Reporting S3 object scan result as false positive in Malware Protection for S3 - Amazon GuardDuty

A Malware Protection for S3 scan may identify an object as potentially malicious or harmful. If you believe that the indicated S3 object doesn't contain malware, report this malware scan result as a false positive.

You can submit a false positive report even when you use Malware Protection for S3 independently. In this case, GuardDuty is not designed to generate a finding. For information about checking scan status and result status, see Monitoring S3 object scans.

To report an S3 object malware scan result as false positive

To initiate the process, contact AWS Support. Use the following steps to provide details about the scanned S3 object:

  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. Depending on your use case, choose the appropriate steps:

    Using Malware Protection for S3 with GuardDuty
    1. In the navigation pane, choose Findings.

    2. On the Findings page, select the false positive finding to view its details.

    3. From the finding details, provide the Finding ID, Region, protected S3 bucket Name, and the scanned object Key.

      From the Item path details, provide the Hash of the object. This is required to ensure that GuardDuty has received the correct file.

    Using Malware Protection for S3 independently

    Provide the protected S3 bucket name, scanned object name, and the AWS Region.

  3. The AWS Support team will provide you with an Amazon Simple Storage Service (Amazon S3) presigned URL that you can use to upload the potentially malicious file and hash. For information about steps to upload the scanned object, see Uploading objects with presigned URLs in the Amazon S3 User Guide.

    Warning

    You must upload the required details within seven days of receiving the presigned URL. The URL becomes invalid after seven days. If you miss this seven-day window, reach out to AWS Support to request a new presigned URL.

  4. After uploading the S3 object, inform the AWS Support team.

AWS Support will acknowledge receipt of the object. The GuardDuty service team members will analyze your submission and take appropriate steps to improve your experience with Malware Protection for S3 and the GuardDuty service. The AWS Support team will continue to provide status updates on your case. GuardDuty keeps your S3 object for no more than 30 days.
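
A pre-upload check for steps 2 and 3 above, added here as an example and not part of the AWS documentation: it confirms that the local copy matches the Hash from the finding and that the presigned URL is still inside its validity window. Assumptions: the finding hash is a SHA-256 hex digest (this page does not name the algorithm), the URL carries the standard SigV4 `X-Amz-Date` and `X-Amz-Expires` query parameters, and the function names and sample URL are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL (placeholder host and key, no real signature).
SAMPLE_URL = ("https://example-bucket.s3.amazonaws.com/upload-key"
              "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=604800")


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large sample is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def presigned_url_expiry(url):
    """Compute the expiry time from the URL's SigV4 query parameters."""
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    signed_at = datetime.strptime(query["x-amz-date"], "%Y%m%dT%H%M%SZ")
    lifetime = timedelta(seconds=int(query["x-amz-expires"]))
    return signed_at.replace(tzinfo=timezone.utc) + lifetime


def check_submission(path, finding_hash, url, now=None):
    """Return a list of problems; an empty list means the upload can proceed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    local_hash = sha256_file(path)
    # Assumption: the finding's Hash is SHA-256 in hex.
    if not hmac.compare_digest(local_hash, finding_hash.strip().lower()):
        problems.append(f"hash mismatch: local copy is {local_hash}")
    expiry = presigned_url_expiry(url)
    if now >= expiry:
        problems.append(f"presigned URL expired at {expiry.isoformat()}")
    return problems


if __name__ == "__main__":
    print("sample URL expires:", presigned_url_expiry(SAMPLE_URL).isoformat())
```

A hash mismatch means the local file is not the object that was scanned; an expired URL means a new one must be requested from AWS Support.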