Product Functionality

Below are some of the most common questions related to product functionality.

Which of my data do you scan: new or existing?

Both. Brand new objects will be scanned via an event-based trigger as soon as they arrive in the bucket. Existing objects will be scanned via the Retro Scanning feature where you can define to look back at all objects within the bucket or a subset based on date-time.

For more information, check out the Object Scanning overview.

You can also setup scanning (new or existing files) based on a schedule. Review the Schedule Scanning documentation.

Do I have to scan all the objects in my buckets or can I scan a subset?

You can scan all objects, existing or newly coming in, or you can scan a subset. Antivirus for Amazon S3 provides Scan Lists and Skip Lists that will allow you to create Bucket Path Definitions to determine which folders within buckets you'd like to include for scanning (Scan List) or exclude from scanning (Skip List).

You can also pick a subset of items based on time with the Scan Existing Objects feature.

Can I scan the files before I write them to Amazon S3?

Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)

Can I scan files even if I don't use Amazon S3?

Yes, with API Driven Scanning you can send files for scanning directly. Whether you intend to use this file within Amazon S3 or not. You could have an on-prem workflow or one such that Amazon S3 is not your end destination, you can still leverage the API scan to return a file verdict.

Do you integrate with AWS Transfer Family?

Yes, we integrate with AWS Transfer Family in multiple ways. If you are already using the Transfer Family service, you can deploy our console and enable event-driven bucket protection on the S3 bucket(s) linked to your Transfer Family Sever(s) to ensure its contents are clean.

If you are new to AWS Transfer Family, we have a version of our console that will automatically deploy and protect a Transfer Family Server for you. You can learn more about this specific solution at our Antivirus for Managed File Transfers Marketplace listing.

Do you have an API for file scanning?

Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)

Do you have an API for management and configuration?

Yes, it is a limited set at this time, but more will be rolled out as new releases are pushed out. Check out the Management API page for more details, by adding "/swagger" at the end of your Console's URL

The most current list available will be within your own deployment. Navigate to your deployment Console and add /swagger to the end of the URL as seen here: https://<deployment-URL\>/swagger/index.html

For API, Are the files stored in memory?

No, we have found that performance is faster when files are saved to disk (internal Fargate instance/container) in your own AWS account and region. As soon as the file is scanned, it's get deleted from the containers disk.

Can I organize linked accounts into groups?

Yes, Antivirus for Amazon S3 allows for the organization and logical separation of linked accounts. This allows you to create a made-for-you organization structure to ease tracking, usage and where issues are originating. Groups also allow you to tie Antivirus for Amazon S3 users down to views and activities for specific sets of linked accounts.

Check out the Manage Groups documentation for more details.

How can I tell if files are being scanned?

There are 6 ways to tell files are being scanned: the Dashboard, the Problem Files page, Tags on the objects themselves, CloudWatch Logs, AWS Security Hub integration and Proactive Notifications.

The dashboard is a simple view into how much data you have scanned, how many objects you have scanned and whether you've found any infected files. Often when testing you are using small numbers of objects that are of a smaller size. It can be difficult to see those reflected on the charts, but you will see data points that you can zoom in on. They are there, just hard to see sometimes.

The problem files page is used to identify the infected, unscannable and errored files.

We do not have a page identifying all the clean files, so it is best to look directly at the object itself to see if it has had Object Tags applied to it.

You may also subscribe to the Notifications SNS Topic to be informed in real-time of the scan results.

You can review the CloudWatch Logs - Agent.ScanResults

Will I be notified of infected and other problem files?

Yes. You can always monitor the Dashboard for any updates that come in regarding infected files along with the other scan results: unscannable, error and clean.

Proactively, you can subscribe to the Notifications SNS Topic to get real-time updates sent directly to you or the destination of your choice. More information on Proactive Notifications is located here.

Can I send Scan Results to Slack / Teams / other services?

Yes. It is a simple process (that may sound more complicated than it is) that took under 10 minutes to setup. Simply follow the process laid out in the AWS blogpost talking about how to leverage webhooks seen here: AWS SNS + Slack / Teams / Chime setup

Below is what the notification looks like in Slack:

You can modify the format with Slack Message Layouts.

If you run into any trouble please Contact Us.

Can I send Logs/ScanResults to Splunk?

Yes. It's a very simple process. There's a Lambda BluePrint to set up straight from our CloudWatch Logs to Splunk:

  1. Create a Lambda function > Use a blueprint > Blueprint name "Send CloudWatch logs to a Splunk host" nodejs18.x

  2. Add the following import to the code already present next to the other imports: import { createRequire } from "module"; const require = createRequire(import.meta.url);

  3. Select the Log group CloudStorageSecurity.Agent.ScanResults

  4. Complete the values for the 2 Splunk Keys at the end.

That's it, any scan result you get, will be logged in Cloudwatch and copied into your Splunk space

Can I only run the scanning agent when needed to save on costs?

Yes. You can change all aspects of the scaling setup on the Agent Settings page. There is specifically a Smart Scan option that will change the scaling values for this very configuration with the default Scaling Threshold of 1. With the value being set to 1, that would mean any time an object is placed in the queue the agent would spin up and process it (and whatever other work may show up) and then spin down once the work is completed. If you were to set this value to 50, the agent would wait for 50 new objects to show up before spinning up to process the work. Click here to see how to modify the scaling settings.

There is also a scheduling option that allows you to define when the agents should run. This can be used for new objects or all objects in the bucket(s).

Can I setup schedules to scan my objects?

