Monitoring scan statuses and results in Malware Protection for Backup - Amazon GuardDuty

After a malware scan is initiated, GuardDuty provides a few mechanisms through which you may monitor the status and result of a scan. The following table provides some of the values associated with malware scans.

Category             Potential values
Scan status          RUNNING, COMPLETED, COMPLETED_WITH_ISSUES, FAILED, or SKIPPED
Scan category        FULL_SCAN or INCREMENTAL_SCAN
Scan type            GUARDDUTY_INITIATED, ON_DEMAND, or BACKUP_INITIATED
Scan result status   NO_THREATS_FOUND or THREATS_FOUND

Note that the scan result status may be absent if the scan did not complete. A scan result status of THREATS_FOUND indicates that GuardDuty detected malware.

Scans may also be skipped for various reasons. The following list gives each scan skipped reason and what it means:

  • ACCESS_DENIED – The customer role does not have the permissions the service needs to perform the scan.
  • RESOURCE_NOT_FOUND – The resource to be scanned does not exist in the account, or was deleted during scanning.
  • SNAPSHOT_SIZE_LIMIT_EXCEEDED – The snapshot is larger than GuardDuty currently supports.
  • INCREMENTAL_NO_DIFFERENCE – The resources specified in the incremental scan request have no difference between them.
  • RESOURCE_UNAVAILABLE – The resource is not in the expected state. For an incremental scan, the base recovery point is not in the AVAILABLE or COMPLETED state.
  • UNRELATED_RESOURCES – For incremental scans, the base and current resource are not from the same lineage (the base resource's ARN differs from the expected resource's ARN).
  • BASE_RESOURCE_NOT_SCANNED – For incremental scans, the base resource was not previously scanned, or no completed scan of it was found.
  • BASE_CREATED_AFTER_TARGET – For incremental scans, the base resource's creation date is later than the current resource's creation date.
  • UNSUPPORTED_FOR_INCREMENTAL – The requested resource type does not support incremental scanning.
  • UNSUPPORTED_AMI – Public AMIs, AMIs with only ephemeral storage, and AMIs that are not in an available state are not eligible for scanning.
  • UNSUPPORTED_SNAPSHOT – Cold storage snapshots are not eligible for scanning.
  • UNSUPPORTED_COMPOSITE_RP – Scanning is not supported for composite resource types.
  • UNSUPPORTED_PRODUCT_CODE_TYPE – The requested resource contains an Amazon Marketplace product code that does not support scanning.
  • AMI_SNAPSHOT_LIMIT_EXCEEDED – AMIs with more than 40 snapshots are not supported for scanning.
  • NO_EBS_VOLUMES_FOUND – No EBS block device mappings were found for the requested resource.

Scan results are retained for 90 days. Choose your preferred access method to track the status of your malware scans.

Monitoring Scans Using the Console

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, choose Malware scans.

  3. You can filter the malware scans by the following properties available in the filter search bar.

    • Scan ID – Unique identifier associated with the malware scan.
    • Account ID – Account in which the malware scan was initiated.
    • Resource ARN – Amazon Resource Name (ARN) of the resource that was scanned.
    • Resource Type – The type of resource associated with the scan: EC2 Instance, EBS Snapshot, EC2 AMI, EBS Recovery Point, EC2 Recovery Point, or S3 Recovery Point.
    • Status – The status of the scan: Running, Skipped, Completed, Completed with Issues, or Failed.
    • Scan Type – Indicates whether this was an On-demand, GuardDuty-initiated, or Backup-initiated malware scan.

Monitoring Scans using the API/CLI

  • You can invoke ListMalwareScans to filter malware scans by RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, RESOURCE_TYPE, and SCAN_START_TIME. You can also invoke GetMalwareScan to retrieve the detailed metadata of a single scan by providing its scan ID as input. The GUARDDUTY_FINDING_ID filter criterion applies only when the SCAN_TYPE is GUARDDUTY_INITIATED.
  • You can change the example filter-criteria in the command below, filtering on one CriterionKey at a time. The options for CriterionKey are RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, SCAN_TYPE, GUARDDUTY_FINDING_ID, SCAN_STATUS, RESOURCE_TYPE, and SCAN_START_TIME. You can change max-results (up to 50) and sort-criteria. The AttributeName field is mandatory for sort-criteria and must be set to scanStartTime. In the following examples, the filter value and the scan ID are placeholders; replace them with values appropriate for your account. If you keep RESOURCE_TYPE as the CriterionKey, replace the example EqualsValue with the resource type you want to filter by.
    aws guardduty list-malware-scans --max-results 25 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"RESOURCE_TYPE", "FilterCondition":{"EqualsValue":"EBS_SNAPSHOT"}}] }'
    aws guardduty get-malware-scan --scan-id abc123
  • The ListMalwareScans response returns up to 25 scans (the max-results given above) with summary details about each affected resource. The GetMalwareScan response returns the single requested scan with its detailed metadata.

Monitoring Scans using EventBridge

Amazon EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and Amazon services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the Amazon EventBridge User Guide.

GuardDuty publishes EventBridge notifications to the default event bus once a scan status is determined. You can set up EventBridge rules in your account to send events to other services integrated with Amazon EventBridge. Standard EventBridge pricing will apply. For more information, see Amazon EventBridge pricing.

Many of the values shown below are placeholders for the example and will vary depending on the scan.

Malware Scan Result Events

Potential detail-type values for Malware Protection for Backup:

  • "GuardDuty Malware Protection EBS Snapshot Scan Result"
  • "GuardDuty Malware Protection EC2 AMI Scan Result"
  • "GuardDuty Malware Protection S3 Recovery Point Scan Result"
  • "GuardDuty Malware Protection EBS Recovery Point Scan Result"
  • "GuardDuty Malware Protection EC2 Recovery Point Scan Result"

Sample Event Pattern:

    {
      "detail-type": ["GuardDuty Malware Protection EC2 AMI Scan Result"],
      "source": ["aws.guardduty"]
    }

Sample Notification Schema for EC2 AMI Scan with No Threats Found:

    {
      "version": "0",
      "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
      "source": "aws.guardduty",
      "account": "1111222233334444",
      "time": "2025-11-01T00:00:00Z",
      "region": "us-east-1",
      "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
      "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
          "scanResultStatus": "NO_THREATS_FOUND",
          "uniqueThreatCount": null
        }
      }
    }

Sample Notification Schema for EC2 AMI Scan with Threats Found:

    {
      "version": "0",
      "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
      "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
      "source": "aws.guardduty",
      "account": "1111222233334444",
      "time": "2025-11-01T00:00:00Z",
      "region": "us-east-1",
      "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
      "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": null,
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
          "scanResultStatus": "THREATS_FOUND",
          "uniqueThreatCount": 1,
          "threats": {
            "name": "EICAR-Test-File (not a virus)",
            "source": "AMAZON",
            "count": 2,
            "itemDetails": [
              {
                "resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
                "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "itemPath": "/eicar.txt",
                "additionalInfo": {
                  "versionId": null,
                  "deviceName": "/dev/sdf"
                }
              }
            ]
          }
        }
      }
    }

Sample Notification Schema for Skipped EC2 AMI Scan:

    {
      "version": "0",
      "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
      "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result",
      "source": "aws.guardduty",
      "account": "1111222233334444",
      "time": "2025-11-01T00:00:00Z",
      "region": "us-east-1",
      "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
      "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "SKIPPED",
        "resourceType": "EC2_AMI",
        "scanId": "d41d8cd98f00b204e9800998ecf8427e",
        "scanStatusReason": "UNSUPPORTED_AMI",
        "scanType": "ON_DEMAND",
        "triggerType": "GUARDDUTY",
        "scanCategory": "FULL_SCAN",
        "scanStartTime": 1234567890123,
        "scanCompleteTime": 2345678901234,
        "scanResultDetails": {
          "uniqueThreatCount": null,
          "threats": null
        }
      }
    }
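The three sample notifications above, run through an event-driven triage routine. This is an added example and not AWS-provided code: it reads the same detail fields the schemas show (scanStatus, scanStatusReason, scanResultDetails) and maps them to a responder action, treating the skip reasons listed earlier on this page as either benign, fixable, or unscannable. The action names, severities and remediation hints are this example's own labels, and the sample events are constructed from the placeholder notifications above. Because the THREATS_FOUND sample carries "threats" as a single object rather than an array, the code accepts either shape.

```python
"""Triage GuardDuty Malware Protection for Backup scan-result events.

Added example, not AWS-provided code. Action names, severities and hints are
this example's labels; sample events are constructed from the page's placeholders.
"""

# Skip reasons a responder can fix, with a remediation hint (example wording).
ACTIONABLE_SKIP_REASONS = {
    "ACCESS_DENIED": "grant the customer role the permissions the scan needs",
    "RESOURCE_NOT_FOUND": "confirm the resource exists; it may have been deleted mid-scan",
    "RESOURCE_UNAVAILABLE": "retry once the resource or base recovery point is AVAILABLE/COMPLETED",
    "BASE_RESOURCE_NOT_SCANNED": "complete a scan of the base resource, then retry",
    "UNRELATED_RESOURCES": "choose a base recovery point from the same lineage as the target",
    "BASE_CREATED_AFTER_TARGET": "the base must be older than the target; swap them",
}
# An incremental scan of an unchanged resource is an expected no-op.
BENIGN_SKIP_REASONS = {"INCREMENTAL_NO_DIFFERENCE"}


def _as_list(value):
    """The page's THREATS_FOUND sample carries 'threats' as one object, not an
    array; accept either shape so a schema variation cannot drop a hit."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def extract_threats(detail):
    """Flatten scanResultDetails.threats into one record per affected item."""
    records = []
    result = detail.get("scanResultDetails") or {}
    for threat in _as_list(result.get("threats")):
        for item in _as_list(threat.get("itemDetails")):
            extra = item.get("additionalInfo") or {}
            records.append({"name": threat.get("name"), "resourceArn": item.get("resourceArn"),
                            "path": item.get("itemPath"), "sha256": item.get("hash"),
                            "deviceName": extra.get("deviceName")})
    return records


def triage(event):
    """Return a dict with 'severity' and 'action' for one scan-result event."""
    if event.get("source") != "aws.guardduty" or "Scan Result" not in event.get("detail-type", ""):
        raise ValueError("not a GuardDuty Malware Protection scan result event")
    detail = event["detail"]
    status, reason = detail.get("scanStatus"), detail.get("scanStatusReason")
    # scanResultStatus is only populated once a scan has completed.
    result = (detail.get("scanResultDetails") or {}).get("scanResultStatus")
    base = {"scanId": detail.get("scanId"), "resource": (event.get("resources") or [None])[0],
            "resourceType": detail.get("resourceType"), "scanStatus": status, "skipReason": reason}
    if status in ("COMPLETED", "COMPLETED_WITH_ISSUES"):
        if result == "THREATS_FOUND":
            threats = extract_threats(detail)
            return {**base, "severity": "high", "action": "quarantine_recovery_point",
                    "itemCount": len(threats), "threats": threats}
        if result == "NO_THREATS_FOUND":
            # Assumption: COMPLETED_WITH_ISSUES means not everything was inspected.
            partial = status == "COMPLETED_WITH_ISSUES"
            return {**base, "severity": "low" if partial else "info",
                    "action": "review_scan_issues" if partial else "record_clean_result"}
        return {**base, "severity": "medium", "action": "investigate_missing_result"}
    if status == "SKIPPED":
        if reason in BENIGN_SKIP_REASONS:
            return {**base, "severity": "info", "action": "none"}
        if reason in ACTIONABLE_SKIP_REASONS:
            return {**base, "severity": "medium", "action": "fix_configuration",
                    "hint": ACTIONABLE_SKIP_REASONS[reason]}
        # UNSUPPORTED_* and *_LIMIT_EXCEEDED: this feature cannot scan the resource,
        # so it needs coverage from elsewhere rather than a retry.
        return {**base, "severity": "low", "action": "track_unscannable_resource"}
    if status == "FAILED":
        return {**base, "severity": "medium", "action": "retry_or_open_support_case"}
    return {**base, "severity": "info", "action": "wait"}  # RUNNING or unknown status


def lambda_handler(event, context=None):
    """Lambda entry point: EventBridge delivers one scan-result event per invocation."""
    return triage(event)


def _sample_event(detail):
    """Constructed event using the envelope shared by the page's sample notifications."""
    return {"version": "0", "source": "aws.guardduty", "account": "1111222233334444",
            "detail-type": "GuardDuty Malware Protection EC2 AMI Scan Result", "region": "us-east-1",
            "resources": ["arn:aws:ec2:us-east-1:1111222233334444:image/ami-1234567890abcdef0"],
            "detail": {"schemaVersion": "1.0", "resourceType": "EC2_AMI", "scanType": "ON_DEMAND",
                       "scanId": "d41d8cd98f00b204e9800998ecf8427e", **detail}}

SAMPLE_CLEAN = _sample_event({"scanStatus": "COMPLETED", "scanStatusReason": None,
                              "scanResultDetails": {"scanResultStatus": "NO_THREATS_FOUND"}})
SAMPLE_THREATS = _sample_event({"scanStatus": "COMPLETED", "scanStatusReason": None,
    "scanResultDetails": {"scanResultStatus": "THREATS_FOUND", "uniqueThreatCount": 1,
        "threats": {"name": "EICAR-Test-File (not a virus)", "source": "AMAZON", "count": 2,
            "itemDetails": [{"resourceArn": "arn:aws:ec2:us-east-1:1111222233334444:snapshot/snap-abcdef01234567890",
                             "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                             "itemPath": "/eicar.txt", "additionalInfo": {"deviceName": "/dev/sdf"}}]}}})
SAMPLE_SKIPPED = _sample_event({"scanStatus": "SKIPPED", "scanStatusReason": "UNSUPPORTED_AMI",
                                "scanResultDetails": {"uniqueThreatCount": None, "threats": None}})
SAMPLE_DENIED = _sample_event({"scanStatus": "SKIPPED", "scanStatusReason": "ACCESS_DENIED"})
```

Deploy triage as the target of the EventBridge rule shown in the sample event pattern (one rule per detail-type, or a single rule listing all five detail-type values), and replace the returned action strings with calls to your own notification or ticketing target. The check on "source" and "detail-type" at the top of triage prevents a misconfigured rule from feeding unrelated events into the malware path.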