Skip to content

Frequently Asked Questions

Getting Started

Getting Started

Do my objects ever leave my account?

Object residence?

No. Antivirus for Amazon S3 is designed and deployed in such a way that your Amazon S3 objects never leave your account(s).

Note

If you are utilizing Linked Accounts, the objects will be pulled from Account X to the deployed account for scanning. But these are maintained within your realm of linked accounts.

Is there a free trial?

Free Trial?

Yes, we offer a 30 day period of time or up to 500GB of scanning (whichever comes first) to try the product. Trial extensions may be requested, please Contact Us.

Start a Trial

Warning

Like AWS' trial policy, the trial is good for only one deployment within an account. Any following deployments will result in immediate charges for any data scanned by those deployments. The initial deployment will remain within the trial period and data.

Note

You can see the status of your trial on the Config->License Management page. You will also be warned with a banner warning on the main dashboard when you are within 7 days of the trial ending or within 20% of the trial data allotment.


You can also subscribe to the Proactive Notifications to specifically receive emails when the free trial is approaching its end due to date or data.

How do you charge for the product?

Pricing?

We leverage a true consumption model. We charge for each gigabyte you scan with the product. This may be from one object or one thousand objects.

Review the public pricing on the AWS Marketplace Listing. Please Contact Us for custom pricing.

Do you have a detailed deployment guide?

Deployment Guide?

You can follow allow the Getting Started contained within the Help Docs you are currently within or you can download the PDF Deployment Guide if that is easier to follow. There are a number of topics that are covered in the deployment guide (more details on TCO and recovery strategies if ever needed) that you will not find within the Help Docs.

Detailed Deployment Guide

Is this software as a service (SaaS)?

SaaS?

No, this solution is installed within your AWS account. Please refer to the Architecture section for more details.

We are exploring a SaaS version for those who are willing, but there is still a majority of companies who want their objects to stay "within their 4 walls" (in this case their own VPC) for the scanning process. Cloud Storage Security has delivered the solution to meet this initial need. We do see SaaS as a viable alternative for those that are willing so we are pursuing it.

Note

There is a mechanism where we could offer this to you as a SaaS today. If interested, please contact us. If you're willing to work with us, we can explore delivering it to you this way.

Which browsers are supported?

Browser Support?

Any modern browser (chrome, firefox, edge, safari).

Where can I get the CloudFormation Template to deploy the product?

CloudFormation Template?

As seen in the How to Subscribe section, you'll be directly linked to the deployment CloudFormation Template. You can go to the Manage Subscriptions within the AWS Console and launch additional software from there.

You can also download the CloudFormation Template here or launch it directly here.

Note

You will be able to launch and deploy the Antivirus for Amazon S3 product from the above templates, but the product will not run unless you are subscribed.

What do all the CloudFormation parameters mean?

Cloud Formation Parameters?

Parameter                                                         Description
Stack Name           Name to identify this particular stack
Network Configuration        
Virtual Private Cloud (VPC) ID         Choose which VPC the Console should be deployed to
Subnet A ID             Choose the first Subnet the Console could be deployed to.
Subnet B ID             Choose the second Subnet the Console could be deployed to.
*Make sure the second subnet is different from the first
Console Security Group CIDR Block         The IP address range that can access the Console management website (e.g. X.X.X.X/24 for a single given IP, 0.0.0.0/0 for open access)
It is always a good idea to specify a network tied to your company as opposed to being wide open.
Console Configuration        
Console vCPU           CPU desired for the Console container. There isn't much overhead to this container, so try the minimums and grow up as needed.
Console Memory           Memory desired for the Console container. There isn't much overhead to this container, so try the minimums and grow up as needed.

Memory Requirement: Allowed memory size is a factor of the selected vCPU size. You must pick a value that is 2x - 8x of the vCPU selection.
Example: .5vCPU, then memory must be between 1GB and 4GB in memory.
UserName           Name used to login to the Management Console
Email           This email address will be sent the initial password and all subsequent password reset requests. Ensure you can get to this email address.
Agent Sizing Configuration        
Agent vCPU           CPU desired for the Agent container. Sizing the Agents can vary based on load volumes, object sizes or scan windows. Refer to the Sizing Discussion for more details. The defaults are a good starting point, but you may find you can go smaller or need larger.
If you do go smaller, I'd recommend not going below 1 full vCPU
Agent Memory           Memory desired for the Agent container. Sizing the Agents can vary based on load volumes, object sizes or scan windows. Refer to the Sizing Discussion for more details. The defaults are a good starting point, but you may find you can go smaller or need larger.
If you do go smaller, I'd recommend not going below 2gb in RAM

