Malware Protection in Amazon GuardDuty - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Malware Protection in Amazon GuardDuty

Malware Protection helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads. Malware Protection provides scan options where you can decide if you want to include or exclude specific Amazon EC2 instances and container workloads at the time of scanning. It also provides an option to retain the snapshots of Amazon EBS volumes attached to the Amazon EC2 instances or container workloads, in your GuardDuty accounts. The snapshots get retained only when malware is found and Malware Protection findings are generated.

Malware Protection offers two types of scans to detect potentially malicious activity in your Amazon EC2 instances and container workloads – GuardDuty-initiated malware scan and On-demand malware scan. The following table shows the comparison between both the scan types.


GuardDuty-initiated malware scan

On-demand malware scan

How the scan gets invoked

After you enable GuardDuty-initiated malware scan, whenever GuardDuty generates a finding that indicates the potential presence of malware in an Amazon EC2 instance or a container workload, GuardDuty automatically initiates an agentless malware scan on the Amazon EBS volumes attached to your potentially impacted resource. For more information, see GuardDuty-initiated malware scan.

You can initiate an On-demand malware scan by providing the Amazon Resource Name (ARN) associated with your Amazon EC2 instance or container workload. You can initiate an On-demand malware scan even when no GuardDuty finding is generated for your resource. For more information, see On-demand malware scan.

Configuration needed

To use GuardDuty-initiated malware scan, you must enable it for your account. For more information, see Configuring GuardDuty-initiated malware scan.

Your account must have GuardDuty enabled. To use On-demand malware scan, there is no configuration required at the feature-level.

Wait time to initiate a new scan

Whenever GuardDuty generates one of the Findings that invoke GuardDuty-initiated malware scan, a malware scan initiates automatically only once every 24 hours.

You can initiate an On-demand malware scan on the same resource any time after 1 hour from the start time of the previous scan.

Availability of the 30-day free trial period

When you enable GuardDuty-initiated malware scan for the first time in your account, you can use a 30-day free trial period*.

There is no free trial period* with On-demand malware scan for new or existing GuardDuty accounts.

Scan options

After you've configured GuardDuty-initiated malware scan, Malware Protection also helps you to select which resources to scan or skip. Malware Protection will not initiate an automatic scan on the resources that you choose to exclude from scanning.

On-demand malware scan supports a global tag – GuardDutyExcluded. Scan options with user-defined tags is not applicable to On-demand malware scan because you provide the resource ARN manually.

*You will incur usage cost for creating EBS volume snapshots and retaining snapshots. For more information about configuring your account to retain snapshots, see Snapshots retention.

Malware Protection is an optional enhancement to GuardDuty, and is designed in a way that it won't affect the performance of your resources. For information about how Malware Protection works within GuardDuty, see Feature in Malware Protection. For information about availability of Malware Protection in different Amazon Web Services Regions, see Regions and endpoints.


GuardDuty Malware Protection doesn't support Fargate with either Amazon EKS or Amazon ECS.