v7
A list of features and releases for version 6 and prior.
Last updated
A list of features and releases for version 6 and prior.
Last updated
We released v8.00.000 of our solution in August 2024. If you haven't already updated and are running an older version you can review release details for previous versions on this page.
We recommend you upgrade your deployment to the latest version to receive the latest features, improvements, and bug fixes. Please note you'll need to upgrade to the latest current version you're on before you can upgrade to the next major version.
If you need to find the release notes for v8 you can click here.
In this release:
Console API User and Account Creation
While group creation via Console API has been possible, the Console API now supports the creation of users and accounts
Multifactor Authentication Improvement
MFA is now enforced in the AV console when enabled in your Cognito User Pool
If MFA is not already set up, users are requested to set up MFA through the AV console
ALB Security Improvements
ALBs now drop invalid HTTP headers. This is done to prevent HTTP desync attacks
First Time Deployment Welcome Experience
A new welcome experience will now allow you to get started upon first deployment of our solution
Various Improvements and Bug Fixes
Job Details console page fixes, and indication of unscannable storage classes
FSx Scanning fixes
Findings page fix and proactive notification SNS improvements
Scheduled Scan page Fix
API Agent DNS Fix
v7.11.000 CloudFormation Template
In this release:
A fix for FSx scanning functionality
v7.10.001 CloudFormation Template
In this release:
AWS GuardDuty Integration
GuardDuty users can leverage us to:
Scan against our engines for increased efficacy
Quarantine findings without having to stand up additional handling through GuardDuty
Initiate on-demand and scheduled Retro Scans on their pre-existing data
The GuardDuty, Security Hub, and CloudTrail Lake Integrations have been added to a separate AWS Integrations page in the Management Console.
Amazon Bedrock Integration for Custom Classification Rules
Leverages RegEx for pattern matching
Once enabled through the CloudFormation Template, you can integrate Bedrock to help build complex regex expressions using AI
Amazon Bedrock Integration for Malware Definitions & Remediation
When Malware is discovered you can “Ask Bedrock” for more information on the finding
The console must be deployed in one of the following regions to have access to Bedrock:
US East (N. Virginia)
US West (Oregon)
Asia Pacific (Tokyo)
Europe (Frankfurt)
AWS GovCloud (US-West)
There is a new Bedrock parameter in the CFT which is disabled by default.
World Threat Map & S3 Storage Map added to the Dashboard
The Dashboard has a world threat map which shows the regions you have S3 buckets in and surfaces any infections/classification matches in those regions
Security Hub Integration Improvement
You can now send linked account findings to Security Hub
Sophos Scanning Engine Update
Sophos scanning engine updated to v3.91
Various Improvements and Bug Fixes
Auto Scaling issue resolved when Smart Scan is turned off
Quarantine bucket policy fix
S3 API retry call improvements
ClamAV engine handling
v7.10.000 CloudFormation Template
In this release:
Private Deployment CloudFormation Template
If you need a way to deploy privately but aren't sure which subnets to use from your current VPCs, you can use our private deployment CFT to create a new VPC with all of the resources (subnets, VPC endpoints, etc.) needed to deploy your Management Console and scanning agents in a fully private environment
Ability to disable classification through the Management Console
You can now disable Data Classification through the License Management page of your Management Console
CXMail findings are now marked as suspicious instead of infected
The Sophos scanning engine has a CXMail identity that is specific to files sent over email channels. This finding while useful, does not fully apply to cloud storage mediums. Because of this, we are re-categorizing all findings under the CXMail identity to be found as suspicious. If you come across a CXMail finding we recommend you run a static or dynamic analysis to see if the file is legitimately malicious
Various Improvements and Bug Fixes
Large File Scanning EC2 instances are labeled with names identifying them as instances stood up by Cloud Storage Security
Job Networking selection of us-west-1 fixed
Improvement to Notifications Filters
Data Classification error fixed for EFS volumes
In this release:
A fix for page errors when the Management Console is trying to display 100+ linked accounts
Broken linked account Management Console API functions
Scheduled job bug fixes
v7.08.002 CloudFormation Template
In this release:
A fix for EBS volumes that were failing scanning
v7.08.001 CloudFormation Template
In this release:
Ability to use S3 Inventory Reports for crawling
Users now have the option to leverage existing S3 Inventory Reports to collect the list of objects when initiating a retro scan of S3 buckets. Note: If chosen buckets are not included within the S3 Inventory Report selected, those buckets will not be scanned during the job.
EFS: Scan Existing AV & DC
We've added the ability to scan pre-existing EFS Volumes for malware or against user-selected classification rule sets.