Memory Requirement: Allowed memory size is a factor of the selected vCPU size. You must pick a value that is 2x - 8x of the vCPU selection.
Example: 2vCPU, then memory must be between 2GB and 16GB in memory.
Allow Access to All KMS Keys           Allows the solution access to any KMS key only within the context of the Amazon S3 service. Permissions will be put in place so that we can decrypt and encrypt objects as needed during the scanning process.
Agent Auto-Scaling Configuration        
Only Run Scanning Agents When Files are in Queue?            A Yes/No answer that will impact how the scanning agents will run. The default of No will deploy and run the minimum number of agents defined below 24x7 so you have an agent(s) up and running and ready to scan. Setting this to Yes will require you to set the Minimum Number of Running Agents to 0 and agents will spin up only when there is work to do in the queue that surpasses the Number of Messages in Queue to Trigger Auto-Scaling. When select Yes, the number of messages in queue should typically be set to a smaller number like 1. This would indicate any time items come into the queue, meaning any time there is work to do, spin up an agent and scan it. But, when there is no work to be done it will spin all agents down for efficiencies. You can read more about this here.
Agent Auto-Scaling Minimum            Minimum number of Agents you'd like running. This will be determined by scan volumes and scan windows. Refer to the Sizing Discussion for more details.
Setting this above 1 will incur more infrastructure costs as more agents will be running full time
Agent Auto-Scaling Maximum             Maximum number of Agents you'd like running. This will be determined by scan volumes and scan windows. Refer to the Sizing Discussion for more details.
Default value of 12 is an arbitrary number at this time, change this as needed. Smaller if you want to ensure you never scale above a certain number (to lock down on possible costs) and larger if you need more agents running to process the load
Number of Messages in Queue for Auto-Scaling             The number of entries that should sit in the queue for at least 1 minute before more Agents are triggered to scale-up. Based on how long it is taking to process the individual objects, you may make this number larger or smaller so you don't have too much scaling activity. Refer to the Sizing Discussion for more details.
Product Functionality

Product Functionality

Which of my data do you scan: new or existing?

New or Existing data?

Both. Brand new objects will be scanned via an event-based trigger as soon as they arrive in the bucket. Existing objects will be scanned via the Retro Scanning feature where you can define to look back at all objects within the bucket or a subset based on date-time.

For more information, check out the Object Scanning overview.

Do I have to scan all the objects in my buckets or can I scan a subset?

Data - all or subset?

You can scan all objects, existing or newly coming in, or you can scan a subset. Antivirus for Amazon S3 provides Scan Lists and Skip Lists that will allow you to create Bucket Path Definitions to determine which folders within buckets you'd like to include for scanning (Scan List) or exclude from scanning (Skip List).

You can also pick a subset of items based on time with the Scan Existing Objects feature.

Can I organize linked accounts into groups?

Group Organization?

Yes, Antivirus for Amazon S3 allows for the organization and logical separation of linked accounts. This allows you to create a made-for-you organization structure to ease tracking, usage and where issues are originating. Groups also allow you to tie Antivirus for Amazon S3 users down to views and activities for specific sets of linked accounts.

Check out the Manage Groups documentation for more details.

How can I tell if files are being scanned?

Scan Results?

There are 3 main ways to tell files are being scanned: the Dashboard, the Problem Files page and the Tags on the objects themselves.

The dashboard is a simple view into how much data you have scanned, how many objects you have scanned and whether you've found any infected files. Often when testing you are using small numbers of objects that are of a smaller size. It can be difficult to see those reflected on the charts, but you will see data points that you can zoom in on. They are there, just hard to see sometimes.

The problem files page is used to identify the infected, unscannable and errored files.

We do not have a page identifying all the clean files, so it is best to look directly at the object itself to see if it has had Object Tags applied to it.

Bonus!

You may also subscribe to the Notifications SNS Topic to be informed in real-time of the scan results.


You can review the CloudWatch Logs - Agent.ScanResults

Will I be notified of infected and other problem files?

Notifications?

Yes. You can always monitor the Dashboard for any updates that come in regarding infected files along with the other scan results: unscannable, error and clean.

Proactively, you can subscribe to the Notifications SNS Topic to get real-time updates sent directly to you or the destination of your choice. More information on Proactive Notifications is located here.

Can I only run the scanning agent when needed to save on costs?

Cost Optimization?

Yes. You can change all aspects of the scaling setup on the Agent Settings page. There is specifically a Smart Scan option that will change the scaling values for this very configuration with the default Scaling Threshold of 1. With the value being set to 1, that would mean any time an object is placed in the queue the agent would spin up and process it (and whatever other work may show up) and then spin down once the work is completed. If you were to set this value to 50, the agent would wait for 50 new objects to show up before spinning up to process the work. Click here to see how to modify the scaling settings.

Do you offer an overview of the Antivirus for Amazon S3 deployment?

Deployment Overview?

Yes. The Deployment Overview page quickly and easily shows you which regions have infrastructure installed and buckets being protected.

How do I cleanup certain aspects of the product or do a complete uninstall?

Uninstall Product?

