Malware Protection in Amazon GuardDuty
Malware Protection helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads. Malware Protection provides scan options where you can decide if you want to include or exclude specific Amazon EC2 instances and container workloads at the time of scanning. It also provides an option to retain the snapshots of Amazon EBS volumes attached to the Amazon EC2 instances or container workloads, in your GuardDuty accounts. The snapshots get retained only when malware is found and Malware Protection findings are generated.
Malware Protection offers two types of scans to detect potentially malicious activity in your Amazon EC2 instances and container workloads – GuardDuty-initiated malware scan and On-demand malware scan. The following table shows the comparison between both the scan types.
Factor |
GuardDuty-initiated malware scan |
On-demand malware scan |
|---|---|---|
How the scan gets invoked |
After you enable GuardDuty-initiated malware scan, whenever GuardDuty generates a finding that indicates the potential presence of malware in an Amazon EC2 instance or a container workload, GuardDuty automatically initiates an agentless malware scan on the Amazon EBS volumes attached to your potentially impacted resource. For more information, see GuardDuty-initiated malware scan. |
You can initiate an On-demand malware scan by providing the Amazon Resource Name (ARN) associated with your Amazon EC2 instance or container workload. You can initiate an On-demand malware scan even when no GuardDuty finding is generated for your resource. For more information, see On-demand malware scan. |
Configuration needed |
To use GuardDuty-initiated malware scan, you must enable it for your account. For more information, see Configuring GuardDuty-initiated malware scan. |
Your account must have GuardDuty enabled. To use On-demand malware scan, there is no configuration required at the feature-level. |
Wait time to initiate a new scan |
Whenever GuardDuty generates one of the Findings that invoke GuardDuty-initiated malware scan, a malware scan initiates automatically only once every 24 hours. |
You can initiate an On-demand malware scan on the same resource any time after 1 hour from the start time of the previous scan. |
Availability of the 30-day free trial period |
When you enable GuardDuty-initiated malware scan for the first time in your account, you can use a 30-day free trial period*. |
There is no free trial period* with On-demand malware scan for new or existing GuardDuty accounts. |
Scan options |
After you've configured GuardDuty-initiated malware scan, Malware Protection also helps you to select which resources to scan or skip. Malware Protection will not initiate an automatic scan on the resources that you choose to exclude from scanning. |
On-demand malware scan supports a global tag – |
*You will incur usage cost for creating EBS volume snapshots and retaining snapshots. For more information about configuring your account to retain snapshots, see Snapshots retention.
Malware Protection is an optional enhancement to GuardDuty, and is designed in a way that it won't affect the performance of your resources. For information about how Malware Protection works within GuardDuty, see Feature in Malware Protection. For information about availability of Malware Protection in different Amazon Web Services Regions, see Regions and endpoints.
Note
GuardDuty Malware Protection doesn't support Fargate with either Amazon EKS or Amazon ECS.