FSx: Scan Existing AV & DC
We've added the ability to scan pre-existing FSx Volumes for malware or against user-selected classification rule sets.
Controls to determine whether to upload files matched by the Classification API
When using the Classification API, you can now control whether all files are uploaded upon scan, or only those that have not been matched by your chosen Classification Rule Set.
Various Improvements and Bug Fixes
Display subnet in Job Details
No longer show resources from inactive linked accounts
Storage Breakdown data consistency
Permission issue preventing Console Logs from being tagged properly
Fixed issue preventing Large File Scans being triggered via API
v7.08.000 CloudFormation Template
IMPORTANT to get the SSL Cert up to date, and keep your DNS secure.
In this release:
Improved handling for EBS scanning quotas
A fix for EBS volume scanning in GovCloud
v7.07.001 CloudFormation Template
In this release:
Scan Stability Improvements
Handling of S3 rate limiting when scanning a large number of S3 objects
Handling of EBS Service Quotas, ensuring we don’t use all of the customer’s quota, or try to run jobs when we don’t have the space required
Trial Notification Improvements
Data remaining notification 100, 50, 25, 0GB left of free trial data
Expiration notification: 7, 3, 1, 0 days left on free trial
Added support for FSx Lustre volumes
We now support schedule-based virus scanning and data classification for FSx Lustre volumes
Added support for EBS Scan Existing - DC
You can now classify pre-existing data in EBS volumes.
EBS and LFS Scanning Improvements
We've migrated both EBS Scanning and LFS Scanning to leverage the new EBS on Fargate integration
Central Job Networking Configuration page
You can now manage networking configuration for jobs all on one page
V7.07.000 CloudFormation Template
In this release:
A patch to fix an issue related to scanning of FSx volumes
A patch to fix an issue related to deployment of our solution using a private environment with a proxy
v7.06.004 CloudFormation Template
In this release:
A patch to fix an issue with SSO functionality communicating with integrated IDPs.
v7.06.003 CloudFormation Template
In this release:
A patch to fix an issue with FSx volumes being retrieved and displayed in your AV Console.
v7.06.002 CloudFormation Template
In this release:
A patch to surface logs related to FSx volumes and scanning for those volume types.
v7.06.001 CloudFormation Template
In this release:
API Scanning for Data Classification
You now have the ability to classify text-based documents and scan for PII using API agents.
All you need to do is enable the Configure Classification toggle and select the rule set(s) you want to use for classification. After this anytime a file is sent to your API endpoint we will classify it and provide information on whether it contains PII against the rule set(s) you've selected.
FSx OpenZFS volume types
We now support schedule-based virus scanning and data classification for FSx OpenZFS volumes
We will add support for additional FSx file systems in future releases. If you need a specific file system supported sooner please Contact Us.
Console Checker Tool
During deployment of our Management Console we will now perform a series of checks of your environment to ensure that the VPC, Subnets, CIDR range, etc. have been set properly and are compatible with our deployment.
Proactive Notifications for Data Consumed
We have added a Proactive Notification Type which you can use to notify when you are running low on prepaid data.
Scan using multiple engines via API
You can now use multiple engines to perform API scans either by using the default configuration you've set on the Scan Settings page or by setting API specific engines.
Use pre-existing Load Balancers for Management Console
If you would like to use a Load Balancer for your Management Console you can now assign a pre-existing LB that you have stood up instead of creating a new one from scratch through the CFT.
Our CloudFormation Template now allows specifying the existing target group ARN. If the ARN value is specified, the CFT will register the ECS Console Service with that Target Group instead of creating a new LB.
v7.06.000 CloudFormation Template
In this release:
Classify pre-existing objects in S3 buckets
We've added the ability to scan pre-existing objects stored in S3 buckets against user-selected classification rule sets by selecting Scan Existing - DC through the Actions menu on the Bucket Protection page.
Advanced Scan Setting: Files to process in parallel
This setting controls how many files are scanned at the same time by your scanning agent(s), when using Sophos or CrowdStrike. It is designed to be used in scenarios where small, compressed files are unexpectedly triggering Large File Scans.
We recommend that you do not modify this setting, and use the default value. It should only be changed in the scenario where you are scanning small, compressed files resulting in unnecessary Large File Scans being initiated.
Various Bug Fixes:
Improvements to Unhealthy Event Agent SNS Topic Proactive Monitor
Eliminated false-positives when detecting unhealthy Event Agent topics, and improved the message body when delivering notifications
Resolved issue with Smart Scan sometimes deleting the SNS subscription
Resolved an issue where S3 buckets in linked accounts were not showing the proper protection status in the console
v7.05.000 CloudFormation Template
**VERY IMPORTANT** Critical to update your Console If you are running a previous version of v7.04 we recommed that you upgrade to this latest patch immediately.
