GuardDuty-initiated malware scan - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

GuardDuty-initiated malware scan

With GuardDuty-initiated malware scan enabled, whenever GuardDuty detects malicious activity that indicates the potential presence of malware in your Amazon EC2 instance or container workload and GuardDuty generates Findings that invoke GuardDuty-initiated malware scan, GuardDuty automatically initiates an agentless scan on the Amazon Elastic Block Store (Amazon EBS) volumes attached to the potentially impacted Amazon EC2 instance or container workload to detect the presence of malware. With scan options, you can add inclusion tags associated with the resources that you want to scan or add exclusion tags associated with the resources that you want to skip from the scanning process. An automatic scan initiation will always consider your scan options. You can also choose to turn on the snapshots retention setting to retain the snapshots of your EBS volumes only if Malware Protection detects the presence of malware. For more information, see Customizations in Malware Protection.

For each Amazon EC2 instance and container workload for which GuardDuty generates findings, an automatic GuardDuty-initiated malware scan gets invoked once every 24 hours. For information about how the Amazon EBS volumes attached to your Amazon EC2 instance or container workload are scanned, see Feature in Malware Protection.

The following image describes how GuardDuty-initiated malware scan works.

   To initiate automatic scans on your EC2 containers and EBS volumes, turn on GuardDuty-initiated malware scan
    with a single click. The scan takes place offline with no impact on performance. Similar
    to other GuardDuty findings, you can review malware-related findings by integrating with
    Security Hub, EventBridge, and Detective.

When malware is found, GuardDuty generates Malware Protection finding types. If GuardDuty doesn't generate a finding indicative of malware on the same resource, no GuardDuty-initiated malware scan will be invoked. You can also initiate an On-demand malware scan on the same resource. For more information, see On-demand malware scan.

How 30-day free trial period affects GuardDuty accounts

You can choose to turn on or turn off the GuardDuty-initiated malware scan functionality for any account or available Amazon Web Services Regions, at any time.

  • When you activate GuardDuty for the first time (new GuardDuty account), GuardDuty-initiated malware scan is already turned on and included in the 30-day free trial period.

  • The existing GuardDuty accounts can turn on GuardDuty-initiated malware scan for the first time with a 30-day free trial period.

  • If you've an existing GuardDuty account that has been using Malware Protection before On-demand malware scan was generally available and this GuardDuty account already uses the pricing model for its Amazon Web Services Region, no action is needed to continue using GuardDuty-initiated malware scan.


If you're on a 30-day free trial period, the usage cost for creating the Amazon EBS volume snapshots and their retention will still apply. For more information, see Amazon EBS pricing.

For information about enabling GuardDuty-initiated malware scan, see Configuring GuardDuty-initiated malware scan.