Monitoring scan statuses and results in GuardDuty Malware Protection - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Monitoring scan statuses and results in GuardDuty Malware Protection

You can monitor the scan status of each GuardDuty Malware Protection scan. The possible values for scan Status are Completed, Running, Skipped, and Failed.

After the scan completes, the Scan result is populated for scans that have the Status as Completed. Possible values for Scan result are Clean and Infected. Using Scan type, you can identify if the malware scan was GuardDuty initiated or On demand.

Scan results for each malware scan has a retention period of 90 days. Choose your preferred access method to track the status of your malware scan.

Console

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Malware scans.

  3. You can filter the malware scans by the following Properties available in the filter criteria.

    • Scan ID

    • Account ID

    • EC2 instance ARN

    • Scan type

    • Scan status

    For information on properties used for filter criteria, see Finding details.

API/CLI

  • After the malware scan has a scan result, you can filter the malware scans on the basis of EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    The GUARDDUTY_FINDING_ID filter criteria is available when the SCAN_TYPE is GuardDuty initiated. For information about any filter criteria, see Finding details.

  • You can change the example filter-criteria in the command below. Presently, you can filter on the basis of one CriterionKey at a time. The options for CriterionKey are EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    If you use the same CriterionKey as below, ensure to replace the example EqualsValue with your own valid Amazon scan-id.

    Replace the example detector-id with your own valid detector-id. You can change the max-results (up to 50) and the sort-criteria. The AttributeName is mandatory and must be scanStartTime. 

    aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'

  • The response of this command displays a maximum of one result with details about the affected resource and malware findings (if Infected).