Monitoring scan statuses and results in Malware Protection for EC2 - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Monitoring scan statuses and results in Malware Protection for EC2

After a malware scan is initiated on an Amazon EC2 instance, GuardDuty populates the scan status and scan result fields automatically. You can monitor the status as it transitions and see whether malware was detected. The following table lists the possible values associated with a malware scan.

Category       Possible values
-------------  --------------------------------------
Scan status    Running, Completed, Skipped, or Failed
Scan result*   Clean or Infected
Scan type      GuardDuty initiated or On demand

*Scan result is populated only when the scan status becomes Completed. The scan result Infected means that GuardDuty detected the presence of malware. A Running, Skipped, or Failed scan has no scan result.

Scan results for each malware scan are retained for 90 days. Choose your preferred access method to track the status of your malware scans.

Console
  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose EC2 malware scans.

  3. You can filter the malware scans by the following Properties available in the filter search bar.

    • Scan ID – Unique identifier associated with the EC2 malware scan.

    • Account ID – Amazon Web Services account ID in which the malware scan was initiated.

    • EC2 instance ARN – Amazon Resource Name (ARN) of the Amazon EC2 instance that was scanned.

    • Scan status – The status of the scan of the instance's EBS volumes: Running, Completed, Skipped, or Failed.

    • Scan type – Indicates whether this was an On-demand malware scan or a GuardDuty-initiated malware scan.

API/CLI
  • After the malware scan has a scan result, use DescribeMalwareScans to filter the malware scans on the basis of EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    The GUARDDUTY_FINDING_ID filter criteria is available when the SCAN_TYPE is GuardDuty initiated.

  • You can change the example filter-criteria in the command below. Presently, you can filter on the basis of only one CriterionKey per request. The options for CriterionKey are EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, and SCAN_START_TIME.

    You can change the max-results (up to 50) and the sort-criteria. The AttributeName is mandatory and must be scanStartTime.

    In the following example, the detector-id and EqualsValue are placeholders. Replace them with the values appropriate for your account. For example, replace the example detector-id 60b8777933648562554d637e0e4bb3b2 with your own valid detector-id. If you use the same CriterionKey as below, make sure to replace the example EqualsValue with your own valid scan-id.

    aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'
  • The response of this command displays a maximum of one result with details about the affected resource and malware findings (if Infected).
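The single CLI call above returns at most one page of results. To track every scan for a detector you have to follow NextToken across pages, read the scan result only for scans whose status is Completed, and surface the Infected and Failed ones. The following script is an added example, not code from the GuardDuty documentation: it calls DescribeMalwareScans through boto3 (assumed installed and configured) when given a detector ID on the command line, and otherwise runs offline against a constructed fake client whose two sample pages imitate the response shape. The sample scan IDs, ARNs, finding ID and FailureReason value are made up for illustration.

```python
"""Track EC2 malware scan statuses and results with DescribeMalwareScans.

Added example, not AWS documentation code. The paging and summarizing logic
accepts any object with a describe_malware_scans(**kwargs) method, so it can
be exercised offline on the constructed FakeClient below.
"""
from collections import Counter

# CriterionKey values the page lists; the API accepts one criterion per request.
VALID_KEYS = {"EC2_INSTANCE_ARN", "SCAN_ID", "ACCOUNT_ID", "SCAN_TYPE",
              "GUARDDUTY_FINDING_ID", "SCAN_STATUS", "SCAN_START_TIME"}


def build_filter(key, equals=None, greater_than=None, less_than=None):
    """Build the FilterCriteria structure for exactly one CriterionKey.

    String-valued keys use EqualsValue; SCAN_START_TIME is filtered with
    GreaterThan/LessThan (assumed to be epoch milliseconds).
    """
    if key not in VALID_KEYS:
        raise ValueError(f"unsupported CriterionKey: {key}")
    condition = {}
    if equals is not None:
        condition["EqualsValue"] = equals
    if greater_than is not None:
        condition["GreaterThan"] = greater_than
    if less_than is not None:
        condition["LessThan"] = less_than
    if not condition:
        raise ValueError("FilterCondition needs EqualsValue, GreaterThan or LessThan")
    return {"FilterCriterion": [{"CriterionKey": key, "FilterCondition": condition}]}


def fetch_all_scans(client, detector_id, filter_criteria=None, page_size=50):
    """Follow NextToken until every matching scan is collected (MaxResults caps at 50)."""
    kwargs = {
        "DetectorId": detector_id,
        "MaxResults": min(page_size, 50),
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": "DESC"},
    }
    if filter_criteria:
        kwargs["FilterCriteria"] = filter_criteria
    scans = []
    while True:
        response = client.describe_malware_scans(**kwargs)
        scans.extend(response.get("Scans", []))
        token = response.get("NextToken")
        if not token:
            return scans
        kwargs["NextToken"] = token


def summarize(scans):
    """Count statuses and pull out the scans that need attention.

    ScanResultDetails is populated only once ScanStatus is COMPLETED, so it is
    read defensively; RUNNING, SKIPPED and FAILED scans carry no result.
    """
    counts = Counter(s.get("ScanStatus", "UNKNOWN") for s in scans)
    infected = [s for s in scans
                if s.get("ScanStatus") == "COMPLETED"
                and s.get("ScanResultDetails", {}).get("ScanResult") == "INFECTED"]
    failed = [s for s in scans if s.get("ScanStatus") == "FAILED"]
    return {"status_counts": dict(counts), "infected": infected, "failed": failed}


# Constructed sample pages in the DescribeMalwareScans response shape (not real data).
SAMPLE_PAGES = [
    {"Scans": [
        {"ScanId": "scan-0001", "ScanStatus": "COMPLETED", "ScanType": "ON_DEMAND",
         "ResourceDetails": {"InstanceArn": "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0a"},
         "ScanResultDetails": {"ScanResult": "CLEAN"}},
        {"ScanId": "scan-0002", "ScanStatus": "COMPLETED", "ScanType": "GUARDDUTY_INITIATED",
         "TriggerDetails": {"GuardDutyFindingId": "finding-example"},
         "ResourceDetails": {"InstanceArn": "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0b"},
         "ScanResultDetails": {"ScanResult": "INFECTED"}},
    ], "NextToken": "page-2"},
    {"Scans": [
        {"ScanId": "scan-0003", "ScanStatus": "FAILED", "ScanType": "ON_DEMAND",
         "FailureReason": "UNSUPPORTED_OS",  # constructed value
         "ResourceDetails": {"InstanceArn": "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0c"}},
    ]},
]


class FakeClient:
    """Offline stand-in for a boto3 GuardDuty client; serves SAMPLE_PAGES by NextToken."""

    def __init__(self, pages=SAMPLE_PAGES):
        self.pages, self.calls = pages, 0

    def describe_malware_scans(self, **kwargs):
        self.calls += 1
        return self.pages[1] if kwargs.get("NextToken") == "page-2" else self.pages[0]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # real run: python script.py <detector-id>
        import boto3                 # assumption: boto3 installed and credentials configured
        client, detector = boto3.client("guardduty"), sys.argv[1]
    else:                            # offline run on the constructed sample pages
        client, detector = FakeClient(), "60b8777933648562554d637e0e4bb3b2"
    report = summarize(fetch_all_scans(client, detector))
    print("status counts:", report["status_counts"])
    for scan in report["infected"]:
        print("INFECTED:", scan["ScanId"], scan["ResourceDetails"]["InstanceArn"])
    for scan in report["failed"]:
        print("FAILED:", scan["ScanId"], scan.get("FailureReason"))
```

Pass the result of build_filter as filter_criteria to narrow the listing, for example build_filter("SCAN_STATUS", equals="COMPLETED") or a SCAN_START_TIME window with greater_than and less_than; because the service takes one CriterionKey per request, combining conditions means filtering on one key server-side and the rest in summarize.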