In this release:
A patch to resolve an AWS Marketplace billing issue we identified that may affect a small number of customers running previous versions of v7.04.
v7.04.004 CloudFormation Template
The Scan Existing function for our API scanning model was not metered correctly through AWS Marketplace and you may not have been previously charged for retro data scanning. We introduced a fix in this version to resolve this so you may see your scanning bill increase depending on if you are using the Scan Existing function through our API scanning model.
In this release:
Scheduled Scanning for FSx Volumes
We now support schedule-based virus scanning and data classification for FSx volumes.
Currently we only support the NetApp ONTAP file system, however we will add support for additional file systems in future releases. If you need a specific file system supported please Contact Us.
Universal Gigabyte Scanning
Soon you will be able to purchase data for any scan type (new data, pre-existing data) without having to worry about what type of data you are scanning.
Job Monitoring Insights
We now show additional details for each scan job you start including account, container, results, and job logs directly in your Management Console.
Various Bug Fixes:
Fixed EFS job networking
Resolved issue with schedules if Data Classification custom rule sets have been deleted
In this release:
AV Two-Bucket System Configuration
The Two-Bucket System allows moving objects to a different bucket and/or prefix after being successfully scanned as Clean. All other result types -- Infected, Error, Unscannable -- remain in the protected source bucket
This system can be configured within Configuration > Scan Settings
When leveraging this capability, the promotion of the clean files is handled directly within the agent and eliminates the need for a Lambda Function to promote the files
EBS Scanning for Linked Accounts
We now support schedule-based virus scanning and data classification for the EBS volumes within your linked accounts
The volumes from your linked accounts will appear within your EBS Protection page as well as the Schedule creation interface
Please note that you must first update the Linked Account CFT for each of your linked accounts to take advantage of this capability
EFS Volume Inventory for Linked Accounts
We will not display the EFS volumes that reside within your linked accounts by default. If you would like to display volumes that reside in linked account, there is a toggle within the EFS Protection page to show/hide these volumes
The ability to scan these volumes will be included in a future update
Please note that you must first update the Linked Account CFT for each of your linked accounts to take advantage of this capability
Refresh List of EBS and EFS Volumes
Using the Actions dropdown within both the EBS and EFS Protection pages, you can now manually refresh the list of volumes
Unique Job IDs
Each Job will now display a unique ID within the Monitoring > Jobs page
This ID will also be present within the CloudWatch logs, allowing you to easily link logs to specific jobs that have run
Changes to default date range when loading date-based reports
When loading reports that display data based on date, the report will now default to showing the full previous day and full current day. Prior to this change it would default to the previous 24 hours from when the report was viewed
Reports updated: Problem Files, Jobs, Notifications
EventBridge Notifications
Added the possibility to send proactive notifications to EventBridge in Console Settings > AWS EventBridge Proactive Notifications
This will send the notifications to the selected event bus, where you can create rules to send the notification somewhere else. e.g. CloudWatch
Management API
Additional function to allowing assigning Linked Accounts to Groups on creation
Added Manage Groups endpoints
Various Bug Fixes:
Fixed EventBridge Scanning for linked accounts
Fixed Cognito issue breaking Manage Users and Manage Groups pages
Maximize the amount of buckets and capacity of protection
Improved clean up for stale jobs (retro, LFS, etc.)
v7.03.000 CloudFormation Template
In this release:
Allow assigning Linked Accounts to Groups on creation
v7.02.002 CloudFormation Template
In this release:
Problem Files/Findings Page Improvements
Unclassifiable results now show in the DC findings as a Classification Result Type
Retrying Static & Dynamic Analysis
You can now retry performing a Static or Dynamic Analysis
Sophos updates their Static and Dynamic analysis library periodically and retrying an analysis at a later time can yield a different or more informative result. If an analysis failed the first time around you can also retry it.
Rescanning for large files is now available
Multi-engine rescan
When rescanning files you can now select the engine to rescan with and perform the rescan with multiple engines.
API Agent Allowed Request Origins Configuration (CORS)
If you are embedding our scan API within a web app, you can now specify the web app domain(s).
