At the recent re:Inforce security conference, AWS announced the availability of malware detection for Amazon GuardDuty. The new functionality of the managed threat detection service initiates a scan of the attached EBS volumes when it detects suspicious behavior indicative of malware on EC2 instances or container workloads.
Without having to deploy security software or agents, GuardDuty can detect malicious files on an instance or container workload. Danilo Poccia, chief evangelist EMEA at AWS, explains:
When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious. For example, a malware scan is triggered when an EC2 instance is communicating with a command-and-control server that is known to be malicious or is performing denial of service (DoS) or brute-force attacks against other EC2 instances.
Source: https://aws.amazon.com/blogs/aws/new-for-amazon-guardduty-malware-detection-for-amazon-ebs-volumes/
According to AWS, GuardDuty will scan file formats known to be used to spread or contain malware, including Windows and Linux executables, PDF files, archives, binaries, scripts, installers, email databases, and plain emails. AWS provides a list of findings that initiate Malware Protection scans.
When a malware scan is initiated for an EC2 instance, GuardDuty Malware Protection takes a snapshot of the attached EBS volumes and restores them in a service account to scan them for malware.
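Malware Protection is an opt-in setting on the GuardDuty detector. The following added example, which is not AWS's code, enables the on-finding EBS scan with the boto3 `update_detector` call and verifies it through `get_detector`; the `FakeGuardDuty` client is a constructed stand-in so the logic runs offline, while the `__main__` section uses a real client.

```python
"""Enable GuardDuty Malware Protection (EBS scan on findings) and verify it."""

# DataSources payload accepted by update_detector for Malware Protection.
MALWARE_DS = {"MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": True}}}


def malware_protection_status(detector_response: dict) -> str:
    """Extract ENABLED/DISABLED from a get_detector() response; absent => DISABLED."""
    return (detector_response.get("DataSources", {})
            .get("MalwareProtection", {})
            .get("ScanEc2InstanceWithFindings", {})
            .get("EbsVolumes", {})
            .get("Status", "DISABLED"))


def ensure_malware_protection(client, detector_id: str) -> str:
    """Enable the on-finding EBS scan if it is off; return the final status.

    `client` is any object exposing get_detector/update_detector with the
    boto3 GuardDuty keyword signatures (a real client or the fake below).
    """
    status = malware_protection_status(client.get_detector(DetectorId=detector_id))
    if status != "ENABLED":
        client.update_detector(DetectorId=detector_id, DataSources=MALWARE_DS)
        status = malware_protection_status(client.get_detector(DetectorId=detector_id))
    return status


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client, for offline runs."""

    def __init__(self, enabled: bool = False):
        self.enabled = enabled
        self.update_calls = []  # records every DataSources payload sent

    def get_detector(self, DetectorId):
        status = "ENABLED" if self.enabled else "DISABLED"
        return {"DataSources": {"MalwareProtection": {
            "ScanEc2InstanceWithFindings": {"EbsVolumes": {"Status": status}}}}}

    def update_detector(self, DetectorId, DataSources):
        self.update_calls.append(DataSources)
        self.enabled = DataSources["MalwareProtection"]["ScanEc2InstanceWithFindings"]["EbsVolumes"]
        return {}


if __name__ == "__main__":
    import boto3  # real run: needs AWS credentials and an existing detector
    gd = boto3.client("guardduty")
    for det in gd.list_detectors()["DetectorIds"]:
        print(det, ensure_malware_protection(gd, det))
```

Note that enabling the data source only arms the scan; as the text above says, a scan runs when GuardDuty raises a qualifying finding, not on a schedule.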
There were concerns in the past about the benefits of GuardDuty, with some users considering it a "checkbox for an audit more than a substantive security product". The new malware detection capability has raised some doubts too, with Scott Piper, cloud security consultant, writing:
The big early limitation of GuardDuty's malware detection is it sounds like it only scans once normal GuardDuty has detected an issue, so it's not a nightly scan of all your EC2s like other side scanners.
GuardDuty Malware Protection is not the only AWS service that scans workloads: Amazon Inspector scans for software vulnerabilities and unintended network exposure, identifying and remediating known vulnerabilities used to compromise resources and install malware, while GuardDuty Malware Protection detects existing malware on actively running workloads. Piper adds:
Another oddity is AWS has one service to find vuln libraries this way (Inspector) and this service for malware, instead of looking for both at the same time. We still also do not have a good way of doing memory snapshots for identifying running code.
Customers pay for the amount of GB scanned in the file systems and for the EBS snapshots created by GuardDuty to perform the scans. The first 30 days of Malware Protection are free for existing GuardDuty accounts and part of the 30-day free trial for new customers.