Vendors Amazon Web Services AWS GuardDuty GuardDuty Malware Protection for Backup Finding Types

GuardDuty Malware Protection for Backup Finding Types

Malware detection in backups, snapshots, and recovery points

AWS GuardDuty Malware Protection for Backup finding types detecting malicious files in EBS snapshots, EC2 AMIs, AWS Backup EC2 Recovery Points, and AWS Backup S3 Recovery Points through backup scanning, including trojans, backdoors, viruses, ransomware, spyware, rootkits, miners, worms, and potentially unwanted applications

malware-protection backup snapshot ami recovery-point malware-detection

JSON Format 15 Fields Low Frequency Generator

Preview Sample View Schema

Overview

Malware Protection for Backup provides single findings for all threats detected during scans of EBS snapshots, EC2 AMIs, AWS Backup EC2 Recovery Points, and AWS Backup S3 Recovery Points. Includes total number of detections and details for top 32 threats based on severity. Findings are not updated when same resource is scanned again - new finding generated for each scan that detects malware.

When Generated:

Malicious file detected in EBS snapshot during backup scan
Malicious file detected in EC2 AMI during backup scan
Malicious file detected in AWS Backup EC2 Recovery Point (snapshot or AMI)
Malicious file detected in AWS Backup S3 Recovery Point
Scan triggered by GuardDuty threat detection finding
Scheduled backup malware scan detects threats
On-demand backup scan detects threats

Security Relevance:

High

Compliance:

PCI-DSS 5.1.1, 11.4 HIPAA 164.308(a)(1), 164.312(e)(1) SOC 2 CC6.1, CC7.2 ISO 27001 A.12.4.1, A.12.4.2 NIST CSF PR.DS-5, DE.AE-3 CIS AWS Foundations 3.1-3.14

Frequency Notes:

Malware Protection for Backup findings are generated when backup scans detect threats. Frequency depends on backup volume, scan frequency, and threat landscape. Production environments typically see 1-10 findings per week. Each finding represents one backup scan with detected threats - findings are not updated when same resource is scanned again. New finding generated for each scan that detects malware. Severity varies depending on detected threat.

Resources

Documentation

Malware Protection for Backup Finding Types official
Remediating Potentially Compromised EBS Snapshot official
Remediating Potentially Compromised EC2 AMI official
Remediating Potentially Compromised EC2 Recovery Point official
Remediating Potentially Compromised S3 Recovery Point official
GuardDuty Malware Protection for Backup official

Tools

AWS GuardDuty Console
Web interface for viewing and managing Backup malware protection findings
AWS Backup
Manage AWS Backup recovery points and vaults

