Error files are deemed collectively as Problem Files. They represent files that are infected with malware (Infected), password protected / KMS encrypted / file size limit exceeded (Unscannable), and files where the cross account role is broken or the file no longer exists (Error). This page presents the list of problem files found by Antivirus for Amazon S3, whether from new objects coming in or through the evaluation of your existing objects. The list of problem files is a running tally of all issues you've discovered. You may take actions on the files directly in the bucket, and in-page actions will be available soon. Whether the file has been cleaned and moved or deleted, the data will tell you whether the file still exists and needs to be dealt with or if it no longer exists.
The files are broken down by bucket and account so you know where the file entered and into which account.
Getting the Results Set
You will not see any results when you land on this page. You must first apply filters to get to your working data set. You can then search amongst the results. There are three pieces of data you will provide for the filter: one or more accounts, the types of problem files, and the date range.
Accounts (count in past 24h) is a multi-select picker where you can choose one or more accounts to review. If you have many accounts, you can search by typing into the field to limit the account list further. You are presented the account nickname, the account number and the number of problem files found in the last 24 hours.
Problem File Types is a multi-select picker where you can choose one or more of the problem types to review. By default, all three problem types are chosen, but you can limit this by clearing the undesirable types out. There are three choices of problem file types: Infected, Error and Unscannable.
Date Range is a date/time calendar with presets where you can select the specific time range to evaluate. By default, the time selected is the last 24 hours.
With all three fields populated, the Apply Filters button will be enabled. Click the button to retrieve the filtered results.
Results may be truncated as follows:
- 5000 results, at most, will be returned.
- 1000 results, at most, will be returned per account.
So as not to "spam" you on the Problem Files page or in the scan results notifications, we throttle the number of entries we write to both for two particular scenarios: 1) the bucket is encrypted (and we do not have permissions to the key), so every object would fail to scan, and 2) access to a linked account has been broken, so we cannot grab the objects and every object would fail to scan.
In both scenarios, you could end up with thousands (or many more) of unscannable messages depending on the object counts for the given bucket(s) or account(s). We will write one message per hour for each unscannable scenario (per bucket and per account).
Allowing Suspect Files - False Positives / Acceptable Risks
It is inevitable that false positives will occur, or that files known and previously identified as risky will be acceptable to use within your environment. If you are leveraging the default quarantining behavior of the solution, you will then need a mechanism to bring the file back to the original production bucket for continued use. You need to restore the file without it immediately being picked up again, so it can be used going forward.
You have two restore options: once and permanent.
Once will move the object from the quarantine bucket back to the original bucket and path. The scanning agents will skip this file one time, but if it is processed again (i.e. Scheduled Scan, On-Demand Scan, or upload) it will be caught again. This is useful when you have not merely accepted the file but also fixed it, and want to make sure it is checked again.
Permanent will allow the file for continued use, for the problems/infections found, indefinitely. If you believe the finding is a false positive that will always be present in the given file, then Permanent is the right choice. Even if you upload a new version of the object, that particular issue will still be allowed. If new issues are found (a different infection), the object will still be processed as an infected file according to your settings.
In either case, the scan-result tag placed on the object will change from
If you have any policies or rules in place for object handling that key off of scan-result=clean, you will want to augment them to include scan-result=InfectedAllowed as well.
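The policy augmentation described above, as an added example that is not part of the original page or the product: a bucket policy that denies a consumer role s3:GetObject unless the object's scan-result tag is in an accepted set, with the weak set (clean only, which would block restored files) beside the corrected set (clean plus InfectedAllowed). The bucket name and role ARN are constructed placeholders; the scanner's own role is assumed to be a different principal and so is not affected by the Deny.

```python
import json

# Condition key for object tags on GetObject requests.
SCAN_RESULT_TAG_KEY = "s3:ExistingObjectTag/scan-result"

# Tag values treated as "safe to consume" (values as given on this page).
WEAK_ALLOWED = ["clean"]                          # blocks restored files
CORRECTED_ALLOWED = ["clean", "InfectedAllowed"]  # honours Once/Permanent restores


def build_gate_policy(bucket: str, consumer_role_arn: str, allowed_results) -> dict:
    """Return a bucket policy (dict) denying consumer_role_arn s3:GetObject on any
    object whose scan-result tag is not one of allowed_results.

    StringNotEquals with a list is true only when the tag matches none of the
    values, and a missing tag also satisfies it, so objects that have not been
    scanned yet (no tag) are denied as well.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadUnlessScanResultAccepted",
            "Effect": "Deny",
            "Principal": {"AWS": consumer_role_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {SCAN_RESULT_TAG_KEY: list(allowed_results)}},
        }],
    }


def gate_allows(tag_value, allowed_results) -> bool:
    """Mirror of how the Deny statement evaluates for one object: the read goes
    through only when the tag is present and its value is in the accepted set."""
    return tag_value is not None and tag_value in allowed_results


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    policy = build_gate_policy("example-prod-uploads",
                               "arn:aws:iam::111111111111:role/example-app-role",
                               CORRECTED_ALLOWED)
    print(json.dumps(policy, indent=2))
    for value in ("clean", "InfectedAllowed", "infected", None):
        print(value, "weak:", gate_allows(value, WEAK_ALLOWED),
              "corrected:", gate_allows(value, CORRECTED_ALLOWED))
```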
Searching the Data
The main data fields are presented within the table: object name, uploaded to bucket, account, result, scan on date, quarantine bucket and file exists check. File Exists indicates whether that file is still available.
The Search field above the filtered results is a global search across the entire table. Start by typing in the value for any of the fields and it will start filtering the table down to the matching values. You can also space separate search criteria to search by multiple values. For example, you want to search by a particular originating bucket and the infected status. Your search bar might look like partial-bucket-name infected. That will search by both the bucket name as well as the status of infected. It is very simple to drill down to what you are looking for.
You may see a short delay after typing in your search value since we won't actually trigger the search until typing has stopped for 1 second.
- Match words out of order: For example, if you search for Virus Found it would match a row containing the words Virus and Found, regardless of the order or position in which they appear in the table.
- Partial word matching: As filtering provides immediate feedback, parts of words can be matched in the result set. For example, Vir will match Virus.
- Multiple Searches: The table provides functionality to enter multiple words separated by a space, and the search will return all rows containing at least one of those words.
- Preserved text: This table adds the ability to search for an exact phrase by enclosing the search text in double quotes. For example, "Virus Found" will match only text which contains the phrase Virus Found. It will not match Virus is in Found.