AMS uses Trend Micro’s Deep Security Platform (anti-malware system) to detect and respond to malware on your AMS-managed instances. By default, the Trend Micro detection agent runs on all Amazon EC2 instances, including those in the shared services and private subnets, for both Windows and Linux operating systems. The anti-malware system is connected to AMS monitoring so that an event is generated whenever malware is detected. If there is customer impact, the event is escalated to the incident management process (for details, see AMS incident response). While AMS assesses the impact, you are notified and AMS attempts to mitigate it.
Trend Micro anti-malware definitions are updated automatically when Trend Micro publishes updates.
During application onboarding, you indicate the action you want AMS to take when malware is found on an instance:

- Add the quarantined file to the allow list, removing it from quarantine and releasing it back to the file system.
- Delete the quarantined file, removing it from the instance.
- Suspend the instance and replace it. The suspended instance is then available to you to mount for forensic research.
After application onboarding:

- When the anti-malware system discovers malware on an instance, AMS automatically quarantines the malware. This triggers an event and a follow-up investigation.
- AMS notifies you of the event through a service notification and begins the default mitigation action that you selected.
- If you haven't chosen a default action, AMS asks you which action to take. After receiving your instructions, AMS runs the selected action and notifies you. AMS notifies you again after the action is complete, including details needed for forensic analysis, if applicable.