Yes. The Deployment Overview page gives you the option to uninstall a particular aspect of the product (like event scanning) in a particular region, cleanup the entire region or completely uninstall the product.

How often do you get new signature definitions?

Virus Signature Updates?

The product pulls new signature updates every 6 hours and with each time the agents come online or reboot.

Can I switch to 'local' repository for signature updates?

Local Virus Signature Updates?

It may be the case where you do not want each scanning agent to reach out to the internet to gather signature updates. Rather, you would like them to be able to retrieve updates locally from within your account. This could be you do not want the agents, that touch your data, to also have an internet connection. The Private Mirror / Local Updates feature supports changing the internet calls to local lookups within a specified S3 bucket. For more information, check out the Private Mirror (local updates) help page.

Can I eliminate public internet access to the solution? Can I run it completely privately?

Private Deployment?

Yes . . . for the most part. You can eliminate all non-AWS services public internet connections, but there are still three AWS services (Marketplace, AppConfig and Cognito) that you must have outbound internet access to interact with. The Console VPC will require access to these three services, but the agents do not. So you can lock the more prevalent agent VPCs down to have no outbound internet access.

Check out the Deployment Options help page for more details.

Can you scan encrypted objects?

Scan Encrypted Objects?

Yes. The Agent Role will need to be granted access to the keys. This can be done in two main ways: one-off direct access or global, but limited access.

One-off access can be given to individual keys. The process can be seen here.

Global access grants the solution access to all KMS keys, but only in the context of Amazon S3. Leveraging the viaService option in the permissions gives us access to the keys, but only while using the Amazon S3 service. Granting access this way will allow the solution to decrypt and encrypt objects even as keys changes. This option is available to set during the CloudFormation deployment. If you'd like to change the value afterwards, please update the stack with the steps found here.

What is the max file size you can process?

Max File Size?

Currently, the max file size we can process is 2GB for any individual file. Anything 2GB or smaller will be scanned. Anything greater than 2GB will be tagged as unscannable. The one exception to this is for archive files, they can be larger than 2GB and will be processed as long as no individual file inside of the archive is greater than 2GB (all files smaller than 2GB inside archive will be scanned though and the ones greater than 2GB will be skipped).

Architecture Related
Do I need to make any changes to my application to use the product?

Application Changes?

No. The Antivirus for Amazon S3 solution will fit into your existing workflow. You do not have to make any changes to your current workflow.

Can I scan S3 objects from more than one account from within the same deployment?

Cross Account Scanning?

Yes, Antivirus for Amazon S3 supports cross-account scanning. This means you can centrally install the console and scanning agents to protect not only the account you are deployed within, but also any other AWS account where you can install a cross-account role.

Check out the Linked Accounts documentation for more details.

What ports do I need open for the product to function properly?

Ports and Protocols?

Port 443 for:

  • Outbound for Lambda calls
  • Outbound Console and Agent access to Elastic Container Repository (ECR)
  • Inbound access to Console for public access
    • Public access is not required as long as you have access via private IP

Port 80, 53 and high range (1024:65535) ports for:

  • AV signature updates

    Note

    You can now setup local signature updates rather than reach out over the internet. This will allow you to setup an Amazon S3 bucket for the solution to look at.

You can get a more detailed view and additional options for routing on the Deployment Details page. In either the standard deployment or the VPC Endpoints deployment, with local signature updates you can remove all non-AWS calls from the application run space. With VPC Endpoint you can remove almost all public calls as well.

Can I change the cidr, vpc or subnets post deployment for the console and agents?

Task Settings?

Yes. The Console Settings page gives you the option to modify the inboud Security Group rules, the VPC and Subnets and the specs of the task (vCPU and Memory). The Agent Settings page allows you to change the VPC and Subnets the agents run in, the specs of the task (vCPU and Memory) as well as all the scaling configuration aspects.

Do you use AWS Lambdas or EC2 Instances?

Container, Lambda or EC2?

Neither. Antivirus for Amazon S3 infrastructure is built around AWS Fargate containers. We wanted to be serverless like Lambda and faster and more flexible than EC2s. Fargate containers give you a persistance and other benefits that Lambdas aren't prepared to give you yet. We explored Lambda and do see some advantages there, but not enough to win out over AWS Fargate containers.

We do leverage two lambdas for the subdomain registration, but not for any of the workload at this time. If you are interested in a lambda-driven solution, please Contact Us to let us know. We are always exploring the best way to build and run our solution.

Do you support AWS Control Tower or Landing Zone?

Control Tower and Landing Zone?

A landing zone is a well-architected, multi-account AWS environment that's based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.

Antivirus for Amazon S3 is not currently tightly integrated with AWS Control Tower, but is designed to work within the landing zone context. Antivirus for Amazon S3 can be centrally deployed in a Security Services account while leveraging Linked Accounts to scan all other accounts.


Last update: December 1, 2020