Product Functionality
Below are some of the most common questions related to product functionality.
Both. Brand new objects will be scanned via an event-based trigger as soon as they arrive in the bucket. Existing objects will be scanned via the
Retro Scanning
feature where you can define to look back at all objects within the bucket or a subset based on date-time.You can also setup scanning (new or existing files) based on a schedule. Review the Schedule Scanning documentation.
You can scan all objects, existing or newly coming in, or you can scan a subset. Antivirus for Amazon S3 provides Scan Lists and Skip Lists that will allow you to create Bucket Path Definitions to determine which folders within buckets you'd like to include for scanning (Scan List) or exclude from scanning (Skip List).
Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)
Yes, with API Driven Scanning you can send files for scanning directly. Whether you intend to use this file within Amazon S3 or not. You could have an on-prem workflow or one such that Amazon S3 is not your end destination, you can still leverage the API scan to return a file verdict.
Yes, we integrate with AWS Transfer Family in multiple ways. If you are already using the Transfer Family service, you can deploy our console and enable event-driven bucket protection on the S3 bucket(s) linked to your Transfer Family Sever(s) to ensure its contents are clean.
If you are new to AWS Transfer Family, we have a version of our console that will automatically deploy and protect a Transfer Family Server for you. You can learn more about this specific solution at our Antivirus for Managed File Transfers Marketplace listing.
Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)
Yes, it is a limited set at this time, but more will be rolled out as new releases are pushed out. Check out the Management API page for more details.
The most current list available will be within your own deployment. Navigate to your deployment Console and add /swagger to the end of the URL as seen here:
https://<deployment-URL\>/swagger/index.html
No, we have found that performance is faster when files are saved to disk (internal Fargate instance/container) in your own AWS account and region. As soon as the file is scanned, it's get deleted from the containers disk.
Yes, Antivirus for Amazon S3 allows for the organization and logical separation of linked accounts. This allows you to create a made-for-you organization structure to ease tracking, usage and where issues are originating. Groups also allow you to tie Antivirus for Amazon S3 users down to views and activities for specific sets of linked accounts.
There are 6 ways to tell files are being scanned: the Dashboard, the Problem Files page, Tags on the objects themselves, CloudWatch Logs, AWS Security Hub integration and Proactive Notifications.
The dashboard is a simple view into how much data you have scanned, how many objects you have scanned and whether you've found any infected files. Often when testing you are using small numbers of objects that are of a smaller size. It can be difficult to see those reflected on the charts, but you will see data points that you can zoom in on. They are there, just hard to see sometimes.
The problem files page is used to identify the infected, unscannable and errored files.
We do not have a page identifying all the clean files, so it is best to look directly at the object itself to see if it has had Object Tags applied to it.
You may also subscribe to the Notifications SNS Topic to be informed in real-time of the scan results.
Yes. You can always monitor the Dashboard for any updates that come in regarding
infected
files along with the other scan results: unscannable
, error
and clean
.Proactively, you can subscribe to the
Notifications
SNS Topic to get real-time updates sent directly to you or the destination of your choice. More information on Proactive Notifications is located here.Yes. It is a simple process (that may sound more complicated than it is) that took under 10 minutes to setup. Simply follow the process laid out in the AWS blogpost talking about how to leverage webhooks seen here: AWS SNS + Slack / Teams / Chime setup
Below is what the notification looks like in Slack:

Yes. You can change all aspects of the scaling setup on the Agent Settings page. There is specifically a
Smart Scan
option that will change the scaling values for this very configuration with the default Scaling Threshold of 1. With the value being set to 1, that would mean any time an object is placed in the queue the agent would spin up and process it (and whatever other work may show up) and then spin down once the work is completed. If you were to set this value to 50, the agent would wait for 50 new objects to show up before spinning up to process the work. Click here to see how to modify the scaling settings.There is also a scheduling option that allows you to define when the agents should run. This can be used for new objects or all objects in the bucket(s).
The ability to scan all files or new files (since last scan) based on a schedule. Whether it is because compliance is driving you to scan on a regular basis or it is that your workflow allows for non-real-time scanning, scheduled scanning provides flexibility for how you scan your data. You get to decide whether you want real-time, one-off on demand, schedule driven scanning or a combination of all the above.