The ability to scan all files or new files (since last scan) based on a schedule. Whether it is because compliance is driving you to scan on a regular basis or it is that your workflow allows for non-real-time scanning, scheduled scanning provides flexibility for how you scan your data. You get to decide whether you want real-time, one-off on demand, schedule driven scanning or a combination of all the above.

Scheduled Scanning allows you to determine when your agents run. Your workflow and requirements will determine what you pick. If you need real-time scanning then a schedule is not for you. If you can have delays in your scanning Smart Scan or Scheduled Scans could fit your workflow well.

Do you offer an overview of the Antivirus for Amazon S3 deployment?

Yes. The Deployment Overview page quickly and easily shows you which regions have infrastructure installed and buckets being protected.

How do I cleanup certain aspects of the product or do a complete uninstall?

Yes. The Deployment Overview page gives you the option to uninstall a particular aspect of the product (like event scanning) in a particular region, cleanup the entire region or completely uninstall the product.

How often do you get new signature definitions?

The product pulls new signature updates every 1 hour for the ClamAV engine and every 15 minutes for the Sophos engines and each time the agents come online or reboot. Generally, we have seen ClamAV update once per day (typically mornings) and Sophos about 4 times per day. This is not a hard and fast rule, but what we are seeing regularly.

With the CrowdStrike engine being an ML-based engine, the vendor updates the ML model around 3 times per year. The updated ML model will be included with our product update when released.

Can I switch to 'local' repository for signature updates?

It may be the case where you do not want each scanning agent to reach out to the internet to gather signature updates. Rather, you would like them to be able to retrieve updates locally from within your account. This could be you do not want the agents, that touch your data, to also have an internet connection. The Private Mirror / Local Updates feature supports changing the internet calls to local lookups within a specified S3 bucket. For more information, check out the Private Mirror (local updates) help page.

Can I eliminate public internet access to the solution? Can I run it completely privately?

Yes . . . for the most part. You can eliminate all non-AWS services public internet connections, but there are still three AWS services (Marketplace, AppConfig and Cognito) that you must have outbound internet access to interact with. The Console VPC will require access to these three services, but the agents do not. So you can lock the more prevalent agent VPCs down to have no outbound internet access.

Of course your Subnets can sit behind a NAT Gateway to help control this.

Check out the Deployment Options help page for more details.

Can you scan encrypted objects?

Yes. The Agent Role will need to be granted access to the keys. This can be done in two main ways: one-off direct access or global, but limited access.

One-off access can be given to individual keys. The process can be seen here.

Global access grants the solution access to all KMS keys, but only in the context of Amazon S3. Leveraging the viaService option in the permissions gives us access to the keys, but only while using the Amazon S3 service. Granting access this way will allow the solution to decrypt and encrypt objects even as keys changes. This option is available to set during the CloudFormation deployment. If you'd like to change the value afterwards, please update the stack with the steps found here.

What AV engine(s) do you scan with?

We currently support the following scan engines:

  • Sophos

  • CrowdStrike

  • ClamAV

Check out the Scan Engines section for more details.

Please Contact Us if you'd like to see additional engines added.

Can you scan with multiple AV engines at the same time?

Yes, we do offer multi-engine scanning with two triggers: All Files and By File Size. All Files indicates every file that is event-based scanned or on-demand/schedule scanned will be processed by the enabled engines.

By File Size indicates smaller files (<2GB) will be scanned by ClamAV-only or (<20MB) will be scanned by CrowdStrike-only (since ClamAV and CrowdStrike have a size limitation and can't scan above 2GB or 20MB respectively). Larger files (>2GB or >20MB) will be scanned by Sophos-only. This allows you to take advantage of the scan cost savings offered by ClamAV or ML-based scanning offer by CrowdStrike for part of your files, but still allow for those files that are too big for ClamAV or CrowdStrike to still be scanned.

If scanning files larger than 15gb, you will need to increase the disk size of the scanning agents, either globally or regionally, in the Event Agent Settings page.

Check out more details in the Scan Settings → Scan Engine section.

Please Contact Us if you have additional scenarios for how multiple engines could be used.

What is the max file size you can process?

It depends on which engine you are leveraging. There are three engines that can be used with the Antivirus for Amazon S3 solution. The Sophos engine will currently scan up to the max allowed Amazon S3 object size (5TB). While the ClamAV engine can process up to 2GB for any individual file. CrowdStrike can scan files up to 20MB in size. If you need to process files larger than 20MB or 2GB then you have to go with the Sophos engine.

So depending on the engine any file under the max cap will be scanned. Any file over the cap will be tagged as unscannable.

Can I setup MFA for my user?

Yes, we do support user MFA. Check out the User Management page for details on how to set this up.

Can I detonate files? Do you have a cloud sandbox?

Yes, we have an OEM'd slice of the Sophos Cloud Sandbox where we can do static and dynamic analysis of files. Check out the Static and Dynamic Analysis page for more details.

How can I access the Family Transfer Server created during my deployment?

When deploying the Antivirus for Managed File Transfers solution, you can configure the CloudFormation Template to automatically deploy a Transfer Family Server for you. Once the deployment is complete, you can obtain your Transfer Family Server Id by reviewing the Outputs tab from the CloudFormation Template. Navigate to the Transfer Family service within the AWS console, select the correct server, and review its configuration.

You can connect to the Server using a file transfer service of your choice. Please note:

  • The username and password entered to connect to the console is the same username and password that will be used to connect to the Transfer Family Server.

  • The server's protocol will be SFTP (SSH File Transfer Protocol) - file transfer over Secure Shell.

  • A Lambda function is created during the deployment and will validate authentication for secure file transfers.

Last updated