Monitoring scan statuses and results in GuardDuty Malware Protection - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Monitoring scan statuses and results in GuardDuty Malware Protection

You can monitor the scan status of each GuardDuty Malware Protection scan. The possible values for scan Status are Completed, Running, Skipped, and Failed.

After the scan completes, the Scan result is populated for scans whose Status is Completed. Possible values for Scan result are Clean and Infected.

Scan results for each malware scan are retained for 90 days. You can view these details using either the GuardDuty console or the API described below.

Console
  1. Log in to the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Malware scans.

  3. You can filter the malware scans by the following Properties available in the filter criteria.

    • Scan ID

    • Account ID

    • EC2 instance ARN

    • Scan status

    For information on properties used for filter criteria, see Finding details.

API
  • After the malware scan is complete, you can filter the malware scans on the basis of EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    For information on the filter criteria, see Finding details.

  • You can change the example filter-criteria in the command below. Presently, you can filter on the basis of one CriterionKey at a time. The options for CriterionKey are EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    If you use the same CriterionKey as in the example below, make sure to replace the example EqualsValue with your own valid scan-id.

    Replace the example detector-id with your own valid detector-id. You can change the max-results (up to 50) and the sort-criteria. The AttributeName is mandatory and must be scanStartTime.

    aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'
  • The response of this command displays a maximum of one result with details about the affected resource and malware findings (if Infected).
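The same query as a script, added here as an example and not taken from the AWS documentation: it calls the boto3 method describe_malware_scans with the constraints stated above (one CriterionKey per call, MaxResults at most 50, sort on scanStartTime), follows NextToken pagination, and summarises which Completed scans came back Infected. The client object, detector ID and any response data you feed it are assumptions; a stub with the same method name runs it offline.

```python
"""Page through GuardDuty DescribeMalwareScans results and summarise them.
Added example; `client` is boto3.client("guardduty") or any stub with a
describe_malware_scans(**kwargs) method returning the same response shape."""
from collections import Counter

# CriterionKey values the page lists; only one may be used per request.
CRITERION_KEYS = {"EC2_INSTANCE_ARN", "SCAN_ID", "ACCOUNT_ID",
                  "GUARDDUTY_FINDING_ID", "SCAN_STATUS", "SCAN_START_TIME"}


def build_filter(criterion_key, equals_value):
    """FilterCriteria for a single EqualsValue match, as in the CLI example."""
    if criterion_key not in CRITERION_KEYS:
        raise ValueError(f"unsupported CriterionKey: {criterion_key}")
    return {"FilterCriterion": [{"CriterionKey": criterion_key,
                                 "FilterCondition": {"EqualsValue": equals_value}}]}


def list_scans(client, detector_id, criterion_key, equals_value, page_size=50):
    """Yield every matching scan, newest first, following NextToken pages."""
    if not 1 <= page_size <= 50:          # the API caps max-results at 50
        raise ValueError("page_size must be between 1 and 50")
    kwargs = {
        "DetectorId": detector_id,
        "MaxResults": page_size,
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": "DESC"},
        "FilterCriteria": build_filter(criterion_key, equals_value),
    }
    while True:
        resp = client.describe_malware_scans(**kwargs)
        yield from resp.get("Scans", [])
        token = resp.get("NextToken")
        if not token:                     # last page reached
            return
        kwargs["NextToken"] = token


def summarise(scans):
    """Return (count per ScanStatus, instance ARNs whose result is INFECTED).

    Only COMPLETED scans carry a ScanResult, so FAILED and SKIPPED scans are
    counted but can never appear in the infected list.
    """
    by_status = Counter(s.get("ScanStatus", "UNKNOWN") for s in scans)
    infected = [
        s.get("ResourceDetails", {}).get("InstanceArn", s.get("ScanId"))
        for s in scans
        if s.get("ScanStatus") == "COMPLETED"
        and s.get("ScanResultDetails", {}).get("ScanResult") == "INFECTED"
    ]
    return dict(by_status), infected
```

Review the FAILED count alongside the infected list: a failed or skipped scan is a coverage gap on that instance, not a clean result.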