Product Functionality

Below are some of the most common questions related to product functionality.

Which of my data do you scan: new or existing?

Both. Brand new objects will be scanned via an event-based trigger as soon as they arrive in the bucket. Existing objects will be scanned via the Retro Scanning feature where you can define to look back at all objects within the bucket or a subset based on date-time.
For more information, check out the Object Scanning overview.
You can also setup scanning (new or existing files) based on a schedule. Review the Schedule Scanning documentation.

Do I have to scan all the objects in my buckets or can I scan a subset?

You can scan all objects, existing or newly coming in, or you can scan a subset. Antivirus for Amazon S3 provides Scan Lists and Skip Lists that will allow you to create Bucket Path Definitions to determine which folders within buckets you'd like to include for scanning (Scan List) or exclude from scanning (Skip List).
You can also pick a subset of items based on time with the Scan Existing Objects feature.

Can I scan the files before I write them to Amazon S3?

Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)

Can I scan files even if I don't use Amazon S3?

Yes, with API Driven Scanning you can send files for scanning directly. Whether you intend to use this file within Amazon S3 or not. You could have an on-prem workflow or one such that Amazon S3 is not your end destination, you can still leverage the API scan to return a file verdict.

Do you have an API for file scanning?

Yes, with API Driven Scanning you can send files for scanning directly. This is useful if you have a workflow where the file scan dictates whether the file should be stored in Amazon S3. There are a number of additional useful scenarios where an API comes in handy: scan on read (leveraging Amazon S3 Object Lambda)

Do you have an API for management and configuration?

Yes, it is a limited set at this time, but more will be rolled out as new releases are pushed out. Check out the Management API page for more details.
The most current list available will be within your own deployment. Navigate to your deployment Console and add /swagger to the end of the URL as seen here: https://<deployment-URL\>/swagger/index.html

Can I organize linked accounts into groups?

Yes, Antivirus for Amazon S3 allows for the organization and logical separation of linked accounts. This allows you to create a made-for-you organization structure to ease tracking, usage and where issues are originating. Groups also allow you to tie Antivirus for Amazon S3 users down to views and activities for specific sets of linked accounts.
Check out the Manage Groups documentation for more details.

How can I tell if files are being scanned?

There are 6 ways to tell files are being scanned: the Dashboard, the Problem Files page, Tags on the objects themselves, CloudWatch Logs, AWS Security Hub integration and Proactive Notifications.
The dashboard is a simple view into how much data you have scanned, how many objects you have scanned and whether you've found any infected files. Often when testing you are using small numbers of objects that are of a smaller size. It can be difficult to see those reflected on the charts, but you will see data points that you can zoom in on. They are there, just hard to see sometimes.
The problem files page is used to identify the infected, unscannable and errored files.
We do not have a page identifying all the clean files, so it is best to look directly at the object itself to see if it has had Object Tags applied to it.
You may also subscribe to the Notifications SNS Topic to be informed in real-time of the scan results.

Will I be notified of infected and other problem files?

Yes. You can always monitor the Dashboard for any updates that come in regarding infected files along with the other scan results: unscannable, error and clean.
Proactively, you can subscribe to the Notifications SNS Topic to get real-time updates sent directly to you or the destination of your choice. More information on Proactive Notifications is located here.

Can I send Scan Results to Slack / Teams / other services?

Yes. It is a simple process (that may sound more complicated than it is) that took under 10 minutes to setup. Simply follow the process laid out in the AWS blogpost talking about how to leverage webhooks seen here: AWS SNS + Slack / Teams / Chime setup
Below is what the notification looks like in Slack:
You can modify the format with Slack Message Layouts.
If you run into any trouble please Contact Us.

Can I only run the scanning agent when needed to save on costs?

Yes. You can change all aspects of the scaling setup on the Agent Settings page. There is specifically a Smart Scan option that will change the scaling values for this very configuration with the default Scaling Threshold of 1. With the value being set to 1, that would mean any time an object is placed in the queue the agent would spin up and process it (and whatever other work may show up) and then spin down once the work is completed. If you were to set this value to 50, the agent would wait for 50 new objects to show up before spinning up to process the work. Click here to see how to modify the scaling settings.
There is also a scheduling option that allows you to define when the agents should run. This can be used for new objects or all objects in the bucket(s).

Can I setup schedules to scan my objects?

The ability to scan all files or new files (since last scan) based on a schedule. Whether it is because compliance is driving you to scan on a regular basis or it is that your workflow allows for non-real-time scanning, scheduled scanning provides flexibility for how you scan your data. You get to decide whether you want real-time, one-off on demand, schedule driven scanning or a combination of all the above.
Scheduled Scanning allows you to determine when your agents run. Your workflow and requirements will determine what you pick. If you need real-time scanning then a schedule is not for you. If you can have delays in your scanning Smart Scan or Scheduled Scans could fit your workflow well.