Various Bug Fixes:
EBS Data Classification fixes and improvements
Monitoring page fixes
v7.02.000 CloudFormation Template
In this release:
EBS and EFS Scheduled Scanning
We now support schedule-based virus scanning and data classification for EBS volumes and EFS volumes
EBS Virus Scanning and Classification supports Linux and Windows (FAT4, XFS, NTFS, exFAT. FileSystems)
You can now have a schedule that scans and classifies a mixture of S3 buckets, EBS and EFS volumes
Please note that you must first stage a region to run a scan on any EBS volume within that region, if you have not already deployed a scanner within that region.
This will be corrected in a patch, afterwhich you will be prompted to configure the region when activating your schedule.
Problem Files Rescan Functionality
You now have the ability to rescan any problem files that are found to be infected, unscannable, suspicious, or have an error.
If a file is found to be unscannable or produces an error upon being scanned, we will not charge you for the data that scan used. Once you rescan, if the file is scanned successfully and is found to be clean, infected, or suspicious the scan will count towards your scanning data.
Proactive Monitoring
This is the first version of our Proactive Monitoring functionality. This will be part of a larger release where we will implement modules to monitor certain parts of your deployment
Your Console and Agent will detect issues and create CloudWatch alarms to notify you of a broken deployment. This iteration monitors the following:
Event Agent SNS Topic or Access Policy doesn't exist
Re-create SNS topic and automatically fix Access Policy
Invalid ECS Task Running
Performs an analysis on resources to determine if the Task is running when it should not.
Unhealthy status means:
ScanQueue job status is not running
SQS Queue is missing
A notification email will be sent informing you of an unhealthy region
Console Health Check
If the Console is found to be unhealthy we will send a notification when the CloudWatch Alarm Status changes
Updated Protection Section in Management Console Navigation
Protection now links to pages for your S3 Buckets, EBS Volumes, EFS Volumes, and WorkDocs Connections
Various Bug Fixes:
API Agent Cross Region Scanning Fix
Scan Now improvement on scan schedules
WorkDocs icon in Problem Files table
CloudTrail Integration Fix
Large File Scanning improvements and fixes
v7.01.001 CloudFormation Template
In this release:
Various Bug Fixes:
Extra large file scanning and EC2 error
v7.00.004 CloudFormation Template
In this release:
Various Bug Fixes:
AWS Marketplace metering reporting
v7.00.003 CloudFormation Template
In this release:
New Premium Scan Engine Added - CrowdStrike
Introducing the CrowdStrike File Analyzer Software Development Kit (SDK) scanning engine, which uses market-leading machine learning technology and CrowdStrike’s massive corpus of malware samples to scan for malicious code
Available for event-based, retro-based (both on-demand and schedule), and API-based scanning
Get more details by visiting the Scan Engines section of the Architecture Overview page
Read our blog post announcement
Secure Your Managed File Transfer: Cloud Storage Security + AWS Transfer Family
Ensure the data that is moved into Amazon S3 via AWS Transfer Family is free of ransomware, viruses, trojans and other payloads by scanning it inline with Antivirus for Amazon S3
Integrated AWS Partner Solution created for simple, single-click install of both solutions. Be up and running with both solutions in under 15 minutes
Check out the Integrations page for more details
Event Bridge Support in Console
In November of 2022 we released Event Bridge support through our management API. As of v7.00.000, you can now protect your buckets with Event Bridge or with S3 Event Notifications protection through the Console and if there is a conflict we will best match protection method to resolve the conflict
For example, if you select multiple buckets to protect with event-based. scanning and some of them contain conflicts we will protect the conflict buckets with Event Bridge (after you acknowledge this in the popup modal) and the rest will be protected with S3 Event Notifications. If you decline in the modal we will not protect those conflicted buckets.
If Protect with Event Bridge is enabled globally from Scan Settings then we will protect all selected buckets with Event Bridge without acknowledgment.
Learn more on the Bucket Protection and Scan Settings pages on how Event Bridge helps to resolve event-based scanning on conflicted buckets
Protecting buckets with Event Bridge will incur additional AWS charges. If enabled globally, we will not go back to currently protected buckets and switch their current protection method.
API Scanning Agent
Updated Load Balancer SSL certificate from TLS 1.2 to 1.3
Additional engine choices for scanning now include CrowdStrike and ClamAV
Multi-engine API scanning will be coming in a future release.
Please note, that if the application you have integrated API scanning into only supports TLS 1.2 you will need to upgrade it to support TLS 1.3. Otherwise your application will not be able to successfully communicate with our API Scanning Agent.
Problem Files
Pagination Improvements
CSV export improvements
Various Bug Fixes
Better character handling for file paths
Resolved problem file allow once/permanently error when infected file handling is set to Keep
Scanning agent logging and updates improvements
SQS Queue messages handling
v7.00.002 CloudFormation Template
