On-demand malware scan - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

On-demand malware scan

On-demand malware scan helps you detect the presence of malware on Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 instances. With no configuration needed, you can initiate an on-demand malware scan by providing the Amazon Resource Name (ARN) of the Amazon EC2 instance that you want to scan. You can initiate an on-demand malware scan either through the GuardDuty console or API. Before initiating an on-demand malware scan, you can set your preferred Snapshots retention setting. The following scenarios can help you identify when to use the On-demand malware scan type with GuardDuty:

  • You want to detect the presence of malware in your Amazon EC2 instances without enabling GuardDuty-initiated malware scan.

  • You have enabled GuardDuty-initiated malware scan and a scan was invoked automatically. After following the recommended remediation for the generated Malware Protection finding type, if you want to initiate a scan on the same resource, you can initiate an on-demand malware scan after 1 hour has passed from the previous scan start time.

    On-demand malware scan doesn't require that 24 hours have passed from the time the previous malware scan was initiated. One hour should have passed before initiating an On-demand malware scan on the same resource. To avoid duplicating a malware scan on the same EC2 instance, see Re-scanning the same Amazon EC2 instance.


On-demand malware scan is not included in the 30-day free trial period with GuardDuty. The usage cost applies to the total Amazon EBS volume scanned for each malware scan. For more information, see Amazon GuardDuty pricing. For information about the cost of creating the Amazon EBS volume snapshots and their retention, see Amazon EBS pricing.

How On-demand malware scan works

With On-demand malware scan, you can initiate a malware scan request for your Amazon EC2 instance even when it is currently in use. After you initiate an On-demand malware scan, GuardDuty creates snapshots of the Amazon EBS volumes attached to the Amazon EC2 instance whose Amazon Resource Name (ARN) was provided for the scan. Next, GuardDuty shares these snapshots with the GuardDuty service account. GuardDuty creates encrypted replica EBS volumes from those snapshots in the GuardDuty service account. For more information about how the Amazon EBS volumes are scanned, see Elastic Block Storage (EBS) volume.


GuardDuty creates the snapshots of the data that has already been written to the Amazon EBS volumes at the point-in-time when you initiate an On-demand malware scan.

If malware is found and you've enabled the snapshots retention setting, the snapshots of your EBS volume are automatically retained in your Amazon Web Services account. On-demand malware scan generates the Malware Protection finding types. If malware is not found, then regardless of the snapshots retention setting, the snapshots of your EBS volumes are deleted.

By default, the snapshots of your EBS volumes get created with a GuardDutyScanId tag. Do not remove this tag because doing so will prevent GuardDuty from accessing the snapshots. Both scan types in Malware Protection do not scan the Amazon EC2 instances or Amazon EBS volumes that have the GuardDutyExcluded tag set to true. If a Malware Protection scan on such a resource, a scan ID will be generated but the scan will be skipped with an EXCLUDED_BY_SCAN_SETTINGS reason. For more information, see Reasons for skipping resource during malware scan.

Amazon Organizations service control policy – Denied access

Using the Service control policies (SCPs) in Amazon Organizations, the delegated GuardDuty administrator account can restrict permissions and deny actions such as initiating an on-demand malware scan for Amazon EC2 instance owned by your accounts.

As a GuardDuty member account, when you initiate an on-demand malware scan for your Amazon EC2 instances, you may receive an error. You can connect with the management account to understand why an SCP was set up for your member account. For more information, see SCP effects on permissions.