Do you offer an overview of the Antivirus for Amazon S3 deployment?

Yes. The Deployment Overview page quickly and easily shows you which regions have infrastructure installed and buckets being protected.

How do I cleanup certain aspects of the product or do a complete uninstall?

Yes. The Deployment Overview page gives you the option to uninstall a particular aspect of the product (like event scanning) in a particular region, cleanup the entire region or completely uninstall the product.

How often do you get new signature definitions?

The product pulls new signature updates every 1 hour for the ClamAV engine and every 15 minutes for the Sophos engines and with each time the agents come online or reboot. Generally, we have seen ClamAV update once per day (typically mornings) and Sophos about 4 times per day. This is not a hard and fast rule, but what we are seeing regularly.

Can I switch to 'local' repository for signature updates?

It may be the case where you do not want each scanning agent to reach out to the internet to gather signature updates. Rather, you would like them to be able to retrieve updates locally from within your account. This could be you do not want the agents, that touch your data, to also have an internet connection. The Private Mirror / Local Updates feature supports changing the internet calls to local lookups within a specified S3 bucket. For more information, check out the Private Mirror (local updates) help page.

Can I eliminate public internet access to the solution? Can I run it completely privately?

Yes . . . for the most part. You can eliminate all non-AWS services public internet connections, but there are still three AWS services (Marketplace, AppConfig and Cognito) that you must have outbound internet access to interact with. The Console VPC will require access to these three services, but the agents do not. So you can lock the more prevalent agent VPCs down to have no outbound internet access.
Of course your Subnets can sit behind a NAT Gateway to help control this.
Check out the Deployment Options help page for more details.

Can you scan encrypted objects?

Yes. The Agent Role will need to be granted access to the keys. This can be done in two main ways: one-off direct access or global, but limited access.
One-off access can be given to individual keys. The process can be seen here.
Global access grants the solution access to all KMS keys, but only in the context of Amazon S3. Leveraging the viaService option in the permissions gives us access to the keys, but only while using the Amazon S3 service. Granting access this way will allow the solution to decrypt and encrypt objects even as keys changes. This option is available to set during the CloudFormation deployment. If you'd like to change the value afterwards, please update the stack with the steps found here.

What AV engine(s) do you scan with?

We support both ClamAV and Sophos!
Check out the Scan Engines section for more details.
Please Contact Us if you'd like to see additional engines added.

Can you scan with multiple AV engines at the same time?

Yes, we do offer multi-engine scanning with two triggers: All Files and By File Size. All Files indicates every file that is event-based scanned or on-demand/schedule scanned will be processed by both engines. By File Size indicates smaller files (<2gb) will be scanned by ClamAV-only (since ClamAV has a size limitation and can't scan above 2gb) and larger files (>2gb) will be scanned by Sophos-only. This allows you to take advantage of the scan cost savings offered by ClamAV for part of your files, but still allow for those files that are too big for ClamAV to still be scanned.
If scanning files larger than 15gb, you will need to increase the disk size of the scanning agents, either globally or regionally, in the Event Agent Settings page.
Check out more details in the Scan Settings → Scan Engine section.
Please Contact Us if you have additional scenarios for how multiple engines could be used.

What is the max file size you can process?

It depends on which engine you are leveraging. There are two engines that can be used with the Antivirus for Amazon S3 solution. The Sophos engine will currently scan up to the max allowed Amazon S3 object size (5TB). While the ClamAV engine can process up to 2GB for any individual file. If you need to process files larger than 2GB then you have to go with the Sophos engine. So depending on the engine any file under the max cap will be scanned. Any file over the cap will be tagged as unscannable.
Update June 2021 As AWS Fargate increases its native disk size, we will increase the overall scanned file size to match accordingly. With the 200GB bump that happened in May, we can comfortably do 195GB file sizes. Please Contact Us if this is important to you so we can understand the urgency of the need.
Update December 2021 We have now added support for multi-TB sized files with our Extra Large File Scanning feature. Files over 195GB will not be treated as individual jobs that can be monitored on the Jobs page.
Note: we know we can leverage EFS to do even larger file sizes, but testing and development work done so far reveals this isn't the best route to take for performance to cost ratio.

Can I setup MFA for my user?

Yes, we do support user MFA. Check out the User Management page for details on how to set this up.

Can I detonate files? Do you have a cloud sandbox?

Yes, we have an OEM'd slice of the Sophos Cloud Sandbox where we can do static and dynamic analysis of files. Check out the Static and Dynamic Analysis page for more details