Reporting false positives in GuardDuty Malware Protection - Amazon GuardDuty

Reporting false positives in GuardDuty Malware Protection

GuardDuty Malware Protection scans may identify a harmless file in your Amazon EC2 instance or container workload as being malicious or harmful. To improve your experience with Malware Protection and the GuardDuty service, you can report false positive results if you believe that a file identified as being malicious or harmful during a scan doesn't actually contain malware.

False positive file submission

  1. Log in to the https://console.amazonaws.cn/guardduty/ console.

  2. When you identify what appears to be a false positive result, contact Amazon Web Services Support to initiate the process of false positive file submission.

  3. Choose Malware Scans.

  4. Choose a scan to view its Finding ID.

  5. Provide the Finding ID. You must also provide the SHA-256 hash of the file. This is required to ensure that GuardDuty Malware Protection has received the correct file.

  6. The Amazon Web Services Support team will provide you with an Amazon Simple Storage Service (S3) URL that you can use to upload the file and SHA-256 hash. Inform the Amazon Web Services Support team after you have successfully uploaded the file.

    Warning

    Do not directly provide the file or SHA-256 hash to Amazon Web Services Support. You should only upload the file and hash to Amazon S3 through the provided URL. If you fail to upload the file and hash within seven days of receiving the URL, it will become invalid. If the URL becomes invalid, you'll have to reach out to Amazon Web Services Support to receive a new URL.

    GuardDuty keeps your file for no more than 30 days. GuardDuty team members will analyze your submission and take appropriate steps to improve your experience with Malware Protection and the GuardDuty service.
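One way to produce the SHA-256 hash for step 5 and confirm that the copy you are about to upload is the file the scan flagged (an added example, not AWS code). It assumes the finding JSON has the shape returned by `aws guardduty get-findings` and that the `Hash` recorded under `EbsVolumeScanDetails` is a SHA-256 hex digest; the sample finding, its ID, threat name and path are constructed.

```python
import hashlib
import os
import tempfile

# Constructed sample: file bytes and a finding trimmed to the fields used here.
# The Id, threat name and path are placeholders, not real values.
SAMPLE_CONTENT = b"harmless installer bytes (constructed)\n"
SAMPLE_FINDING = {
    "Id": "EXAMPLE-FINDING-ID",
    "Service": {"EbsVolumeScanDetails": {"ScanDetections": {"ThreatDetectedByName": {
        "ThreatNames": [{"Name": "EXAMPLE-THREAT-NAME", "FilePaths": [{
            "FilePath": "/opt/tools/setup.bin",
            "Hash": hashlib.sha256(SAMPLE_CONTENT).hexdigest()}]}]}}}},
}


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks; it is only read as bytes, never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def flagged_files(finding):
    """Yield (file path, lowercase hash) for each file flagged in the finding."""
    scan = finding.get("Service", {}).get("EbsVolumeScanDetails", {})
    by_name = scan.get("ScanDetections", {}).get("ThreatDetectedByName", {})
    for threat in by_name.get("ThreatNames", []):
        for entry in threat.get("FilePaths", []):
            yield entry.get("FilePath"), (entry.get("Hash") or "").lower()


def prepare_submission(finding, local_copy):
    """Return the Finding ID and SHA-256 to give to Support, plus the flagged
    paths whose recorded hash equals the hash of the local copy."""
    digest = sha256_file(local_copy)
    matched = [path for path, recorded in flagged_files(finding) if recorded == digest]
    return {"finding_id": finding["Id"], "sha256": digest, "matched_paths": matched}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "setup.bin")
        with open(copy, "wb") as fh:
            fh.write(SAMPLE_CONTENT)
        print(prepare_submission(SAMPLE_FINDING, copy))
```

An empty `matched_paths` means the local copy differs from what the scan recorded, so retrieve the file again before uploading it.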