status of the EBS volume, such as Running, Skipped, and Completed.

    • Scan type – Indicates whether this was an On-demand malware scan or a GuardDuty-initiated malware scan.

API/CLI
  • After the malware scan has a scan result, use DescribeMalwareScans to filter the malware scans on the basis of EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    The GUARDDUTY_FINDING_ID filter criterion is available when the SCAN_TYPE is GuardDuty initiated.

  • You can change the example filter-criteria in the command below. Presently, you can filter on the basis of one CriterionKey at a time. The options for CriterionKey are EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    You can change the max-results (up to 50) and the sort-criteria. The AttributeName is mandatory and must be scanStartTime.

    In the following example, the detector-id and EqualsValue values are placeholders. Replace them with the values appropriate for your account. For example, replace the example detector-id 60b8777933648562554d637e0e4bb3b2 with your own valid detector-id. If you use the same CriterionKey as below, make sure to replace the example EqualsValue with your own valid AWS scan-id.

    aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'
  • The response of this command displays a maximum of one result with details about the affected resource and malware findings (if Infected).
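
As an added example (not part of the AWS documentation), the Python below builds the same describe-malware-scans call while enforcing the constraints described above (one CriterionKey, max-results up to 50, sort on scanStartTime), then groups a response by the follow-up each scan needs. The response field names (Scans, ScanId, ScanStatus, ScanResultDetails.ScanResult) and their upper-case values are assumed from the DescribeMalwareScans response shape, and the sample response is constructed.

```python
import json
import subprocess

# CriterionKey values listed on this page; one key per request.
CRITERION_KEYS = {"EC2_INSTANCE_ARN", "SCAN_ID", "ACCOUNT_ID", "SCAN_TYPE",
                  "GUARDDUTY_FINDING_ID", "SCAN_STATUS", "SCAN_START_TIME"}

def build_command(detector_id, key, value, max_results=50):
    """Return argv for `aws guardduty describe-malware-scans`."""
    if key not in CRITERION_KEYS:
        raise ValueError(f"unsupported CriterionKey: {key}")
    if not 1 <= max_results <= 50:
        raise ValueError("max-results must be between 1 and 50")
    criteria = {"FilterCriterion": [
        {"CriterionKey": key, "FilterCondition": {"EqualsValue": value}}]}
    # AttributeName is mandatory and must be scanStartTime.
    sort = {"AttributeName": "scanStartTime", "OrderBy": "DESC"}
    return ["aws", "guardduty", "describe-malware-scans",
            "--detector-id", detector_id, "--max-results", str(max_results),
            "--sort-criteria", json.dumps(sort),
            "--filter-criteria", json.dumps(criteria), "--output", "json"]

def fetch(argv):
    """Run the CLI (requires configured AWS credentials); return parsed JSON."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def triage(response):
    """Group scan IDs by the follow-up each scan needs."""
    buckets = {"infected": [], "clean": [], "pending": [], "not_scanned": []}
    for scan in response.get("Scans", []):
        status = scan.get("ScanStatus", "").upper()
        # ScanResult is only populated once the status is COMPLETED.
        result = (scan.get("ScanResultDetails") or {}).get("ScanResult", "").upper()
        if status == "COMPLETED" and result in ("INFECTED", "CLEAN"):
            buckets[result.lower()].append(scan["ScanId"])
        elif status == "RUNNING":
            buckets["pending"].append(scan["ScanId"])
        else:  # SKIPPED, FAILED, or COMPLETED with no result: coverage gap
            buckets["not_scanned"].append(scan["ScanId"])
    return buckets

# Constructed sample response (not real scan data).
SAMPLE = {"Scans": [
    {"ScanId": "scan-a", "ScanStatus": "COMPLETED", "ScanType": "ON_DEMAND",
     "ScanResultDetails": {"ScanResult": "INFECTED"}},
    {"ScanId": "scan-b", "ScanStatus": "COMPLETED",
     "ScanResultDetails": {"ScanResult": "CLEAN"}},
    {"ScanId": "scan-c", "ScanStatus": "RUNNING"},
    {"ScanId": "scan-d", "ScanStatus": "SKIPPED"},
    {"ScanId": "scan-e", "ScanStatus": "FAILED", "FailureReason": "constructed"}]}
```

Skipped and Failed scans land in not_scanned because an instance without a Completed scan has no Clean or Infected result and should not be read as clean.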

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.