How does Malware Protection for Backup work?
This section describes components of Malware Protection for Backup, how it works, and how you can review the malware scan status and result.
Overview
Malware Protection for Backup is a feature that helps you detect the presence of malware on EBS snapshots, EC2 images (AMI), and Recovery Points belonging to EBS, EC2, and S3 resource types. You can start an on-demand malware scan either through the GuardDuty console or API by passing in an IAM role that provides the permissions required for the scan, along with one or two resource ARNs depending on the scan category. There are two scan categories possible - full scans and incremental scans.
Full scan and Incremental scan
A full scan is where the API will accept a resource ARN and scan all the files within that resource. An incremental scan, on the other hand, takes two resource ARNs, both belonging to the same resource, and scans only the files that changed between them. As an example, let's assume we take a snapshot of an EBS volume. Let's call it snapshot-1. If a full scan is done on this snapshot, GuardDuty scans all the files contained within this snapshot. Now let's assume that a few files were added to the same volume, and a new snapshot is taken. Let's call it snapshot-2. Since only a few files have changed between snapshot-1 and snapshot-2, one can trigger an incremental scan with these two snapshots' resource ARNs. In this case snapshot-2 is referred to as the target resource, and snapshot-1 is referred to as the base resource. You will see this terminology used in the rest of the document. This incremental scan will scan the changed files between snapshot-1 and snapshot-2.
Rescanning Previously Infected Files in an Incremental Scan
As part of an incremental scan, GuardDuty will also rescan the previously infected files from the base scan for up to 90 days.
Requirements for an Incremental Scan
The following requirements must be met for GuardDuty to perform an incremental scan. If any of these requirements are not met, GuardDuty will skip the scan.
- Base resource must be scanned within the last 90 days and the scan result must be in COMPLETED or COMPLETED_WITH_ISSUES.
- Base resource must have a creation date that is earlier than that of the target resource.
- The base and target resources must have the same encryption type in case of snapshots.
- The base and target resources must be from the same lineage.
  - For an EBS snapshot and EBS recovery point, this means that they either come from the same volume, or are copies of the same volume, without any change in the encryption type.
  - For an S3 Recovery Point, the base and target resource ARNs must be created from the same underlying S3 bucket.
  - In case of AMIs, pairs of snapshots are compared between the base and target AMI to identify snapshots for an incremental scan. Each pair of snapshots needs to meet the above-mentioned conditions. Any snapshot within the target AMI that does not have a corresponding matching snapshot in the base AMI will be skipped.
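The requirements above can be checked before a scan request is submitted. The following Python is an added example, not code from the GuardDuty documentation or service; the Snapshot and ScanRecord shapes, the "lineage" field and the blocker messages are assumptions for this illustration, and the AMI planner applies the same pairing rule the page describes (target snapshots without a base counterpart are skipped).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

INCREMENTAL_WINDOW = timedelta(days=90)            # base scan must be within the last 90 days
ELIGIBLE = {"COMPLETED", "COMPLETED_WITH_ISSUES"}  # acceptable base scan statuses

@dataclass(frozen=True)
class Snapshot:
    arn: str
    lineage: str           # source volume id (assumed field); a copy of a volume keeps its lineage
    created_at: datetime
    encrypted: bool        # encryption type must match between base and target

@dataclass(frozen=True)
class ScanRecord:
    status: str
    scanned_at: datetime

def incremental_blockers(base, target, base_scan, now):
    """Unmet requirements for scanning target incrementally against base; [] means eligible."""
    blockers = []
    if base_scan is None or now - base_scan.scanned_at > INCREMENTAL_WINDOW:
        blockers.append("base not scanned within the last 90 days")
    elif base_scan.status not in ELIGIBLE:
        blockers.append(f"base scan status {base_scan.status} is not COMPLETED/COMPLETED_WITH_ISSUES")
    if base.created_at >= target.created_at:
        blockers.append("base was not created before target")
    if base.encrypted != target.encrypted:
        blockers.append("encryption type differs")
    if base.lineage != target.lineage:
        blockers.append("base and target are not from the same lineage")
    return blockers

def plan_ami_incremental(base_snaps, target_snaps, scans, now):
    """Pair each target-AMI snapshot with the base-AMI snapshot of the same lineage and
    check the pair; a target snapshot with no base counterpart is skipped."""
    by_lineage = {s.lineage: s for s in base_snaps}
    plan = {}
    for t in target_snaps:
        b = by_lineage.get(t.lineage)
        if b is None:
            plan[t.arn] = ["skipped: no matching snapshot in base AMI"]
        else:
            plan[t.arn] = incremental_blockers(b, t, scans.get(b.arn), now)
    return plan
```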
Re-scanning previously scanned backup Resources
You can start a new on-demand malware scan on the same resource after 10 minutes from the start time of the previous malware scan. If the new malware scan gets started within 10 minutes of initiation of the previous malware scan, your request will result in the following error, and no scan ID will get generated for this request. The steps to re-scan the instance remain the same as starting an on-demand malware scan for the first time.
IAM Role Required for Scanning
You need to pass in an IAM role in order to start a full or incremental scan. This role provides the permissions required for performing the scan operations. GuardDuty Malware Protection for Backup: IAM Role Permissions provides the exact list of permissions required, along with the relevant trust policy that is needed to perform the scan.
Reviewing Resource scan status and result
GuardDuty publishes the scan result event to the Amazon EventBridge default event bus. GuardDuty uses at-least-once delivery, which means you might receive multiple scan results for the same object. We recommend designing your applications to handle duplicate results. You're billed only once for each scanned object.
For more information, see Monitoring scan statuses and results in Malware Protection for Backup.
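Because delivery is at-least-once, the consumer of these events should be idempotent. The following Python is an added example, not code from the GuardDuty documentation; the field names under "detail" in the constructed sample events are assumptions for this illustration rather than GuardDuty's published event schema, and the in-memory set stands in for a durable store.

```python
class ScanResultConsumer:
    """Idempotent consumer for scan-result events: each (scanId, scanStatus) pair is
    processed once and any redelivery is dropped. In a real deployment back `seen`
    with a durable store (for example a conditional write); a set is used here."""

    def __init__(self):
        self.seen = set()
        self.processed = []

    def handle(self, event):
        if event.get("source") != "aws.guardduty":
            return "ignored"
        d = event["detail"]
        key = (d["scanId"], d["scanStatus"])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        self.processed.append(d)   # downstream work (ticketing, tagging) happens once
        return "processed"

# Constructed sample events. The names under "detail" are an assumption for this
# example, not GuardDuty's published schema; the second event is a redelivery.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail": {"scanId": "scan-0001",
     "resourceArn": "arn:aws:ec2:us-east-1:111122223333:snapshot/snap-1", "scanStatus": "COMPLETED"}},
    {"source": "aws.guardduty", "detail": {"scanId": "scan-0001",
     "resourceArn": "arn:aws:ec2:us-east-1:111122223333:snapshot/snap-1", "scanStatus": "COMPLETED"}},
    {"source": "aws.guardduty", "detail": {"scanId": "scan-0002",
     "resourceArn": "arn:aws:ec2:us-east-1:111122223333:snapshot/snap-2", "scanStatus": "COMPLETED_WITH_ISSUES"}},
    {"source": "aws.backup", "detail": {}},
]

def consume(events=SAMPLE_EVENTS):
    """Run the consumer over a batch and return (per-event outcomes, processed details)."""
    c = ScanResultConsumer()
    outcomes = [c.handle(e) for e in events]
    return outcomes, c.processed
```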
Reviewing generated findings
Reviewing the findings depends on whether or not you are using Malware Protection for Backup with GuardDuty. Consider the following scenarios:
Using Malware Protection for Backup when you have GuardDuty service enabled (detector ID)
If the malware scan detects a potentially malicious file in a scanned Backup resource, GuardDuty will generate an associated finding. You can view the finding details and use the recommended steps to potentially remediate the finding. Based on your Export findings frequency, the generated finding gets exported to an S3 bucket and Amazon EventBridge event bus.
For information about the finding type that would get generated, see Malware Protection for Backup finding types.
Using Malware Protection for Backup as an independent feature (no detector ID)
GuardDuty will not be able to generate findings because there is no associated detector ID. To know the scan status for your backup resource, you can view the scan result that GuardDuty automatically publishes to your default event bus.
For information about the scan status and result, see Monitoring scan statuses and results in Malware Protection for Backup.
Note
If you are also using Malware Protection for S3, there is a possibility that your S3 file was previously tagged as NO_THREATS_FOUND and yet the same file could show up in the list of threats for the Backup Recovery Point that object belongs to. This happens since the service frequently updates its malware signatures, which may have changed the status of the file. Please note that in such cases GuardDuty does not go back and update the tag on the file in the original S3 bucket. The only way to get an updated tag applied on the file is by reuploading the object to the bucket or using the on-demand scan feature for S3.