Scheduled Scanning allows you to determine when your agents run. Your workflow and requirements will determine what you pick. If you need real-time scanning then a schedule is not for you. If you can have delays in your scanning Smart Scan or Scheduled Scans could fit your workflow well.
Yes. The Deployment Overview page quickly and easily shows you which regions have infrastructure installed and buckets being protected.
Yes. The Deployment Overview page gives you the option to uninstall a particular aspect of the product (like event scanning) in a particular region, cleanup the entire region or completely uninstall the product.
The product pulls new signature updates every 1 hour for the ClamAV engine and every 15 minutes for the Sophos engines and each time the agents come online or reboot. Generally, we have seen ClamAV update once per day (typically mornings) and Sophos about 4 times per day. This is not a hard and fast rule, but what we are seeing regularly.
With the CrowdStrike engine being an ML-based engine, the vendor updates the ML model around 3 times per year. The updated ML model will be included with our product update when released.
It may be the case where you do not want each scanning agent to reach out to the internet to gather signature updates. Rather, you would like them to be able to retrieve updates locally from within your account. This could be you do not want the agents, that touch your data, to also have an internet connection. The Private Mirror / Local Updates feature supports changing the internet calls to local lookups within a specified S3 bucket. For more information, check out the Private Mirror (local updates) help page.
Yes . . . for the most part. You can eliminate all non-AWS services public internet connections, but there are still three AWS services (Marketplace, AppConfig and Cognito) that you must have outbound internet access to interact with. The Console VPC will require access to these three services, but the agents do not. So you can lock the more prevalent agent VPCs down to have no outbound internet access.
Of course your Subnets can sit behind a NAT Gateway to help control this.
Yes. The Agent Role will need to be granted access to the keys. This can be done in two main ways: one-off direct access or global, but limited access.
Global access grants the solution access to all KMS keys, but only in the context of Amazon S3. Leveraging the
viaService
option in the permissions gives us access to the keys, but only while using the Amazon S3 service. Granting access this way will allow the solution to decrypt and encrypt objects even as keys changes. This option is available to set during the CloudFormation deployment. If you'd like to change the value afterwards, please update the stack with the steps found here.We currently support the following scan engines:
- Sophos
- CrowdStrike
- ClamAV
Yes, we do offer multi-engine scanning with two triggers:
All Files
and By File Size
. All Files
indicates every file that is event-based scanned or on-demand/schedule scanned will be processed by the enabled engines.By File Size
indicates smaller files (<2GB) will be scanned by ClamAV-only or (<20MB) will be scanned by CrowdStrike-only (since ClamAV and CrowdStrike have a size limitation and can't scan above 2GB or 20MB respectively). Larger files (>2GB or >20MB) will be scanned by Sophos-only. This allows you to take advantage of the scan cost savings offered by ClamAV or ML-based scanning offer by CrowdStrike for part of your files, but still allow for those files that are too big for ClamAV or CrowdStrike to still be scanned.If scanning files larger than 15gb, you will need to increase the disk size of the scanning agents, either globally or regionally, in the Event Agent Settings page.
It depends on which engine you are leveraging. There are three engines that can be used with the Antivirus for Amazon S3 solution. The Sophos engine will currently scan up to the max allowed Amazon S3 object size (5TB). While the ClamAV engine can process up to 2GB for any individual file. CrowdStrike can scan files up to 20MB in size. If you need to process files larger than 20MB or 2GB then you have to go with the Sophos engine.
So depending on the engine any file under the max cap will be scanned. Any file over the cap will be tagged as
unscannable
.Yes, we have an OEM'd slice of the Sophos Cloud Sandbox where we can do static and dynamic analysis of files. Check out the Static and Dynamic Analysis page for more details.
When deploying the Antivirus for Managed File Transfers solution, you can configure the CloudFormation Template to automatically deploy a Transfer Family Server for you. Once the deployment is complete, you can obtain your Transfer Family Server Id by reviewing the Outputs tab from the CloudFormation Template. Navigate to the Transfer Family service within the AWS console, select the correct server, and review its configuration.
You can connect to the Server using a file transfer service of your choice. Please note:
- The username and password entered to connect to the console is the same username and password that will be used to connect to the Transfer Family Server.
- The server's protocol will be SFTP (SSH File Transfer Protocol) - file transfer over Secure Shell.
- A Lambda function is created during the deployment and will validate authentication for secure file transfers.
Last modified 1mo ago