Cloud Storage Security Help Docs

Product Functionality

Below are some of the most common questions related to product functionality.


Last updated 3 months ago

Which of my data do you scan: new or existing?

Both. Brand new objects will be scanned via an event-based trigger as soon as they arrive in the bucket. Existing objects will be scanned via the Retro Scanning feature, where you can choose to look back at all objects within the bucket or a subset based on date-time.

For more information, check out the overview.

You can also set up scanning (new or existing files) based on a schedule. Review the documentation.

Do I have to scan all the objects in my buckets or can I scan a subset?

You can scan all objects, existing or newly coming in, or you can scan a subset. Antivirus for Amazon S3 provides Scan Lists and Skip Lists that let you determine which folders within buckets you'd like to include for scanning (Scan List) or exclude from scanning (Skip List).

You can also pick a subset of items based on time with the feature.

Can I scan the files before I write them to Amazon S3?

Yes, with you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging )

Can I scan files even if I don't use Amazon S3?

Yes, with you can send files for scanning directly. Whether you intend to use this file within Amazon S3 or not. You could have an on-prem workflow or one such that Amazon S3 is not your end destination, you can still leverage the API scan to return a file verdict.

Do you integrate with AWS Transfer Family?

Yes, we integrate with AWS Transfer Family in multiple ways. If you are already using the Transfer Family service, you can deploy our console and enable event-driven bucket protection on the S3 bucket(s) linked to your Transfer Family Server(s) to ensure their contents are clean.

Do you have an API for file scanning?

Do you have an API for management and configuration?

Yes, it is a limited set at this time, but more will be rolled out as new releases are pushed out. Check out the Management API page for more details by adding "/swagger" at the end of your Console's URL.

The most current list available will be within your own deployment. Navigate to your deployment Console and add /swagger to the end of the URL as seen here: https://<deployment-URL>/swagger/index.html

For API, Are the files stored in memory?

No, we have found that performance is faster when files are saved to disk (internal Fargate instance/container) in your own AWS account and region. As soon as the file is scanned, it is deleted from the container's disk.

Can I organize linked accounts into groups?

Yes, Antivirus for Amazon S3 allows for the organization and logical separation of linked accounts. This allows you to create a made-for-you organization structure to ease tracking, usage and where issues are originating. Groups also allow you to tie Antivirus for Amazon S3 users down to views and activities for specific sets of linked accounts.

How can I tell if files are being scanned?

The dashboard is a simple view into how much data you have scanned, how many objects you have scanned and whether you've found any infected files. Often when testing you are using small numbers of objects that are of a smaller size. It can be difficult to see those reflected on the charts, but you will see data points that you can zoom in on. They are there, just hard to see sometimes.

The problem files page is used to identify the infected, unscannable and errored files.

Will I be notified of infected and other problem files?

Can I send Scan Results to Slack / Teams / other services?

Below is what the notification looks like in Slack:

Can I send Logs/ScanResults to Splunk?

Yes. It's a very simple process. There's a Lambda blueprint that forwards straight from our CloudWatch Logs to Splunk:

  1. Create a Lambda function > Use a blueprint > Blueprint name "Send CloudWatch logs to a Splunk host" nodejs18.x

  2. Add the following import to the code already present next to the other imports: import { createRequire } from "module"; const require = createRequire(import.meta.url);

  3. Select the Log group CloudStorageSecurity.Agent.ScanResults

  4. Complete the values for the 2 Splunk Keys at the end.

That's it: any scan result you get will be logged in CloudWatch and copied into your Splunk space.

Can I only run the scanning agent when needed to save on costs?

There is also a scheduling option that allows you to define when the agents should run. This can be used for new objects or all objects in the bucket(s).

Can I setup schedules to scan my objects?

The ability to scan all files or new files (since last scan) based on a schedule. Whether it is because compliance is driving you to scan on a regular basis or it is that your workflow allows for non-real-time scanning, scheduled scanning provides flexibility for how you scan your data. You get to decide whether you want real-time, one-off on demand, schedule driven scanning or a combination of all the above.

Do you offer an overview of the Antivirus for Amazon S3 deployment?

Yes. The Deployment Overview page quickly and easily shows you which regions have infrastructure installed and buckets being protected.

How do I cleanup certain aspects of the product or do a complete uninstall?

Yes. The Deployment Overview page gives you the option to uninstall a particular aspect of the product (like event scanning) in a particular region, cleanup the entire region or completely uninstall the product.

How often do you get new signature definitions?

The product pulls new signature updates every 1 hour for the ClamAV engine and every 15 minutes for the Sophos engines and each time the agents come online or reboot. Generally, we have seen ClamAV update once per day (typically mornings) and Sophos about 4 times per day. This is not a hard and fast rule, but what we are seeing regularly.

Can I switch to 'local' repository for signature updates?

Can I eliminate public internet access to the solution? Can I run it completely privately?

Yes . . . for the most part. You can eliminate all non-AWS services public internet connections, but there are still three AWS services (Marketplace, AppConfig and Cognito) that you must have outbound internet access to interact with. The Console VPC will require access to these three services, but the agents do not. So you can lock the more prevalent agent VPCs down to have no outbound internet access.

Of course your Subnets can sit behind a NAT Gateway to help control this.

Can you scan encrypted objects?

Yes. The Agent Role will need to be granted access to the keys. This can be done in two main ways: one-off direct access or global, but limited access.

What AV engine(s) do you scan with?

We currently support the following scan engines:

  • Sophos

  • CSS Premium (this is based on a proprietary commercially available engine)

  • ClamAV

Can you scan with multiple AV engines at the same time?

Yes, we do offer multi-engine scanning with two triggers: All Files and By File Size. All Files indicates every file that is event-based scanned or on-demand/schedule scanned will be processed by the enabled engines.

By File Size indicates smaller files (<2GB) will be scanned by ClamAV-only (since ClamAV has a size limitation and can't scan above 2GB). Larger files (>2GB) will be scanned by Sophos-only. This allows you to take advantage of the scan cost savings offered by ClamAV for part of your files, but still allow for those files that are too big for ClamAV to still be scanned.

What is the max file size you can process?

It depends on which engine you are leveraging. There are three engines that can be used with the Antivirus for Amazon S3 solution. The Sophos engine will currently scan up to the max allowed Amazon S3 object size (5TB), while the ClamAV engine can process up to 2GB for any individual file. If you need to process files larger than 2GB, then you have to go with the Sophos engine.

So depending on the engine any file under the max cap will be scanned. Any file over the cap will be tagged as unscannable.

Can I setup MFA for my user?

Can I detonate files? Do you have a cloud sandbox?

How can I access the Family Transfer Server created during my deployment?

When deploying the Antivirus for Managed File Transfers solution, you can configure the CloudFormation Template to automatically deploy a Transfer Family Server for you. Once the deployment is complete, you can obtain your Transfer Family Server Id by reviewing the Outputs tab from the CloudFormation Template. Navigate to the Transfer Family service within the AWS console, select the correct server, and review its configuration.

You can connect to the Server using a file transfer service of your choice. Please note:

  • The username and password entered to connect to the console are the same username and password that will be used to connect to the Transfer Family Server.

  • The server's protocol will be SFTP (SSH File Transfer Protocol) - file transfer over Secure Shell.

  • A Lambda function is created during the deployment and will validate authentication for secure file transfers.

Which storage tiers of S3 do you support scanning for?

Currently, we only support scanning for:

  • S3 Standard

  • Intelligent-Tiering

  • Reduced Redundancy

We do not support scanning for the following S3 storage types:

  • Standard-IA

  • One Zone-IA

  • Glacier Instant Retrieval

  • Glacier Flexible Retrieval (formerly Glacier)

  • Glacier Deep Archive

If you have a need to scan files in the non-supported storage types please let us know.

If you are new to AWS Transfer Family, we have a version of our console that will automatically deploy and protect a Transfer Family Server for you. You can learn more about this specific solution at our .

Yes, with you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging )

Check out the documentation for more details.

There are 6 ways to tell files are being scanned: the Dashboard, the page, Tags on the objects themselves, CloudWatch Logs, AWS Security Hub integration and .

We do not have a page identifying all the clean files, so it is best to look directly at the object itself to see if it has had applied to it.

You may also to be informed in real-time of the scan results.

You can review the

Yes. You can always monitor the for any updates that come in regarding infected files along with the other scan results: unscannable, error and clean.

Proactively, you can subscribe to the Notifications SNS Topic to get real-time updates sent directly to you or the destination of your choice. More information on is located here.

Yes. It is a simple process (that may sound more complicated than it is) that took under 10 minutes to set up. Simply follow the process laid out in the AWS blog post about how to leverage webhooks, seen here:

You can modify the format with .

If you run into any trouble please .

Yes. You can change all aspects of the scaling setup on the page. There is specifically a option that will change the scaling values for this very configuration with the default Scaling Threshold of 1. With the value being set to 1, that would mean any time an object is placed in the queue the agent would spin up and process it (and whatever other work may show up) and then spin down once the work is completed. If you were to set this value to 50, the agent would wait for 50 new objects to show up before spinning up to process the work. Click to see how to modify the scaling settings.

Scheduled Scanning allows you to determine when your agents run. Your workflow and requirements will determine what you pick. If you need real-time scanning then a schedule is not for you. If you can have delays in your scanning or could fit your workflow well.

It may be the case that you do not want each scanning agent to reach out to the internet to gather signature updates. Rather, you would like them to be able to retrieve updates locally from within your account. This could be because you do not want the agents that touch your data to also have an internet connection. The Private Mirror / Local Updates feature supports changing the internet calls to local lookups within a specified S3 bucket. For more information, check out the help page.

Check out the help page for more details.

One-off access can be given to individual keys. The process can be seen .

Global access grants the solution access to all KMS keys, but only in the context of Amazon S3. Leveraging the viaService option in the permissions gives us access to the keys, but only while using the Amazon S3 service. Granting access this way will allow the solution to decrypt and encrypt objects even as keys change. This option is available to set during the CloudFormation deployment. If you'd like to change the value afterwards, please update the stack with the steps found .
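
The two key-access approaches described above, sketched as IAM policy statements. This is an added example, not the product's own CloudFormation template or policy: the account ID, key ID and region are constructed sample values, and the exact KMS actions the Agent Role needs are an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OneOffAccessToASingleKey",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    },
    {
      "Sid": "GlobalAccessOnlyThroughS3",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The second statement matches only requests that S3 makes to KMS on the role's behalf, so a direct KMS call with the same credentials does not satisfy its condition. In practice you would attach one statement or the other, not both.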

Check out the section for more details.

Please if you'd like to see additional engines added.

If scanning files larger than 15GB, you will need to increase the disk size of the scanning agents, either globally or regionally, in the page.

Check out more details in the section.

Please if you have additional scenarios for how multiple engines could be used.

Yes, we do support user MFA. Check out the page for details on how to set this up.

Yes, we have an OEM'd slice of the Sophos Cloud Sandbox where we can do static and dynamic analysis of files. Check out the page for more details.
