On-demand malware scan in GuardDuty
On-demand malware scan helps you detect the presence of malware on Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 instances. With no configuration needed, you can start an on-demand malware scan by providing the Amazon Resource Name (ARN) of the Amazon EC2 instance that you want to scan. You can start an on-demand malware scan either through the GuardDuty console or API. Before initiating an on-demand malware scan, you can set your preferred Snapshots retention setting. The following scenarios can help you identify when to use the On-demand malware scan type with GuardDuty:
-
You want to detect the presence of malware in your Amazon EC2 instances without enabling GuardDuty-initiated malware scan.
-
You have enabled GuardDuty-initiated malware scan and a scan was invoked automatically. After following the recommended remediation for the generated Malware Protection for EC2 finding type, if you want to start a scan on the same resource, you can start an on-demand malware scan after 1 hour has passed from the previous scan start time.
On-demand malware scan doesn't require that 24 hours have passed from the time the previous malware scan was started. One hour should have passed before initiating an On-demand malware scan on the same resource. To avoid duplicating a malware scan on the same EC2 instance, see Re-scanning previously scanned Amazon EC2 instance.
Note
On-demand malware scan is not included in the 30-day free trial period with GuardDuty. The usage cost
applies to the total Amazon EBS volume scanned for each malware scan. For more information, see Amazon GuardDuty pricing
How On-demand malware scan works
With On-demand malware scan, you can start a malware scan request for your Amazon EC2 instance even when it is currently in use. After you start an On-demand malware scan, GuardDuty creates snapshots of the Amazon EBS volumes attached to the Amazon EC2 instance whose Amazon Resource Name (ARN) was provided for the scan. Next, GuardDuty shares these snapshots with the GuardDuty service account. GuardDuty creates encrypted replica EBS volumes from those snapshots in the GuardDuty service account. For more information about how the Amazon EBS volumes are scanned, see Elastic Block Storage (EBS) volume.
Note
GuardDuty creates the snapshots of the data that has already been written to the Amazon EBS volumes at the point-in-time when you start an On-demand malware scan.
If malware is found and you've enabled the snapshots retention setting, the snapshots of your EBS volume are automatically retained in your AWS account. On-demand malware scan generates the Malware Protection for EC2 finding types. If malware is not found, then regardless of the snapshots retention setting, the snapshots of your EBS volumes are deleted.
GuardDuty uses a global tag key, GuardDutyExcluded, that you can add to your Amazon EC2 resources and set the tag value to true. This
Amazon EC2 resource that has this tag key and value pair will be excluded from the malware scan. Both the scan types (GuardDuty-initiated malware scan and On-demand malware scan) support the global tag. If you start an on-demand malware scan
on an Amazon EC2, a scan ID will be generated. However, the scan will be skipped
with an EXCLUDED_BY_SCAN_SETTINGS reason. For more information, see Reasons for skipping resource during malware
scan.
