Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Monitoring scan statuses and results in GuardDuty Malware Protection
You can monitor the scan status of each GuardDuty Malware Protection scan. The possible values for Scan status are Completed, Running, Skipped, and Failed.

After a scan completes, the Scan result is populated for scans whose Status is Completed. Possible values for Scan result are Clean and Infected. Using Scan type, you can identify whether the malware scan was GuardDuty initiated or On demand.

Scan results for each malware scan have a retention period of 90 days. Choose your preferred access method to track the status of your malware scan.
- Console
  - Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  - In the navigation pane, choose Malware scans.
  - You can filter the malware scans by the following properties available in the filter criteria:
    - Scan ID
    - Account ID
    - EC2 instance ARN
    - Scan type
    - Scan status

    For information on properties used for filter criteria, see Finding details.
- API/CLI
  - After the malware scan has a scan result, you can filter the malware scans on the basis of EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME. The GUARDDUTY_FINDING_ID filter criterion is available only when the SCAN_TYPE is GuardDuty initiated. For information about any filter criterion, see Finding details.
  - You can change the example filter-criteria in the command below. Currently, you can filter on only one CriterionKey at a time. The options for CriterionKey are EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME. If you use the same CriterionKey as in the example below, be sure to replace the example EqualsValue with your own valid scan ID. Replace the example detector-id with your own valid detector ID. You can change max-results (up to 50) and sort-criteria; AttributeName is mandatory and must be scanStartTime.
    aws guardduty describe-malware-scans \
        --detector-id 60b8777933648562554d637e0e4bb3b2 \
        --max-results 1 \
        --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' \
        --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}]}'
  - The response of this command displays a maximum of one result, with details about the affected resource and the malware findings (if Infected).
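The API/CLI procedure above, as an added Python example that is not part of this documentation or of the GuardDuty service: it builds the describe-malware-scans parameters under the constraints the page states (one CriterionKey per call, max-results up to 50, AttributeName fixed to scanStartTime), follows NextToken until all matching scans are collected, and buckets the returned scans by the action each status and result calls for, so that Skipped and Failed scans are not mistaken for Clean ones. Assumptions: the response field names (Scans, ScanId, ScanStatus, ScanResultDetails, ScanStartTime, NextToken) follow the DescribeMalwareScans API as this example assumes it, `_FakeClient` stands in for a boto3 GuardDuty client, the "expiring" bucket (one week before the 90-day retention runs out) is this example's own operational choice, and every sample scan record is constructed.

```python
"""Added example (not GuardDuty documentation code): build a DescribeMalwareScans
request under the page's stated constraints and triage the scans it returns.
Field names assume the DescribeMalwareScans API response shape; sample data is
constructed."""
from datetime import datetime, timedelta, timezone

CRITERION_KEYS = {"EC2_INSTANCE_ARN", "SCAN_ID", "ACCOUNT_ID", "SCAN_TYPE",
                  "GUARDDUTY_FINDING_ID", "SCAN_STATUS", "SCAN_START_TIME"}
MAX_RESULTS_LIMIT = 50   # documented upper bound for --max-results
RETENTION_DAYS = 90      # documented retention of scan results


def build_request(detector_id, criterion_key, value, condition="EqualsValue",
                  max_results=MAX_RESULTS_LIMIT, order_by="DESC"):
    """Return kwargs for describe_malware_scans(): exactly one CriterionKey,
    max_results within 1..50, sort attribute fixed to scanStartTime."""
    if criterion_key not in CRITERION_KEYS:
        raise ValueError(f"unsupported CriterionKey: {criterion_key}")
    if condition not in ("EqualsValue", "GreaterThan", "LessThan"):  # assumed condition names
        raise ValueError(f"unsupported FilterCondition: {condition}")
    if not 1 <= max_results <= MAX_RESULTS_LIMIT:
        raise ValueError("max_results must be between 1 and 50")
    if order_by not in ("ASC", "DESC"):
        raise ValueError("order_by must be ASC or DESC")
    return {
        "DetectorId": detector_id,
        "MaxResults": max_results,
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": order_by},
        "FilterCriteria": {"FilterCriterion": [
            {"CriterionKey": criterion_key, "FilterCondition": {condition: value}}]},
    }


def fetch_all(client, **params):
    """Follow NextToken until every matching scan is collected.
    `client` is a boto3 GuardDuty client or any object with the same method."""
    scans = []
    while True:
        resp = client.describe_malware_scans(**params)
        scans.extend(resp.get("Scans", []))
        if not resp.get("NextToken"):
            return scans
        params["NextToken"] = resp["NextToken"]


def triage(scans, now=None):
    """Bucket scans by the operator action they call for:
    infected  -> Completed + Infected: contain the instance, follow the finding
    clean     -> Completed + Clean
    pending   -> Running: poll again later
    unscanned -> Skipped or Failed: the resource has NOT been checked
    expiring  -> started more than (RETENTION_DAYS - 7) days ago: export before
                 the 90-day retention removes the result (this example's choice)"""
    now = now or datetime.now(timezone.utc)
    out = {"infected": [], "clean": [], "pending": [], "unscanned": [], "expiring": []}
    for s in scans:
        sid, status = s["ScanId"], s.get("ScanStatus")
        if status == "COMPLETED":
            result = s.get("ScanResultDetails", {}).get("ScanResult")
            out["infected" if result == "INFECTED" else "clean"].append(sid)
        elif status == "RUNNING":
            out["pending"].append(sid)
        else:  # SKIPPED or FAILED: no verdict exists for this resource
            out["unscanned"].append(sid)
        started = s.get("ScanStartTime")
        if started and now - started > timedelta(days=RETENTION_DAYS - 7):
            out["expiring"].append(sid)
    return out


# Constructed sample data (not real GuardDuty output).
_ARN = "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0123456789abcdef0"
SAMPLE_RESPONSE = {"Scans": [
    {"ScanId": "scan-a", "AccountId": "123456789012", "ScanStatus": "COMPLETED",
     "ScanType": "GUARDDUTY_INITIATED", "TriggerDetails": {"GuardDutyFindingId": "finding-a"},
     "ResourceDetails": {"InstanceArn": _ARN}, "ScanResultDetails": {"ScanResult": "INFECTED"},
     "ScanStartTime": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"ScanId": "scan-b", "AccountId": "123456789012", "ScanStatus": "COMPLETED",
     "ScanType": "ON_DEMAND", "ResourceDetails": {"InstanceArn": _ARN},
     "ScanResultDetails": {"ScanResult": "CLEAN"},
     "ScanStartTime": datetime(2024, 8, 20, tzinfo=timezone.utc)},
    {"ScanId": "scan-c", "AccountId": "123456789012", "ScanStatus": "RUNNING",
     "ScanType": "ON_DEMAND", "ResourceDetails": {"InstanceArn": _ARN},
     "ScanStartTime": datetime(2024, 8, 28, tzinfo=timezone.utc)},
    {"ScanId": "scan-d", "AccountId": "123456789012", "ScanStatus": "SKIPPED",
     "ScanType": "GUARDDUTY_INITIATED", "ResourceDetails": {"InstanceArn": _ARN},
     "ScanStartTime": datetime(2024, 8, 29, tzinfo=timezone.utc)},
]}
AS_OF = datetime(2024, 8, 30, tzinfo=timezone.utc)  # fixed "now" for the demo


class _FakeClient:
    """Stand-in for boto3.client('guardduty'); returns the single constructed page."""
    def describe_malware_scans(self, **params):
        return SAMPLE_RESPONSE


def demo():
    """Filter by instance ARN (hypothetical detector ID) and triage the result."""
    req = build_request("60b8777933648562554d637e0e4bb3b2", "EC2_INSTANCE_ARN", _ARN, max_results=10)
    return triage(fetch_all(_FakeClient(), **req), now=AS_OF)


if __name__ == "__main__":
    print(demo())
```

To run against a real account, replace `_FakeClient()` with `boto3.client("guardduty")`; `build_request` rejects a second CriterionKey or a max-results above 50 before the call is made, and `triage` keeps Skipped and Failed scans in their own bucket so an instance with no verdict is never reported as clean.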