v6 and older
A list of features and releases for version 5 and prior.
We released v8.00.000 of our solution in August 2024. If you haven't already updated and are running an older version, you can review release details for previous versions on this page.
We recommend you upgrade your deployment to the latest version to receive the latest features, improvements, and bug fixes. Please note you'll need to upgrade to the latest release of the major version you're on before you can upgrade to the next major version.
If you need to find the release notes for v8 you can click here.
Below you can view release note details for versions 2-6.
In this release:
System Tagging for Resources
The System Tags feature allows you to apply your own custom tags to the resources deployed by Cloud Storage Security within your AWS environment. By applying descriptive tags to your resources, you gain the ability to categorize, search, and filter based on specific criteria.
API Scanning with ClamAV
API Scanning now supports both the ClamAV and Sophos scanning engines. When you create your API agent you'll be able to select the scanning engine you want to use. Both engines support the following functions:
API/Token
API/Scan
API/Scan/Upload
API/Scan/Existing
API/Scan/URL
Prefixes support for On Demand Scanning
You can now set prefixes for your buckets when performing a retro-based on demand scan.
Data scanned column added to Results page table
The results table located under Monitoring > Results now shows the amount of data scanned for each date across each type of breakdown.
Problem Files Page Improvements
Pagination is now available on the Problem Files page
You can now export data shown on the Problem Files page to a CSV for external analysis
Various Bug Fixes
Additional bug fixes and improvements for both Antivirus and Data Classification.
v6.06.000 CloudFormation Template
In this release:
Various Bug Fixes:
Scan Queue improvement if crawling is still running
Agent environment improvements
In this release:
Various Bug Fixes:
Ensuring files that cannot fit on disk are properly deleted
Agent Linked Account Role Assumption Error Handling Improvements
In this release:
Various Bug Fixes:
Fix for bucket protection failing after console reboot
In this release:
Various Bug Fixes:
Linked Account improvements
AWS Marketplace metering
In this release:
Various Bug Fixes:
Fix API Agent security group deployment issue - when upgrading an existing API Endpoint the agent security group was modified to have no inbound rules (introduced in 6.05.001) - this release fixes that
v6.05.002 CloudFormation Template
For those that have a larger ProblemFiles table in DynamoDB, you may notice that this update takes longer than usual. Please DO NOT restart the console or disrupt the update, as that may cause damage to your deployment.
In this release:
Specify your own Security Groups at deployment
We have had a number of requests to leverage existing Security Groups rather than having the solution create its own
You can now specify Security Groups when deploying from the CloudFormation Template
New Console User Role: Read-only
You can now create console users that have read-only permissions throughout the console
These users will not be able to make any changes to any functioning aspect of the deployment
They will be able to download reporting information from: Results, Usage and Problem Files reporting
API Endpoint UI Enhancement
You can now easily specify separate sets of Subnets for the Load Balancer and the Scanning Agent independently
Event-based Scanning for Data Classification is now available
Long-awaited request delivered. On top of schedule based data classification, real-time event-based classification is publicly released
Simply click the shield to turn on event driven, rules-based classification of files
Pair AV and data classification scanning together off of the same event driven scanning
Create a 3 bucket system where you AV scan first, chain classification onto the clean files and after that only promote clean, non-sensitive files to production for consumption
Archive Handling Enhancements
You will no longer run into archive file issues where the archive uncompresses to larger than the available disk
True archive file size is evaluated before scanning takes place - if the true size is found to be too big, it can trigger the Large File Scanning process or simply tag the file as unscannable-too large
This is applicable to zip, 7zip and gz files at this time - reach out to us if more file types need to be supported sooner
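The pre-scan size check described above can be sketched as follows. This is an added example, not the product's code: the function names, the routing labels and the `free_disk` parameter are assumptions, and 7zip is left out because the Python standard library has no reader for it.

```python
import gzip
import io
import zipfile

CHUNK = 64 * 1024  # read size while streaming a gzip member


def zip_declared_size(data):
    """Sum the uncompressed sizes recorded in the zip central directory.

    These sizes are written by whoever built the archive, so extraction
    should still enforce a byte cap of its own.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def gzip_size_up_to(data, cap):
    """Stream-decompress gzip data and count bytes, stopping once past cap.

    The gzip trailer only stores the length modulo 2**32, so the reliable
    way to learn the real size is to decompress without keeping the output.
    """
    total = 0
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        while total <= cap:
            chunk = gz.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
    return total


def route(data, free_disk, large_file_scanning):
    """Decide what to do with an object before it is unpacked for scanning.

    Returns one of three constructed labels: "scan", "large-file-scanning"
    or "unscannable-too-large".
    """
    if data[:2] == b"\x1f\x8b":                      # gzip magic bytes
        size = gzip_size_up_to(data, free_disk)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        size = zip_declared_size(data)
    else:
        size = len(data)                             # not an archive we handle
    if size <= free_disk:
        return "scan"
    return "large-file-scanning" if large_file_scanning else "unscannable-too-large"


def constructed_zip(n_bytes):
    """Constructed sample: a zip holding n_bytes of zeros (compresses well)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * n_bytes)
    return buf.getvalue()


def constructed_gzip(n_bytes):
    """Constructed sample: n_bytes of zeros as a single gzip member."""
    return gzip.compress(b"\0" * n_bytes)


if __name__ == "__main__":
    one_mib = 1024 * 1024
    sample = constructed_zip(one_mib)
    print("stored bytes:", len(sample), "true size:", zip_declared_size(sample))
    print("512 KiB free, no large file scanning:", route(sample, one_mib // 2, False))
    print("512 KiB free, large file scanning on:", route(sample, one_mib // 2, True))
    print("2 MiB free:", route(sample, 2 * one_mib, False))
```

The stored object size says little about the disk the scanner needs: the constructed 1 MiB sample occupies only about a kilobyte as an archive.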
Improved scanning performance with the Sophos engine
On average 3x faster than previous throughput
Updated SSL certificate for console when using default DNS
The current SSL certificate for the console will expire in June 2023. We suggest upgrading your console to avoid any expired SSL certificate errors.
v6.05.001 CloudFormation Template
In this release:
Improved directions for setting up WorkDocs connections
Handling inability to connect to AWS Marketplace when looking for license
Fixed IDP support for Cognito in GovCloud
Fixed issue where included monthly GB is not properly provisioned
Handle Sophos error code 0070 disk full
For zip and 7z files, when 0070 is found the scanner will either mark the file as unscannable - too large or send the file off for Large File Scanning (if enabled)
Improved logging on scanning Agent shutdown
v6.04.007 CloudFormation Template
In this release:
Critical to update your scanning agent - Started March 2, 2023
Please upgrade your scanning agent to avoid scanning down time. If you are on Scanning Agent v6.04.000 or newer, you must upgrade your agent to avoid scanning down time.
If you think you have had a lapse of scanning, you can easily go back and scan data from the missing time frame with an On-demand Scan. It is easy to configure for a specific time frame and only scan the files that haven't already been scanned.
Various Bug Fixes
Addressed an update bug where the Sophos scan engine would crash after the signature update halting scanning.
In this release:
Various Bug Fixes
ResultKind (sub scan result) added to the API response
Fixed a scheduled scanning bug caused by an out of band process deleting a bucket and the schedule not being updated accordingly causing the scheduled scan to error
Storage Assessment - new deployments will not automatically create disabled inventory configs on every bucket
Storage Assessment - defaulted to off for new installs and upgrades (will remain on if already on)
Fixed a strange/rare billing bug
v6.04.006 CloudFormation Template
In this release:
Upgrade your scanning agent.
A patch for the ClamAV scanning engine to address the following vulnerability - CVE-2023-20032. You can learn more about the upgrade on ClamAV's blog.
If you are using ClamAV we recommend you perform an upgrade of the agent immediately.
In this release:
License Mode Switcher
You now have the ability to change from BYOL <--> PAYG mode
For those times you started with one billing model and wanted to switch to the other without re-deploying the solution and losing the history
You must subscribe to the corresponding AWS Marketplace listing so the entitlement check passes appropriately. If you were on BYOL and want to switch to PAYG, you must subscribe to the PAYG listing.
Various Bug Fixes
Multi-region bucket crawling in Schedules
Storage Assessment fix for Linked Accounts
v6.04.005 CloudFormation Template
In this release:
CloudTrail Lake Integration released
With the newly launched PutAuditEvents API for AWS CloudTrail Lake, CSS has created a simple integration for you to capture user activity and events from the CSS console. In just a few steps, you can consolidate CSS activity logs together with AWS activity logs in CloudTrail Lake without having to build or manage the event data pipeline.
Check out the Integrations page for more details
Various Bug Fixes
v6.04.004 CloudFormation Template
In this release:
Patch build to correct found vulnerabilities
Management Console moved to CentOS Stream 9
Various Bug Fixes
v6.04.003
v6.04.003 CloudFormation Template
In this release:
EC2 Tagging
The EC2 instances that run for Large File Scanning can now be tagged
Tags are manually defined (at this time) by running a Stack update and filling in the EC2 Tags field
Export Problem Files report
Problem Files reporting can now be exported from the Problem Files page within the Console
Various Bug Fixes
read-only root file system fixes
crawling improvements
API scaling thresholds - reduced thresholds from 1000 to 200
v6.04.002 CloudFormation Template
In this release:
Upgrade your Scanning Agents
Agent-only release
Fixed Storage Assessment data gathering bug where it would crawl and perform S3 Get calls more often than it should causing an increase in logging and potentially higher AWS costs
In this release:
Must Upgrade Linked Account Role
Please upgrade to the latest Linked Account Role. If you are prior to version 1.11.000, then you will have to upgrade each linked account's role manually (sorry). Going forward you will be able to update through the console.
Storage Assessment
The new Storage Assessment feature is the start of additional functionality we are adding to give you better intelligence around your data
This new functionality helps you answer the questions: what do I have? where is it located? what are my data trends? what coverage for scanning and encryption do I have for my storage?
Additional Costs - This feature is automatically turned on when you upgrade to this release through the standard console upgrade process. You can disable this feature at upgrade by manually updating the stack and turning the drop down selection to False.
This feature will start by crawling all of your data to give you an initial overview to all of the files you have stored in Amazon S3. After that initial crawl, Storage Assessment will leverage S3 Inventory to continue to assess the data. Both the crawl and S3 Inventory have minimal charges associated with them.
Percent Scanned requires the checking of S3 Tags to determine if the scan-result tags exist on the objects. GetObjectTagging calls will be made against every inventoried S3 bucket
read-only root file system fix
Made it so the Fargate container root file systems are read-only
Various Bug Fixes
Improved unusual character handling in object key values - specifically those files that happen to have // in the key itself
v6.04.000 and v6.04.001 CloudFormation Template v6.04.001 CFT v6.04.000 CFT
In this release:
EventBridge integration to solve event conflicts on buckets
There are 3 conflicts that can occur in respect to Amazon S3 bucket notifications: lambda, queue, and topics. Lambda and SQS created a scenario where the scanning engine and the existing workflow could not share events.
The EventBridge integration will allow existing Lambdas and Queues and AVforS3 to each receive the All Object Create event and perform the work needed.
A new attribute, `useEventBridge`, has been added to the Bucket-->Protect API call to allow you to specify whether or not to use EventBridge with a given bucket.
Setting This Up
The UI will allow you to simply protect a conflicted bucket as you do any other bucket, but in this release you must activate protection through the Management API. This is a very simple process by using the Swagger documentation we have attached to the AVforS3 Console (https://consoleURL/swagger)
![bucket protection api](./img/releasenotes-protectbucket-api.png)
Object Key added to the Scan Result filterable attributes
With the Key added to the Message Attributes, you can now filter the message by path or entire file name for advanced filtering
This is a great set of AWS doc pages that show the power of how message filtering can work: Amazon SNS subscription filter policies
Various bug fixes and improvements
Job crawling improvements - crawling in parallel and scanning is kicked off immediately as opposed to when crawling completed
Fixed public IP override for task definitions
Improve S3 registration with SNS Topic
Jobs status cleanup
Dashboard custom date selection fix
Deregister all task definitions upon service termination
Cleanup Notifications
AppConfig resources now created and cleaned up by the CFT
Permissions updates
In this release:
Various bug fixes and improvements
Multiple proxy deployment related adjustments and fixes
In this release:
Scanning Agents check updates over proxy
Private Mirror was required when deployed in proxy mode
With this release the scanning agents can check for signature updates over the proxy
!!! note Ensure you have the proxy open to allow for the ClamAV traffic `https://database.clamav.net`
Better handling for encrypted files
With this release we will identify more encrypted file types and mark them as unscannable - encrypted rather than letting them pass through
Sophos Engine Only - ClamAV will still pass most of these through as clean
!!! note
    - SafeGuard encrypted file (self-extracting)
    - Microsoft Office 2007 Encrypted Package (password protected)
    - Microsoft Excel 2007 onwards [encrypted]
    - Microsoft PowerPoint 2007 onwards [encrypted]
    - Microsoft Word 2007 onwards [encrypted]
    - Open Packaging Convention file format (OPC) [encrypted]
    - Open Document Format for Office Applications [encrypted]
    - PK ZIP archive [encrypted]
    - SafeGuard encrypted file
    - ACE archive [encrypted]
    - Kremlin encrypted file
    - xBase Database File (DBF) [encrypted]
    - PGP encrypted file (binary)
    - OpenPGP/GPG encrypted file
    - AxCrypt Encrypted File
    - SecurityBox encrypted file
    - PGP encrypted message (ASCII-Armored)
Various bug fixes and improvements
Addressed inconsistency with establishing the S3 Client for us-east-1
In this release:
Bucket Configuration Remediation
Help enforce best practices throughout your Amazon S3 buckets:
Block Public Access - allows you to turn off the public access settings
Reconcile Encryption - allows you to determine whether the objects in your bucket are encrypted or not and remediate by specifying an encryption key if so desired. Otherwise it will simply output the list of files that are not encrypted
Enable Logging - turn on logging for select Amazon S3 buckets
Deployment Improvements
One of the most secure ways to deploy any solution is to air-gap it as much as you can. Restrict the access in and even the access out. We fully support this option with the use of VPC Endpoints, a Proxy Server (of your choice) to limit the outbound and the ability to Private Mirror the signature updates
This update fully makes this a reality with a documented approach on how to do it
Admin API Additions
Added more functionality to simplify solution management: deployment, tear down, protection, etc
Add /swagger to the end of your deployment base URL for all the details on the available APIs
Object Tagging for Errors
Added details to objects that were unscannable due to error
Various bug fixes and improvements
In this release:
Amazon WorkDocs Scanning
We're happy to announce event-based scanning for Amazon WorkDocs
Following our simple-to-protect philosophy, you will easily be able to enable protection and quarantining of files stored and managed within Amazon WorkDocs
More details to come, look under Configuration-->WorkDocs Connections to configure within your Console
Various bug fixes and improvements
Fix race condition on v6 upgrade with entitlement
Fix uploadedBy required in the scan API
Fix API data tracking in dashboard and reports
In this release:
SSL Certificate Update
Console and API Agent updates to support updated built-in SSL certificate
In this release:
API bug fix introduced in v6.00.000
Agent-only release
In this release:
Data Classification for Amazon S3
The initial release of our new sensitive data discovery functionality
Data Classification for Amazon S3 is a cloud-based in-tenant solution that leverages the power of Sophos to identify sensitive data at petabyte scale across all S3 buckets. Knowing what sensitive data exists and where it exists enables you to proactively manage data privacy and protection as well as compliance with frameworks such as SOC 2, PCI DSS, and HIPAA.
Identifies hundreds of sensitive data types across a variety of file types and 11 regional localizations; looks at bucket configurations
Pinpoint Personally Identifiable Information (PII), financial data, health care information, government ID numbers and more, as well as where it resides, at scale
DC for Amazon S3 can be run stand-alone or in tandem with AV for Amazon S3
Free Trial - give it a go for 30 days! Trial extensions available when needed.
Various bug fixes and improvements
In this release:
Notification Bell and Page
Centralized visual to monitor all proactive notifications and AWS Security Hub findings
Allows you to more easily track activity without having to subscribe to notifications
Allows you to determine which notifications you should be subscribing to
Enhanced AWS Security Hub Integration
Added the ability to ingest findings from AWS Security Hub
Findings can be leveraged for actions taken as part of Proactive Notifications responses
True File Type
Each Scan Result now includes what the scanning engine has determined as the actual file type being scanned
Allows you to take action based on the "real" file type no matter the naming
This is a filterable value in the Proactive Notifications
Improved Special Character Handling
AWS APIs handle special characters in Buckets / Paths / File Names inconsistently
Changed the way we are handling files so all Keys can be handled in the same way and fewer to no errors are encountered when processing files
New Proactive Notification Type - job
Tracking by job is now available via Proactive Notifications
!!! warning "Notification Type Removal" We have removed bucketCrawling and extraLargeFile filterable messages and now labeled those as the job notification type.
Various bug fixes and improvements
Unscannable results from API Scanning now have a message indicating why
Scan Results page charts were incorrectly reflecting the results
In this release:
Various bug fixes and improvements
API Endpoint - replaced port 80 with port 443 for the Target Groups health check (scanning traffic is always secure)
Newly installed API endpoints only
For existing endpoints, you'll have to remove and reinstall (unfortunately)
Sophos engine update
In this release:
Deployment Improvements
You can now add/remove the Load Balancer at any time. Previously you had to completely reinstall the product to add a load balancer.
Upgrade to this version, then simply run a stack update (from the AWS CloudFormation page) and enter or remove the load balancer information
Single Sign On Support
By taking advantage of Amazon Cognito's inherent support for SAML Identity Providers, you can now leverage SSO providers like Okta to sign in to the console
Get more details by visiting the ==SSO FAQ==
Various bug fixes and improvements
Replaced port 80 with port 443 for the Target Groups
Upped the Static and Dynamic Analysis file size limit to 100MB
Chrome browser javascript fix (introduced in January 4 Chrome update)
In this release:
Extra Large File Scanning
Files up to the Amazon S3 max file size (5TB) are now supported for scanning
Get more details by visiting the ==Extra Large File Scanning== page
Performance improvements
Various bug fixes and improvements
In this release:
Automatic Bucket Protection
This feature leverages tags on buckets to identify and automatically provision event-based scanning on bucket(s). Any time a bucket is discovered with the specified tag it will be protected. The system checks for bucket information every 30 minutes. In this check we will look at the bucket configuration and tags and respond accordingly
To support this feature we've added the ability to "stage" regions with run configuration information. Check out ==Event Agent Settings== page for these details
Get more details by visiting the ==Console Settings help== page
Proactive Notifications Subscription UI
Antivirus for Amazon S3 provides real-time notifications for many aspects of the system including: scan results, bucket characteristics (like public/private), system characteristics and more. Up to this point you were required to subscribe to an SNS Topic inside of the AWS Console
This feature provides a page where you can setup and manage the subscriptions to the notifications
Get more details by visiting the ==Proactive Notifications help== page
API Endpoint Enhancements
1 new API: scan by URL
With scan by URL you specify the full HTTP url to a file for scanning
There are many uses for this, but one in particular we think will be useful is for Amazon S3 pre-signed URLs. These are a good way to hand off objects, but also to implement what we call Scan on Read.
Scan on Read writeup coming soon
Get more details by visiting the ==API Overview== page
Audit Logging
Anything and everything that is done through the Management Console is now logged to a new CloudWatch Log Group for auditing messages - CloudWatch --> Log Groups --> CloudStorageSecurity.Console.AuditLogging
Self-Service Prepaid Discount
Marketplace Listing
New AWS Marketplace purchasing option where you can buy in bulk in a discounted, pre-paid fashion
This is a self-service purchase option that offers discounted pricing without having to talk to anyone
Note: If you are planning to purchase more than 6TB of new data and / or more than 100TB of existing data, reach out to us to discuss a Private Offer with custom pricing
Check out the ==Pre-paid Discount Listing== on the AWS Marketplace
Various bug fixes and improvements
In this release:
Cloud Detonation Sandbox
Sometimes you require additional analysis of problematic files you encounter. You can now send those files to the cloud sandbox for detonation. You can perform a simpler Static Analysis or a Dynamic Analysis where the file is executed on a system and the outcome shared.
This leverages the Sophos Cloud Sandbox for detonation. Cloud Storage Security has a dedicated slice of this sandbox specifically for scanning its customers' files.
Get more details by visiting the ==Problem Files help== page
Activity by Bucket Reporting
The Scan Results reporting page has been enhanced to show bucket activity by day, week, month and custom time frames.
Get more details by visiting the ==Scan Results help== page
Linked Account Management Simplification
See the version and status of the linked account roles connected to your deployment
Upgrade one / multiple / all linked accounts from the console
No longer do you need to go to each linked account to run the stack update for the role
Get more details by visiting the ==Manage Accounts help== page
Various bug fixes and improvements
In this release:
API Endpoint Enhancements
2 new APIs: scan and then upload and scan an existing S3 object (both customer requests)
With scan and upload you specify a new uploadTo attribute in the header that specifies a "<container> / <object-path>" like "mybucket/full-path-to-file.txt"
Note: this is an add on to the existing scan api
The scan existing S3 object is a new API, not just a modification to the existing scan option. You will call api/Scan/Existing and specify the location information ("container" and "objectPath") in the header
Get more details by visiting the ==API Overview== page
Setup Simplification
You can now leverage the Cloud Storage Security SSL cert and application domain for your API Endpoint access
Prior to this release you were required to provide your own certificate and DNS registration. Now, like the Management Console itself, you can register your API Endpoint(s) with the cloudstoragesecapp.com domain.
This makes testing and configuring the API Endpoint much simpler and a whole lot quicker to get setup
Get more details by visiting the ==API Agent Settings== page
API calls log to CloudWatch and Problem Files
All scan API calls now log to CloudWatch, and to Problem Files if they are in fact problem files
API-Only Users
Prior to this release, users authorized to make API calls could also log into the Management Console. You can now create a user that only has the rights to make API calls, but won't be able to login to the console
Multi-factor Authentication
Users can now setup multi-factor authentication to assist in more secure access
Get more details by visiting the ==User Management== page
CFT Updates
Added the ability to use the HostedZoneID in addition to the HostedZoneName for use with Route53
Various bug fixes and improvements
In this release:
Patch fix to make the proper regional endpoint calls
Upgrade Notes
If upgrading from 5.05.x and prior, you should have no issues upgrading to 5.06.002
If coming from 5.06.001, you will have to take an additional action this one time
!!! warning "Upgrading from 5.06.001" Release 5.06.001 introduced two new parameters into the CloudFormation Template. These new parameters were entered with blank default behaviors and due to CFT functionality those needed default values. We've added the default values now, but in order for the upgrade to work properly you will need to reboot your Management Console. Once you've rebooted the console the upgrade will go smoothly. This process should not take any longer than 5 minutes.
??? tip "Reboot and then Upgrade"
Rebooting the console is a simple process. We will walk you through it below.
1. Login to the <a href="https://console.aws.amazon.com" target="_blank">AWS Console</a>
*Note: ensure you are in the region you installed the Antivirus for Amazon S3 Management Console*
2. Navigate to the Elastic Container Service
![ECS service search](./img/aws-ecs-service-search.png)
Which will lead you to:
![ECS service](./img/aws-ecs-service.png)
3. Click into the Cluster that matches your deployment to see the details and services
![ECS cluster details](./img/aws-ecs-cluster-details.png)
4. Tick the box for the Console service and click the `Update` button
![ECS cluster details](./img/aws-ecs-cluster-service-update1.png)
5. Tick the box for `Force New Deployment` and click the `Skip to Review` button
![ECS cluster details](./img/aws-ecs-cluster-service-update2.png)
6. Click the `Update Service` button
![ECS cluster details](./img/aws-ecs-cluster-service-update3.png)
That is it. Once the new console instance has come online you will be able to proceed with the [standard upgrade process](./console-overview/product-upgrades.md)
In this release:
Multi-Engine Scanning options
You can now select to scan your files with all the engines we support - currently Sophos and ClamAV
Two options for activating multi-engine scanning:
All Files - every file that is scanned will be scanned by all engines
By File Size - Smaller files (<2gb) will be scanned by ClamAV and larger files (>2gb) will be scanned by Sophos, which can handle much larger file sizes (<195gb)
Get more details by visiting the ==Scan Settings== page
Dashboard and Reporting Updates
==Dashboard== now reflects all 3 scan models (Event, Retro and API) for the GB Scanned and Object Scanned Charts
==Usage Report== now has the option to export data to CSV file
==Scan Results== received two enhancements - data can be exported to CSV and individual findings (infected, error, unscannable) are clickable and will redirect you to the specific results on the Problem Files page
==Bucket Settings== - new page to review the critical configuration aspects of your S3 Buckets
Enhanced Scan Result details
Each and every Scan Result now includes the Engine Name, Engine Version, Virus DB Version and the Scan Type
This is included in multi-engine scan results
??? note "Sample Multi-Engine Scan Result"
```json
{
  "guid": "f3780373-ca3c-4324-bdd0-774d8b04f92e",
  "dateScanned": "2021-08-24T12:25:30.4494053Z",
  "bucketName": "preview-destination-bucket",
  "key": "virus/YNtbRiwU4Iyv5vOY_virus_157_eicar_com.zip",
  "versionId": null,
  "result": 1,
  "scanResults": [
    {
      "result": "Infected",
      "virusName": [
        "Win.Test.EICAR_HDB-1"
      ],
      "message": [],
      "dateScanned": "2021-08-24T12:25:30.4494053Z",
      "engine": "ClamAV",
      "engineVersion": "0.103.3",
      "virusDbVersion": "26231",
      "scanType": "GoFwd"
    },
    {
      "result": "Infected",
      "virusName": [
        "EICAR-AV-Test"
      ],
      "message": [
        "eicar.com"
      ],
      "dateScanned": "2021-08-24T12:25:30.4564762Z",
      "engine": "Sophos",
      "engineVersion": "3.82.1",
      "virusDbVersion": "5.86",
      "scanType": "GoFwd"
    }
  ],
  "actionTaken": "Move",
  "virusUploadedBy": "AWS:AROA3K5IVNMVJTERL6GIW:preview-bucket-transfer",
  "fileExists": true,
  "movedTo": "cloudstoragesecquarantine-pk913wa-779353418538-us-east-1",
  "region": "us-east-1",
  "accountId": "779353418538",
  "allowOnceExemptionAdded": false,
  "permanentlyAllowed": false
}
```
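A consumer of the multi-engine result above usually needs one verdict per object plus a flag for cases worth a second look. The following is an added example, not the product's code: the field names come from the sample, while the `Clean`, `Unscannable` and `Error` result strings, the worst-result-wins policy and the `summarize` helper are assumptions.

```python
import json

# Worst result wins when engines are combined. "Infected" is the string used in
# the sample above; "Clean", "Unscannable" and "Error" are assumed spellings.
SEVERITY = {"Clean": 0, "Unscannable": 1, "Error": 2, "Infected": 3}

# Trimmed copy of the sample multi-engine scan result shown above.
SAMPLE = json.loads("""
{
  "bucketName": "preview-destination-bucket",
  "key": "virus/YNtbRiwU4Iyv5vOY_virus_157_eicar_com.zip",
  "scanResults": [
    {"result": "Infected", "virusName": ["Win.Test.EICAR_HDB-1"],
     "engine": "ClamAV", "engineVersion": "0.103.3", "virusDbVersion": "26231"},
    {"result": "Infected", "virusName": ["EICAR-AV-Test"],
     "engine": "Sophos", "engineVersion": "3.82.1", "virusDbVersion": "5.86"}
  ],
  "actionTaken": "Move",
  "movedTo": "cloudstoragesecquarantine-pk913wa-779353418538-us-east-1"
}
""")


def summarize(scan_result):
    """Reduce a multi-engine scan result to one verdict plus triage flags."""
    per_engine, detections = {}, {}
    for entry in scan_result.get("scanResults", []):
        engine = entry.get("engine", "unknown")
        result = entry.get("result")
        if result not in SEVERITY:
            result = "Error"          # unknown or missing result: fail closed
        per_engine[engine] = result
        if entry.get("virusName"):
            detections[engine] = list(entry["virusName"])

    # No engine output at all is treated as an error, never as clean.
    verdict = max(per_engine.values(), key=SEVERITY.get, default="Error")
    # Engines disagreeing (for example one engine passing a file as clean
    # that the other flags) is worth surfacing on its own.
    disagree = len(set(per_engine.values())) > 1
    # "Move" with a destination bucket is how the sample records quarantine.
    quarantined = (scan_result.get("actionTaken") == "Move"
                   and bool(scan_result.get("movedTo")))
    needs_review = (disagree
                    or verdict in ("Error", "Unscannable")
                    or (verdict == "Infected" and not quarantined))
    return {
        "object": "{}/{}".format(scan_result.get("bucketName"),
                                 scan_result.get("key")),
        "verdict": verdict,
        "per_engine": per_engine,
        "detections": detections,
        "engines_disagree": disagree,
        "quarantined": quarantined,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```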
Various bug fixes and improvements
In this release:
API Endpoint Agent Changes
We now allow you to use IAM based certificates with the API endpoint
Enabled CORS in the API Agent - currently allowing all sources
CFT Changes
We now allow you to specify custom, pre-existing roles to leverage
Quarantine Bucket Changes
Added new configuration option that allows you to quarantine files centrally to the deployment account or keep current settings of quarantining files within linked accounts
Add Life Cycle Policy days attribute to quarantine buckets - after set number of days quarantined objects will be deleted
DynamoDB Changes
Allow you to turn on / off Point In Time Recovery on our tables
Various bug fixes and improvements
In this release:
Various bug fixes and improvements
Console Settings
API Agent Settings
Job Status filtering
Schedule overlap message
Linked Account bucket, assumed role, SNS topic and permissions fix
Multi infected message for a single file fix
!!! important You must upgrade the Linked Account Role (cross account role) for any linked accounts. You can launch the stack update from the Manage Accounts page.
In this release:
Security Hardening
Improved allowed TLS versions and cipher suites
Added content security policy
Added additional security headers
Various bug fixes and improvements
In this release:
API Driven Object Scanning
To go along with event-based scanning, scheduled scanning and on-demand scanning, we are happy to introduce API-driven scanning. As it sounds, we are providing a REST API where you are able to hand us a file or object for scanning directly.
For those environments where you have applications and workflows where you need to insert file scanning before deciding what next to do with the file, you can leverage this to slip it right into your solution. This is often desired if you want to scan the files before they are written to "disk" (Amazon S3 or anywhere else).
This can have a public or private access URL, allowing you to integrate it into any application running on-prem, in AWS or in any other cloud. The implication is that the object does not have to reside in Amazon S3 in order to be scanned. You can get the verdict back before placing the file into Amazon S3.
Get more details by visiting the ==API Driven Scanning== page
See how to configure API Agent Scanning on the ==API Agent Settings== page
Scan Results Report
This simple report gives you the Scan Results breakdown for all files processed by day (last 30 days), by week (last 12 weeks), by month (last 12 months) and for custom time ranges
You can drill down into any time window to see the activity by Account
Get more details by visiting the ==Scan Results Report== page
Various bug fixes and improvements
In this release:
Detailed usage rollup reporting
Today you can piece together activity from the Dashboard and the Logs, but haven't had a clean rollup for usage and issues by Groups and Accounts. This is the first step towards interesting reports. More to come
This new Monitoring page will give you a high-level view for the last 12 months by Group and Account in the charts. It will also provide a more detailed view by current month, last month, 3 months, 6 months and 12 months within the Group panels
Get more details by visiting the ==Usage Rollup== page
Increased File Size Handling (200GB)
This latest release now takes advantage of AWS Fargate's new disk size options (new max size is 200GB). The larger native disk size allows for larger file handling without having to bring in additional AWS services (like EFS)
As AWS Fargate allows for even larger disk sizes, scanned file size will also increase
If you know you will be scanning larger file sizes, you can simply change the Scanning Agent disk size on the ==Agent Settings== page
Re-architecture of On-Demand and Scheduled Scanning
Each schedule execution or on-demand scan is treated as its own stand-alone job
Each job will get its own resources (queue, scanning agents, etc) for the duration of the job
This allows for great scale and simultaneous jobs won't step on or delay each other
For existing customers:
!!! important This will remove the Retro Service that has been in place to manage both of these types of scanning. Run Task functionality is now replacing the Retro Service.
This will not impact existing schedules.
Job monitoring for On-Demand and Scheduled Scanning
Added the ability to track historically and in real-time the jobs (on-demand and scheduled scans) executed by the system. No longer do you have to question if you ran an on-demand scan or if a scheduled scan executed or not
You will have the ability to monitor and manage the jobs
Get more details by visiting the ==Jobs== page
Various bug fixes and improvements
!!! warning If you have been using the system for many months and have processed a lot of data, especially leveraging Smart Scan, then the post-upgrade process could take a "long" time. It is dependent on the amount of data you have in the DynamoDB tables. One customer has seen this process take upwards of 4 hours.
If you are not upgrading to this version, but install from this version or later you will not face this upgrade time.
In this release:
Local Task Image Support
We now support the ability to host the container images locally
You can download the images from our repo and place them locally in your own repo
Simply specify an account number where the repo will be located and make sure to use matching names
Get more details by visiting the ==Advanced Deployment Considerations== section
Various bug fixes and improvements
Fixed a billing issue introduced in the v5 release
Fixed an out-of-memory issue in the Dashboard Widgets when you have a lot of Agent data
Fixed a bug in the Scheduled Scan modal
Improved agent data lookups
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
In this release:
Various bug fixes and improvements
Deployment Overview page updated to better reflect real-time scan protection vs schedule protection in your overall regional bucket protection score
Improved Object Tag handling
Fixed discarding existing tags on object when we place our tags
New object scanning will evaluate whether the object has been scanned before and skip it if it has the "scan-result" tag on it
This is useful if copying objects that have been previously scanned into the same or another protected bucket
Note: if a replacement object has been uploaded "over the top" of the existing object, we will scan it (it will come in without tags and erase existing tags)
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
In this release:
Premium Scan Engine Added - Sophos
Sophos is a well known household name in security providing excellent detection and great performance
Sophos provides the ability to scan much larger file sizes
15gb to start, but much larger in the very near future
Sophos offers much better ==performance==
Get more details by visiting the ==Scan Engines== page
Improvements to Local Signature Updates
New lambda and guide for ClamAV updates
Offering local updates for Sophos right out of the gate
Get more details by visiting the ==Private Mirror - Local Signature Updates== page
More Deployment Options Added
Auto Assign Public IP - Console and Agents
You can control whether your Console and Agents are publicly accessible through multiple methods, but we were still assigning public IPs even if they weren't accessible. You now have the option to turn off the assignment if they will never be used
Agent Scan Engine
You can choose which engine, ClamAV or Sophos, you'd like to start with - this can be ==changed in the console== after deployment as well
Info Opt-out
In order to provide a proper SSL-protected persistent URL for application access, we register your IP and subdomain info with our hosted Route53. If you plan to leverage a Load Balancer and would prefer not to send us that info, you can now make that choice
Various bug fixes and improvements
Bucket Protection page modified to reflect protection through real-time or scheduled scans
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
!!! note Agent vCPU and Memory recommendations have changed. We recommend running the scanning agents with 1 vCPU and 3gb Memory. The defaults have been 2 vCPU and 4gb Memory, but we are finding there is no advantage to those settings at the moment. Switching to 1 and 3 is a worthwhile cost savings while having no impact on performance. In the Performance Throughput Table the ClamAV numbers were produced with 2vCPU and 4gb Mem, but the Sophos numbers were run with 1vCPU and 3gb Mem. In subsequent testing, we saw no noticeable reduction in performance with ClamAV as well.
----
Leveraging the Sophos engine has an add-on cost associated with it. Check our [**AWS Marketplace Listing**](https://aws.amazon.com/marketplace/pp/B089QBV2GC/?ref=_ptnr_help_doc_) for more details on the pricing. Please [Contact Us](./contact-us.md) if you would like to discuss pricing in more detail.
March 2021 - v4.11.000 In this release:
Permitted File Handling - False Positive / Acceptable File
It is inevitable that a file or object is identified as infected. Whether you deem it is a false positive or an acceptable file, you will need to place it back into a useful state. This release allows you to handle those files and place them back into the original bucket they were uploaded to
You can place the objects back into a usable state as a one-off or "permanently"
Get more details by visiting the Problem Files page
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
February 2021 - v4.10.000 In this release:
Turn Off Public IP Assignment to Console and Scanning Agents
To go along with the 4.08 release that introduced the ability to put the Console and the Scanning Agents into private subnets, we have now removed the public IP that AWS would assign to the service. This public IP did not make either service public when deployed this way, but this ensures now it is not assigned at all
The default value is ENABLED, but after the upgrade to 4.10.000 occurs, you can run an Update Stack leveraging the same template and change the value for these two new parameters to disabled
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
Upgrade issue indicated below
If upgrading from 4.8.x and prior, you should have no issues upgrading to 4.10.000
If coming from 4.09.x, you will have to take an additional action this one time
Upgrade Notes
Upgrading from 4.09.000
Release 4.09.000 introduced an upgrade bug where upgrades from this point would initially fail. There are two ways to resolve this issue: reboot the console and then proceed with the upgrade, or upgrade manually by pointing at the latest template. Both should take no more than 5 minutes.
February 2021 - v4.09.000 In this release:
Custom Resource Naming
Many customers have a formal naming scheme for resources within their environment. It is often something along the lines of <project name>-<resource type>. For example: abc_fin_processing-sqsqueue.
Customers have asked us for the ability to rename the Antivirus for Amazon S3 resources to match their naming standards. With this release we're happy to say we now support that
A section has been added to the CloudFormation template which allows you to rename all of the resources with their own unique prefix
We must still append a unique appID to each resource
Following the example above, the resource would be created as: abc_fin_processing-sqsqueue-e6t7q1 where the e6t7q1 is the portion we append
Get more details on custom resource naming in the Advanced Deployment Considerations → Optional AWS Resource Renaming section
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
February 2021 - v4.08.001 In this release:
Scheduled Scanning
The ability to scan all files or new files (since last scan) based on a schedule
Whether it is because compliance is driving you to scan on a regular basis or it is that your workflow allows for non-real-time scanning, scheduled scanning provides flexibility for how you scan your data. You get to decide whether you want real-time, one-off on demand, schedule driven scanning or a combination of all the above
Get more details for Scheduled Scans
Load Balancer Deployment Option
Provided the option to deploy the management console behind a load balancer for persistent IP and access as an alternative to registering with the Cloud Storage Security Route53
This can be leveraged if you want the application tied into your own domain or you are planning a deployment without public access
Get more details for leveraging a load balancer in the Advanced Deployment Considerations → Optional Load Balancer Configuration section
More details will show up in the Deployment Details page as well
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
January 2021 - v4.07.000 In this release:
AWS Security Hub Integration
AWS Security Hub provides a consolidated view of your security status in AWS. Automate security checks, manage security findings, and identify the highest priority security issues across your AWS environment.
Antivirus for Amazon S3 has integrated with AWS Security Hub to allow your Amazon S3 object findings (malware and viruses) to be posted to this central location. Any infected files found within your Amazon S3 storage can be shown and managed alongside the rest of the findings coming from all other aspects of your infrastructure.
Get more details for Security Hub integration
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
January 2021 - v4.06.001 In this release:
Bring Your Own License Option (good for GovCloud)
Another consumption model for those who prefer to pre-buy an allotment of GBs to scan
For those who require strict control over their spend or who want to buy in bulk for discounts
Once the pre-purchased GB allotment runs out, you will have 14 days to get a new license in place before the scanning agents start to shut down
Check out the new BYOL and GovCloud Listing
Pre-bought allotments can be done with the pay-as-you-go model as well. You will switch to consumption pricing once the allotment runs out
This deployment can be leveraged inside of GovCloud
For those of you who need to scan Amazon S3 inside of GovCloud, this deployment will allow for that.
You can work directly with us to sort out the license or we can involve a partner of choice
Private Offers through AWS Marketplace available as well
A consumption option will be provided once AWS Marketplace offers it for Fargate
Dashboard updates
Added a single, centralized Time Window time picker for all charts, so a single time slice you pick is reflected across all charts
Get more details here.
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
December 2020 - v4.05.001 In this release:
Buckets Page Optimization
Massive improvement to loading performance
Data loads independently: bucket list first, then permissions info and then the metrics
Bucket management can start immediately while the additional characteristic information sets are loading
Where it took 6+ minutes to load 1000 buckets, it now takes just seconds to load 3000 buckets. Working with even larger bucket sets is just fine as well. You can also break those down by Groups/Accounts to make them easier to deal with.
Regex searching and better sorting
Get more details on how the page works here.
Scan / Skip List Enhancements
Added support for * wild cards to be used anywhere in the path or filename for the objects
Added a global option where you can specify a particular path that may repeat in all your buckets to be used either with the scan or skip list
Get more details on how the page works here.
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
Update ClamAV main engine version
December 2020 - v4.04.004 In this release:
Simplified KMS access
Added option to the CloudFormation template to grant access to all KMS keys
Access to all KMS keys leverages the permission option viaService to specify limited scope access to only Amazon S3 objects. The keys cannot be used for any other purpose.
Simply keep the default in the CFT or rerun the CFT to change the value at a later time
You can still grant one off access as well
Get more details on assigning access here.
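The scoping described above corresponds to the IAM condition key `kms:ViaService`. The following is an added example, not the product's own policy or code: it builds a statement of that shape and audits a policy document for KMS grants on all keys that are not restricted to Amazon S3. The Sids, the action list, the region and the sample policy are assumptions constructed for illustration.

```python
"""Audit IAM statements that grant KMS use on all keys (added illustration).

The statement layout, action list and region are assumptions, not the policy
shipped in the vendor's CloudFormation template.
"""

KMS_DATA_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]  # assumed action set


def s3_scoped_kms_statement(region):
    """Allow KMS use on every key, but only for requests Amazon S3 makes."""
    return {
        "Sid": "AllKeysViaS3Only",
        "Effect": "Allow",
        "Action": list(KMS_DATA_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _via_service_values(statement):
    """Collect kms:ViaService values from StringEquals/StringLike conditions."""
    values = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue
        for key, val in keys.items():
            if key.lower() == "kms:viaservice":  # condition keys ignore case
                values.extend(_as_list(val))
    return values


def audit_kms_statements(policy):
    """Return (sid, reason) for Allow statements on all keys not tied to S3."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a == "*" or a.startswith("kms:") for a in actions):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # named key ARNs: the one-off grant case
        sid = stmt.get("Sid", "<no Sid>")
        services = _via_service_values(stmt)
        if not services:
            findings.append((sid, "all keys usable, no kms:ViaService limit"))
        elif not all(s.startswith("s3.") and s.endswith(".amazonaws.com")
                     for s in services):
            findings.append((sid, "kms:ViaService admits a non-S3 service"))
    return findings


# Constructed sample policy (account ID and key ID are placeholders).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        s3_scoped_kms_statement("us-east-1"),
        {"Sid": "UnscopedAllKeys", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "WrongService", "Effect": "Allow",
         "Action": ["kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": [
             "s3.us-east-1.amazonaws.com", "sqs.us-east-1.amazonaws.com"]}}},
        {"Sid": "OneOffKey", "Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}

if __name__ == "__main__":
    for sid, reason in audit_kms_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

Only the unscoped and the mixed-service statements are reported; the S3-scoped grant and the grant on a single named key pass.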
Granular Prepaid License Management
You can now buy prepaid data amounts for Retro scanning independently from Go Forward scanning
You can now keep track of the license files that have been applied to the deployment
Global (almost) Tagging for all solution resources
Tags can help you manage, identify, organize, search for, and filter resources. You can create tags to categorize resources by purpose, owner, environment, or other criteria.
Resources we tag:
ECS Clusters, App Config Doc, App Config Schema, App Config Profile, SNS Topic, SQS Queues, Agent Task Def, Agent ECS Service, Security Groups, CloudWatch Metric Alarms, CloudWatch Retro Alarms, S3 Quarantine Buckets, DynamoDB tables, ECS Console Service, Console Task Def
Resources we are currently not tagging:
CloudFormation Stack, Cognito, running Tasks
You can manually tag the remaining items
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
November 2020 - v4.03.001 In this release:
Local Signature Updates (Private Mirror):
In certain situations, you may prefer to have the scanning agents retrieve signature updates locally rather than reaching out over the internet. Local updates would allow you to better control and potentially eliminate outbound access for the VPCs housing the scanning agents.
This new option allows you to specify an Amazon S3 bucket in your account for the scanning agents to look to for signature updates. You can get the updates into this bucket however you see fit (we provide a sample lambda function that can be used) and each scanning agent as it boots up and then every 6 hours after that will pick up the updates.
Get more details for Private Mirror (local updates)
Image Distribution:
Added Console and Scanning Agent task images to every standard AWS region as part of the build process. This enables local delivery of the Console task image as well as the Scanning Agent task image from the regions each is deployed within.
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
Changing VPC settings for agents was failing due to a Security Group issue. New security groups are now created for each VPC switched to
October 2020 - v4.02.000 In this release:
Bucket Attributes:
Public settings awareness
Provides better awareness of the public settings for buckets. Shows whether a bucket is capable of being public and/or whether ACLs or Bucket Policies are making it truly public
KMS encryption status
This makes you aware of whether a bucket is protected by Custom KMS and prevents you from scanning the objects within the bucket until the AgentRole has permissions to the key
= encrypted and AgentRole doesn't have permissions
= encrypted and AgentRole does have permissions
Get more details for Bucket Attributes
Problem Files filtering:
Added 3 filter options: Accounts, Problem Types and Date Range, which allow you to get more specific and useful results
Get more details for Problem Files page updates
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
Metering submission bug which was causing agents to shut down after 24 hours of non-submissions
October 2020 - v4.01.002 In this release:
Additional System Configuration in the console
New Console Settings:
Added the ability to change the inbound CIDR rules for console access
Added the ability to change the VPC and Subnets the console runs in
Better inform you of suitable VPCs and Subnets (public / private)
New Agent Settings:
Added the ability to change the VPC and Subnets the agent(s) runs in
Better inform you of suitable VPCs and Subnets (public / restricted)
Get more details for Console Settings and Agent Settings
Proactive Notifications update
Added 6 new notification types: bucketsDiscovered, bucketProtection, bucketCrawling, bucketsPublicAccess, updatesAvailable, trialExpiring
Get more details on Proactive Notifications
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
Performance issues found while crawling objects
Bug related to long bucket names or long object paths when retro scanning
September 2020 - v4.00.009 In this release:
Group Organization
New Groups feature for deployments that need to better organize views into the accounts, buckets, scan results, users and dashboard views
You are now able to collect accounts and users into groups creating logical separation from other groups. This may be to separate departments (dev/test/prod or HR/Sales/Finance) within a company or to separate customers from one another in a services model
Get more details on Groups Management
Deployment Overview
This new page gives you a quick view into what is deployed within your infrastructure (event scanning, retro scanning) and the bucket protection status by region
This page also gives you the ability to cleanup parts of the installation or uninstall the entire application
Get more details for Deployment Overview
Proactive Notifications update
Added the bucket name to the scanResult notifications so filtering can be done by bucket as well
Get more details on Proactive Notifications
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
August 2020 - v3.02.004 In this release:
Scan Results Notifications
The object scan results are now sent to a new SNS Topic where you can subscribe to receive notifications based on your protocol (HTTP, HTTPS, Email, Email-JSON, Amazon SQS, AWS Lambda, Platform Application Endpoint, SMS) of choice
A scanResult attribute is added to each message so you can filter down to the object results (Clean, Infected, Unscannable, Error) you care about
Get more details on Proactive Notifications
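Consuming the `scanResult` attribute described above, as an added example that is not the product's code: a subscription filter policy that drops Clean results, a local evaluator for it, and a Lambda-style triage function over the SNS event envelope. The event is constructed, the message IDs are placeholders, and the message body is deliberately not parsed because its schema is not assumed here.

```python
"""Triage scan notifications by the scanResult SNS message attribute."""

# Values the release note lists for the scanResult attribute.
KNOWN_RESULTS = ("Clean", "Infected", "Unscannable", "Error")

# SNS subscription filter policy: deliver everything except Clean results.
# It is set as JSON in the subscription's FilterPolicy attribute.
FILTER_POLICY = {"scanResult": ["Infected", "Unscannable", "Error"]}


def filter_policy_matches(policy, attributes):
    """Exact-string subset of SNS attribute filtering.

    Every policy key must be present on the message and carry a listed value;
    matching is case-sensitive, and a message without the attribute is dropped.
    """
    for key, allowed in policy.items():
        attr = attributes.get(key)
        if attr is None or attr.get("Value") not in allowed:
            return False
    return True


def delivered(event, policy):
    """Message IDs a subscription with this filter policy would receive."""
    return [
        record["Sns"]["MessageId"]
        for record in event.get("Records", [])
        if filter_policy_matches(policy, record["Sns"].get("MessageAttributes", {}))
    ]


def triage(event):
    """Group message IDs by verdict; anything unexpected goes to review."""
    groups = {name: [] for name in KNOWN_RESULTS}
    groups["Unrecognized"] = []
    for record in event.get("Records", []):
        sns = record.get("Sns", {})
        verdict = sns.get("MessageAttributes", {}).get("scanResult", {}).get("Value")
        if verdict not in KNOWN_RESULTS:
            verdict = "Unrecognized"  # missing or unexpected value: do not drop
        groups[verdict].append(sns.get("MessageId"))
    return groups


def _record(message_id, scan_result=None):
    """Build a constructed SNS-to-Lambda record; body left empty on purpose."""
    attributes = {}
    if scan_result is not None:
        attributes["scanResult"] = {"Type": "String", "Value": scan_result}
    return {
        "EventSource": "aws:sns",
        "Sns": {"MessageId": message_id, "Message": "",
                "MessageAttributes": attributes},
    }


# Constructed sample event, not captured from a real deployment.
SAMPLE_EVENT = {"Records": [
    _record("msg-1", "Infected"),
    _record("msg-2", "Clean"),
    _record("msg-3", "Unscannable"),
    _record("msg-4"),  # attribute missing
]}

if __name__ == "__main__":
    print("delivered:", delivered(SAMPLE_EVENT, FILTER_POLICY))
    print("triage:", triage(SAMPLE_EVENT))
```

A message that arrives without the attribute never reaches a filtered subscription, so an unfiltered subscription feeding `triage` is the place to catch it.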
System Configuration from the Console
We've now simplified the process to change the system configuration by providing you a mechanism to configure: scaling thresholds, cpu, memory and min/max agents from within the console
You can set default settings that will apply to all regions as they come online or make specific configurations by region
Get more details for Console Settings and Agent Settings
Smart Scan
Configuration
This new option will allow you to run the scanning agents only when there is work to be done. This option will modify scaling alarms to allow for the complete shutdown of scanning agents when the work queues are empty. This will save you money during periods of time when you do not have objects coming in.
You will have the option to determine at what point in the work queue you would like an agent to spin up to start processing. The default is any time there is work to be done (so at least 1 entry in the queue), but you can configure this as you choose
This mode can be turned on by default for all deployed agents or on a per region basis
This effectively makes the scanning agent container behave like a Lambda, firing up when needed, but with the advantage that it can persist for as long as there is work to be done with no limitations.
Get more details for Smart Scan
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
August 2020 - v3.01.001 In this release:
Dashboard Improvements
Informational widgets have been added across the top of the dashboard to give more insight into your storage protection.
Get more details here
Public Access identifier on buckets
An identifier has been added to buckets that have public access granted on them.
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
July 2020 - v3.0.0 In this release:
Cross Account Scanning
With this release you can centrally install the console and scanning agents to perform scanning on S3 objects in both the deployed account (primary) as well as remote accounts (linked accounts). This simplifies deployment, adds cost efficiencies and allows you to better meet AWS security best practices.
Review how this works here
User Management
This new page gives you a clear list of users as well as allows you to add, modify and delete users within the console. You can change user roles as well as activate / deactivate them.
Overview of the new user management can be found here
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
July 2020 - v2.05.006 In this release:
Scan Existing Files
When enabling protection on a bucket, you will be prompted to select whether or not to scan files that were added to the bucket while it was not protected. This may be all files in the bucket, or files between a date range if you had previously protected this bucket.
From the "Actions" menu on the Bucket Protection page, you may choose "Scan Existing Files..." and will be presented with a dialog to scan existing files. You are able to select the date range as well as how many Agents you would like to use for scanning these files.
Review how this works here
Improved Updates
Applying Console updates will now perform an Update Stack operation in order to more smoothly add new features that require changes to the CloudFormation template
Overview of updating can be found here
Problem Files page
View a table containing information about files that were found to be infected or were too large to be scanned
Page overview can be found here
Various bug fixes and improvements
Many small bugs have been fixed, as well as tweaks to the UI behavior and appearance.
June 2020 - v2.01.008 This is the initial public release of the Antivirus for Amazon S3 scanning product. Cloud Storage Security is introducing an event driven scanning engine and infrastructure for Amazon S3.
In this release:
Deploy in minutes from AWS Marketplace Subscription
Simple management through Console
Easily turn on / off buckets for malware scanning
Deploy scanning Agents to multiple regions from centralized Console
Upgrade Console and scanning Agents in-place
Charts to clearly monitor usage, throughput, malicious files and protection status
Custom subdomain access into your console
Lightweight containers running on AWS Fargate
No EC2 instances to manage
Highly scalable
Free Trial - give it a go for 30 days! Trial extensions available when needed.
Pre-paid Purchase option - ability to buy GBs to scan in bulk
Contact Us if you would like to pursue this option