GuardDuty Malware Protection for EC2 - Amazon GuardDuty

GuardDuty Malware Protection for EC2

Malware Protection for EC2 helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and to container workloads running on Amazon EC2. It provides scan options that let you include or exclude specific Amazon EC2 instances from scanning, and an option to retain, in your AWS account, the snapshots of the Amazon EBS volumes attached to the scanned instances or container workloads. Snapshots are retained only when malware is found and Malware Protection for EC2 findings are generated.

Malware Protection for EC2 scans snapshots of your volumes in the GuardDuty service account rather than running an agent on the instance, so it is designed not to affect the performance of your resources. For information about how Malware Protection for EC2 works within GuardDuty, see Elastic Block Store (EBS) volume. For information about the availability of Malware Protection for EC2 in different AWS Regions, see Regions and endpoints.

Note

GuardDuty Malware Protection for EC2 doesn't support Fargate with either Amazon EKS or Amazon ECS.

Malware Protection for EC2 offers two types of scans to detect potentially malicious activity in your Amazon EC2 instances and container workloads: GuardDuty-initiated malware scan and On-demand malware scan. The following comparison covers both scan types, factor by factor.

How the scan gets invoked

  • GuardDuty-initiated malware scan – After you enable GuardDuty-initiated malware scan, whenever GuardDuty generates a finding that indicates the potential presence of malware in an Amazon EC2 instance or a container workload, GuardDuty automatically initiates an agentless malware scan on the Amazon EBS volumes attached to the potentially impacted resource. For more information, see GuardDuty-initiated malware scan.
  • On-demand malware scan – You initiate an On-demand malware scan by providing the Amazon Resource Name (ARN) of your Amazon EC2 instance. You can start one even when no GuardDuty finding has been generated for the resource. For more information, see On-demand malware scan in GuardDuty.

Configuration needed

  • GuardDuty-initiated malware scan – You must enable it for your account. To manage multiple accounts by using AWS Organizations or the invitation-based method, see Enabling GuardDuty-initiated malware scan in multiple-account environments. To enable it in your own account, see Enabling GuardDuty-initiated malware scan for a standalone account.
  • On-demand malware scan – Your account must have GuardDuty enabled; no feature-level configuration is required.

Wait time to initiate a new scan

  • GuardDuty-initiated malware scan – Even if GuardDuty generates several of the findings that invoke GuardDuty-initiated malware scan for the same resource, it automatically initiates a scan on that resource at most once every 24 hours.
  • On-demand malware scan – You can initiate a new scan on the same resource any time after 1 hour from the start time of the previous scan.

Availability of the 30-day free trial period [1]

  • GuardDuty-initiated malware scan – When you enable GuardDuty-initiated malware scan for the first time in your account, you get a 30-day free trial period. For more information, see 30-day free trial in GuardDuty-initiated malware scan.
  • On-demand malware scan – There is no free trial period for On-demand malware scan, for new or existing GuardDuty accounts.

Scan options [2]

  • GuardDuty-initiated malware scan – After you've configured GuardDuty-initiated malware scan, Malware Protection for EC2 lets you scan or skip specific Amazon EC2 resources by using tags; it will not initiate an automatic scan on the resources you choose to exclude. For more information, see Scan options with user-defined tags.
  • On-demand malware scan – Because you provide the resource ARN to start an on-demand malware scan manually, scan options with user-defined tags do not apply.

[1] The free trial does not cover Amazon EBS usage: you will incur usage cost for creating EBS volume snapshots and for retaining snapshots. For more information about configuring your account to retain snapshots, see Snapshots retention.

[2] Both GuardDuty-initiated malware scan and On-demand malware scan support using a global tag to exclude Amazon EC2 resources from malware scans. For more information, see Global GuardDutyExcluded tag.
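The wait-time rules and the global exclusion tag from the comparison above are easy to get wrong when automating scans (a StartMalwareScan call inside the 1-hour window is wasted, and a finding on an excluded instance never triggers anything). The following added example, which is not code from the AWS documentation, encodes those rules as a pre-flight check. The scan records follow the shape of the GuardDuty DescribeMalwareScans response as boto3 returns it (ScanId, ScanType, ScanStatus, ScanStartTime as a datetime, ResourceDetails.InstanceArn); that field set is an assumption, and the ARNs, timestamps and tags are constructed sample data. Scan options with user-defined tags (GuardDuty-initiated scans only) are not modelled.

```python
"""Pre-flight check for Malware Protection for EC2 scans on a given instance.

Added example, not AWS documentation code. Rules encoded from the comparison:
  - on-demand scan: allowed only after 1 hour from the start of the previous scan on the
    same resource (the page does not qualify the type of that previous scan, so any counts);
  - GuardDuty-initiated scan: started automatically at most once every 24 hours per resource;
  - an instance tagged GuardDutyExcluded=true is skipped by both scan types.
Record shapes (assumed) mimic boto3's DescribeMalwareScans output; sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

ON_DEMAND_WAIT = timedelta(hours=1)
GUARDDUTY_INITIATED_WAIT = timedelta(hours=24)
EXCLUSION_TAG = "GuardDutyExcluded"   # global exclusion tag; value "true"

# Constructed sample data (documentation placeholder account ID 111122223333).
INSTANCE_A = "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaaaaaaaaaaaaaaa"
INSTANCE_B = "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbbbbbbbbbbbbbbb"
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SCANS = [
    {"ScanId": "scan-1", "ScanType": "GUARDDUTY_INITIATED", "ScanStatus": "COMPLETED",
     "ScanStartTime": T0 - timedelta(hours=5),
     "ResourceDetails": {"InstanceArn": INSTANCE_A}},
    {"ScanId": "scan-2", "ScanType": "ON_DEMAND", "ScanStatus": "RUNNING",
     "ScanStartTime": T0 - timedelta(minutes=20),
     "ResourceDetails": {"InstanceArn": INSTANCE_B}},
]


def is_excluded(tags):
    """True when the instance carries the global exclusion tag GuardDutyExcluded=true."""
    return tags.get(EXCLUSION_TAG, "").strip().lower() == "true"


def last_scan_start(scans, instance_arn, scan_type=None):
    """Start time of the most recent scan on the instance (optionally of one ScanType), or None."""
    starts = [s["ScanStartTime"] for s in scans
              if s["ResourceDetails"]["InstanceArn"] == instance_arn
              and (scan_type is None or s["ScanType"] == scan_type)]
    return max(starts) if starts else None


def can_start_on_demand(scans, instance_arn, tags, now):
    """Return (allowed, reason) for starting an on-demand scan on this instance at `now`."""
    if is_excluded(tags):
        return False, f"instance is tagged {EXCLUSION_TAG}=true"
    last = last_scan_start(scans, instance_arn)
    if last is not None and now - last < ON_DEMAND_WAIT:
        return False, f"previous scan started {now - last} ago; wait until {last + ON_DEMAND_WAIT:%H:%M}Z"
    return True, "ok"


def would_auto_scan(scans, instance_arn, tags, finding_time):
    """Return (expected, reason): would a qualifying finding at `finding_time` start an automatic scan?"""
    if is_excluded(tags):
        return False, f"instance is tagged {EXCLUSION_TAG}=true"
    last = last_scan_start(scans, instance_arn, "GUARDDUTY_INITIATED")
    if last is not None and finding_time - last < GUARDDUTY_INITIATED_WAIT:
        return False, "automatic scans run at most once every 24 hours per resource"
    return True, "finding will trigger an agentless scan of the attached EBS volumes"


def start_malware_scan_command(instance_arn):
    """argv for the AWS CLI call that starts an on-demand scan (returned, not executed)."""
    return ["aws", "guardduty", "start-malware-scan", "--resource-arn", instance_arn]


if __name__ == "__main__":
    for arn in (INSTANCE_A, INSTANCE_B):
        ok, why = can_start_on_demand(SAMPLE_SCANS, arn, {}, T0)
        print(f"{arn.rsplit('/', 1)[1]}: on-demand {'allowed' if ok else 'blocked'} ({why})")
        if ok:
            print("  ", " ".join(start_malware_scan_command(arn)))
```

Feed the check with the live output of DescribeMalwareScans and the instance's tags before calling StartMalwareScan; the 1-hour window is measured from the previous scan's start, not its completion, so a long-running scan does not extend the wait.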

Elastic Block Store (EBS) volume

This section explains how Malware Protection for EC2, including both GuardDuty-initiated malware scan and On-demand malware scan, scans the Amazon EBS volumes associated with your Amazon EC2 instances and container workloads. Before proceeding, consider the following customizations:

  • Scan options – Malware Protection for EC2 offers the capability to specify tags to either include or exclude Amazon EC2 instances and Amazon EBS volumes from the scanning process. Only GuardDuty-initiated malware scan supports scan options with user-defined tags. Both GuardDuty-initiated malware scan and On-demand malware scan support the global GuardDutyExcluded tag. For more information, see Scan options with user-defined tags.

  • Snapshots retention – Malware Protection for EC2 provides an option to retain the snapshots of your Amazon EBS volumes in your AWS account. By default, this option is turned off. You can opt in to snapshots retention for both GuardDuty-initiated and On-demand malware scans. For more information, see Snapshots retention.

When GuardDuty generates one or more of the findings that invoke GuardDuty-initiated malware scan, that finding is the trigger for GuardDuty to scan the affected resource. If your scan options do not exclude that instance (and it is not tagged GuardDutyExcluded), GuardDuty initiates the scan.

To initiate an On-demand malware scan on the Amazon EBS volumes associated with an Amazon EC2 instance, provide the Amazon Resource Name (ARN) of the Amazon EC2 instance.

In response to an on-demand malware scan or an automatic GuardDuty-initiated malware scan, GuardDuty creates snapshots of the relevant EBS volumes attached to the potentially impacted resource and shares them with the GuardDuty service account. When GuardDuty creates a snapshot of your EBS volume, it adds a default tag called GuardDutyScanId. GuardDuty uses this tag to locate and access the snapshot, so make sure that you don't remove it. From these snapshots, GuardDuty creates an encrypted replica EBS volume in the service account.

For information about GuardDuty malware detection methodology and the scan engines that it uses, see GuardDuty malware detection scan engine.

After the scan completes, GuardDuty deletes the encrypted replica EBS volumes and the snapshots of your EBS volumes. If malware is found and you've turned on the snapshots retention setting, the snapshots of your EBS volumes are not deleted but are retained in your AWS account. When no malware is found, the snapshots are not retained, regardless of the snapshots retention setting. By default, the snapshots retention setting is turned off. For information about the costs of snapshots and their retention, see Amazon EBS pricing.

GuardDuty will retain each replica EBS volume in the service account for up to 55 hours. If there is a service outage, or failure with a replica EBS volume and its malware scan, GuardDuty will retain such an EBS volume for no more than seven days. The extended volume retention period is to triage and address the outage or failure. GuardDuty Malware Protection for EC2 will delete the replica EBS volumes from the service account after the outage or failure is addressed, or once the extended retention period lapses.
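Because the snapshots GuardDuty takes in your account are billed EBS storage and are supposed to exist only while a scan is running or when malware was found with retention turned on, it is worth periodically reconciling them against the scan records. The following added example, which is not code from the AWS documentation, does that reconciliation. It identifies GuardDuty-created snapshots by the GuardDutyScanId tag described above and classifies each one against the matching scan. Snapshot records mimic the shape of EC2 DescribeSnapshots output (SnapshotId, Tags as a list of Key/Value pairs), scan records mimic GuardDuty DescribeMalwareScans output (ScanId, ScanStatus, ScanResultDetails.ScanResult), and the retention setting takes the values NO_RETENTION or RETAIN_WITH_FINDINGS that UpdateMalwareScanSettings accepts for EbsSnapshotPreservation; those shapes are assumptions and the sample data is constructed.

```python
"""Reconcile GuardDuty Malware Protection for EC2 snapshots in your account with scan records.

Added example, not AWS documentation code. GuardDuty tags every snapshot it takes with
GuardDutyScanId and deletes the snapshot after the scan unless malware was found and the
snapshot-retention setting (EbsSnapshotPreservation=RETAIN_WITH_FINDINGS) is on. Record
shapes below are assumptions modelled on DescribeSnapshots / DescribeMalwareScans output;
the sample data is constructed.
"""

SCAN_ID_TAG = "GuardDutyScanId"   # never strip this tag: GuardDuty uses it to access the snapshot

# Constructed sample data.
SAMPLE_SCANS = [
    {"ScanId": "scan-aaa", "ScanStatus": "COMPLETED", "ScanResultDetails": {"ScanResult": "INFECTED"}},
    {"ScanId": "scan-bbb", "ScanStatus": "COMPLETED", "ScanResultDetails": {"ScanResult": "CLEAN"}},
    {"ScanId": "scan-ccc", "ScanStatus": "RUNNING"},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-001", "Tags": [{"Key": "GuardDutyScanId", "Value": "scan-aaa"}]},
    {"SnapshotId": "snap-002", "Tags": [{"Key": "GuardDutyScanId", "Value": "scan-bbb"}]},
    {"SnapshotId": "snap-003", "Tags": [{"Key": "GuardDutyScanId", "Value": "scan-ccc"}]},
    {"SnapshotId": "snap-004", "Tags": [{"Key": "GuardDutyScanId", "Value": "scan-zzz"}]},
    {"SnapshotId": "snap-005", "Tags": [{"Key": "Name", "Value": "nightly-backup"}]},
]


def guardduty_scan_id(snapshot):
    """Return the GuardDutyScanId tag value, or None if GuardDuty did not create this snapshot."""
    for tag in snapshot.get("Tags", []):
        if tag["Key"] == SCAN_ID_TAG:
            return tag["Value"]
    return None


def classify_snapshot(snapshot, scans_by_id, preservation):
    """Classify one snapshot against the scan it belongs to and the account's retention setting."""
    scan_id = guardduty_scan_id(snapshot)
    if scan_id is None:
        return "not-guardduty"      # ordinary snapshot; outside this audit
    scan = scans_by_id.get(scan_id)
    if scan is None:
        return "orphan"             # tagged by GuardDuty but no scan record: investigate before deleting
    if scan["ScanStatus"] == "RUNNING":
        return "in-use"             # shared with the GuardDuty service account mid-scan; leave it alone
    result = scan.get("ScanResultDetails", {}).get("ScanResult")
    if (scan["ScanStatus"] == "COMPLETED" and result == "INFECTED"
            and preservation == "RETAIN_WITH_FINDINGS"):
        return "retained-finding"   # expected: evidence for incident response, billed as EBS storage
    return "unexpected"             # clean/failed/skipped scan, or retention off: should have been deleted


def audit(snapshots, scans, preservation):
    """Group snapshot IDs by classification."""
    scans_by_id = {s["ScanId"]: s for s in scans}
    report = {}
    for snap in snapshots:
        report.setdefault(classify_snapshot(snap, scans_by_id, preservation), []).append(snap["SnapshotId"])
    return report


if __name__ == "__main__":
    for bucket, ids in sorted(audit(SAMPLE_SNAPSHOTS, SAMPLE_SCANS, "RETAIN_WITH_FINDINGS").items()):
        print(f"{bucket:17} {', '.join(ids)}")
```

Run it per Region with live DescribeSnapshots (OwnerIds=self) and DescribeMalwareScans output. Treat "unexpected" and "orphan" entries as something to investigate rather than delete on sight: a snapshot whose scan is still being triaged after a service failure may legitimately outlive the scan window described above.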