Getting started with On-demand malware scan - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with On-demand malware scan

As a GuardDuty administrator account, you can initiate an on-demand malware scan on behalf of your active member accounts that have the following prerequisites set up in their accounts. Standalone accounts and active member accounts in GuardDuty can also initiate an on-demand malware scan for their own Amazon EC2 instances.

Prerequisites

  • GuardDuty must be enabled in the Amazon Web Services Regions where you want to initiate the on-demand malware scan.

  • Ensure that the Amazon managed policy: AmazonGuardDutyFullAccess is attached to the IAM user or the IAM role. You will need the access key and secret key associated with the IAM user or the IAM role.

  • As a delegated GuardDuty administrator account, you have the option to initiate an on-demand malware scan on behalf of an active member account.

  • If you're a member account that doesn't have the service-linked role (SLR) permissions for Malware Protection, then initiating an on-demand malware scan for an Amazon EC2 instance that belongs to your account will automatically create the SLR for Malware Protection.

Important

Ensure that no one deletes the SLR permissions for Malware Protection while a malware scan, whether GuardDuty-initiated or on-demand, is still in progress. Doing so will prevent the scan from completing successfully and providing a definite scan result.

Before you initiate an on-demand malware scan, make sure that no scan was initiated on the same resource in the past 1 hour; otherwise, it will be de-duped. For more information, see Re-scanning the same resource.

Initiating On-demand malware scan

Choose your preferred access method to initiate an on-demand malware scan.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. Initiate the scan using one of the following options:

    1. Using the Malware Protection page:

      1. In the navigation pane, under Protection plans, choose Malware Protection.

      2. On the Malware Protection page, provide the Amazon EC2 instance ARN¹ for which you want to initiate the scan.

    2. Using the Malware Scans page:

      1. In the navigation pane, choose Malware Scans.

      2. Choose Start on-demand scan and provide the Amazon EC2 instance ARN¹ for which you want to initiate the scan.

      3. If this is a re-scan, select an Amazon EC2 instance ID on the Malware Scans page.

        Expand the Start on-demand scan dropdown and choose Re-scan selected instance.

  3. After you successfully initiate a scan using either method, a scan ID gets generated. You can use this scan ID to track the progress of the scan. For more information, see Monitoring malware scan statuses and results.

API/CLI

Invoke StartMalwareScan, which accepts the resourceArn of the Amazon EC2 instance¹ for which you want to initiate an on-demand malware scan.

aws guardduty start-malware-scan --resource-arn "arn:aws-cn:ec2:us-east-1:555555555555:instance/i-b188560f"

After you successfully initiate a scan, StartMalwareScan returns a scanId. Invoke DescribeMalwareScans to monitor the progress of the initiated scan.

¹ For information about the format of your Amazon EC2 instance ARN, see Amazon Resource Name (ARN). For Amazon EC2 instances, you can use the following example ARN format by replacing the values for the partition, Region, Amazon Web Services account ID, and Amazon EC2 instance ID. For information about length of your instance ID, see Resource IDs.

arn:aws-cn:ec2:us-east-1:555555555555:instance/i-b188560f

Re-scanning the same Amazon EC2 instance

Whether a scan is GuardDuty-initiated or on-demand, you can initiate a new on-demand malware scan on the same EC2 instance after 1 hour from the start time of the previous malware scan. If the new malware scan gets initiated within 1 hour of initiation of the previous malware scan, your request will result in the following error, and no scan ID will get generated for this request.

A scan was initiated on this resource recently. You can request a scan on the same resource one hour after the previous scan start time.

For information about how to initiate a new scan on the same resource, see Initiating On-demand malware scan.

To track the status of the malware scans, see Monitoring scan statuses and results in GuardDuty Malware Protection.
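
The one-hour re-scan rule and the instance ARN format described above can be checked before calling StartMalwareScan. The following is an added example, not part of the Amazon Web Services documentation. It assumes boto3 with credentials for an account where GuardDuty is enabled, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# EC2 instance ARN: arn:<partition>:ec2:<region>:<12-digit account>:instance/<id>.
# Instance IDs are "i-" followed by 8 or 17 hexadecimal characters.
ARN_RE = re.compile(
    r"arn:(?P<partition>aws[a-z-]*):ec2:(?P<region>[a-z0-9-]+):"
    r"(?P<account>[0-9]{12}):instance/(?P<instance>i-(?:[0-9a-f]{8}|[0-9a-f]{17}))"
)
RESCAN_WINDOW = timedelta(hours=1)  # counted from the previous scan's start time


def parse_instance_arn(arn):
    """Return the ARN's fields, or raise ValueError if it is not an instance ARN."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        raise ValueError(f"not an EC2 instance ARN: {arn!r}")
    return m.groupdict()


def seconds_until_rescan(scans, arn, now):
    """Seconds left in the 1-hour window for arn; 0 means a new scan may start.
    scans is the "Scans" list of a DescribeMalwareScans response."""
    starts = [s["ScanStartTime"] for s in scans
              if s.get("ResourceDetails", {}).get("InstanceArn") == arn
              and "ScanStartTime" in s]
    if not starts:
        return 0
    remaining = max(starts) + RESCAN_WINDOW - now
    return max(0, int(remaining.total_seconds()))


def start_scan_if_allowed(arn):
    """Start an on-demand scan unless one began in the last hour; return scanId or None."""
    import boto3  # imported here so the helpers above work without AWS access
    gd = boto3.client("guardduty", region_name=parse_instance_arn(arn)["region"])
    detector_id = gd.list_detectors()["DetectorIds"][0]
    # Assumption: the first page of results is enough; paginate for long scan histories.
    scans = gd.describe_malware_scans(
        DetectorId=detector_id,
        FilterCriteria={"FilterCriterion": [{
            "CriterionKey": "EC2_INSTANCE_ARN",
            "FilterCondition": {"EqualsValue": arn}}]},
    )["Scans"]
    wait = seconds_until_rescan(scans, arn, datetime.now(timezone.utc))
    if wait:
        print(f"previous scan started less than 1 hour ago; retry in {wait}s")
        return None
    return gd.start_malware_scan(ResourceArn=arn)["ScanId"]
```

Because the window applies to GuardDuty-initiated scans as well as on-demand ones, the check reads every scan that DescribeMalwareScans returns for the instance rather than only the scans this script started.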