Generation Configuration

Base Frequency: 3 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.2x

Night Hours Multiplier: 1.0x

Weekend Multiplier: 0.8x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type Source: random_choice() of 4 Malware Protection for Backup finding types	String	Required	—	Malware Protection for Backup finding type indicating resource type and threat classification	`Execution:EC2/MaliciousFile!Snapshot`	`Execution:EC2/MaliciousFile!Snapshot` — Malicious file detected in EBS snapshot `Execution:EC2/MaliciousFile!AMI` — Malicious file detected in EC2 AMI `Execution:EC2/MaliciousFile!RecoveryPoint` — Malicious file detected in AWS Backup EC2 Recovery Point (snapshot or AMI) `Execution:S3/MaliciousFile!RecoveryPoint` — Malicious file detected in AWS Backup S3 Recovery Point
detail.resource.resourceType Source: random_choice(['Instance', 'Snapshot', 'AMI', 'RecoveryPoint', 'S3Bucket'])	String	Required	—	Type of resource where malware was detected	`Snapshot`	`Instance` — Amazon EC2 instance (source of snapshot/AMI) `Snapshot` — EBS snapshot (for !Snapshot findings) `AMI` — EC2 AMI (for !AMI findings) `RecoveryPoint` — AWS Backup recovery point (for !RecoveryPoint findings) `S3Bucket` — S3 bucket (for S3 Recovery Point findings)
detail.service.malwareProtectionScanDetails.scannedResourceDetails.snapshotArn Source: EBS snapshot ARN from scan details	String	Optional	`EBS snapshot ARN`	ARN of the EBS snapshot that was scanned (for !Snapshot findings)	`arn:aws:ec2:us-east-1:snapshot/snap-1234567890abcdef0`	—
detail.service.malwareProtectionScanDetails.scannedResourceDetails.amiArn Source: EC2 AMI ARN from scan details	String	Optional	`EC2 AMI ARN`	ARN of the EC2 AMI that was scanned (for !AMI findings)	`arn:aws:ec2:us-east-1::image/ami-12345678`	—
detail.service.malwareProtectionScanDetails.scannedResourceDetails.recoveryPointArn Source: AWS Backup recovery point ARN from scan details	String	Optional	`AWS Backup recovery point ARN`	ARN of the AWS Backup recovery point that was scanned (for !RecoveryPoint findings)	`arn:aws:backup:us-east-1:123456789012:recovery-point:EC2:abc123...`	—
detail.service.malwareProtectionScanDetails.scannedResourceDetails.volumeDetails Source: EBS volume metadata from backup scan	Array	Optional	—	EBS volume details from snapshot/AMI that were scanned	`[{volumeArn, volumeType, deviceName, volumeSizeInGB, encryptionType}]`	—
detail.service.malwareProtectionScanDetails.scanId Source: random_guid()	String	Required	`UUID`	Unique identifier for the backup malware scan	`550e8400-e29b-41d4-a716-446655440000`	—
detail.service.malwareProtectionScanDetails.triggerFindingId Source: random_hex(32, 32) or empty if scheduled/on-demand scan	String	Optional	`32-character hexadecimal string`	GuardDuty finding ID that triggered this scan (if scan was triggered by finding)	`a1b2c3d4e5f6...`	—
detail.service.malwareProtectionScanDetails.sources Source: random_choice(['THREAT_DETECTION', 'SCHEDULED_SCAN', 'ON_DEMAND'])	Array	Required	—	Source that initiated the backup scan	`['THREAT_DETECTION']`	`THREAT_DETECTION` — Scan triggered by GuardDuty threat detection finding `SCHEDULED_SCAN` — Scan performed on scheduled basis `ON_DEMAND` — Scan triggered on-demand
detail.service.additionalInfo.threatsDetectedItemCount Source: random_int(1, 32) - total detections in scan	Integer	Required	`Integer (1 or more)`	Total number of threats detected during the backup scan	`5`	—
detail.service.additionalInfo.threatsDetected Source: Array of threat details from backup malware scan	Array	Required	—	Details for top 32 threats detected (based on severity). Each finding includes up to 32 threats.	`[{threatName, severity, itemCount, files}]`	—
detail.service.additionalInfo.threatsDetected[].threatName Source: random_choice() of malware threat names	String	Required	`Threat name`	Name of the detected threat	`Trojan.Win32.Generic`	`Trojan.Win32.Generic` — Windows trojan `Trojan.Linux.Generic` — Linux trojan `Backdoor.Linux.Generic` — Linux backdoor `Virus.Win32.Generic` — Windows virus `Ransomware.Win32.Generic` — Windows ransomware `Spyware.Win32.Generic` — Windows spyware `Rootkit.Linux.Generic` — Linux rootkit `Miner.Linux.Generic` — Cryptocurrency miner `Worm.Win32.Generic` — Windows worm `PUA.Win32.Generic` — Potentially Unwanted Application
detail.service.additionalInfo.threatsDetected[].files[].filePath Source: File path from backup malware scan	String	Required	`Absolute file path`	Full path to the malicious file in the backup/snapshot/AMI. Note: File paths may be controlled by malicious actors and should be sanitized when displayed	`/tmp/malware.exe`	—
detail.service.additionalInfo.threatsDetected[].files[].fileHash Source: SHA-256 hash of file content	String	Required	`64-character hexadecimal string`	SHA-256 hash of the malicious file	`a1b2c3d4e5f6...`	—
detail.severity Source: random_choice([2, 5, 5, 8, 8, 8]) - varies based on threat	Integer	Required	—	Finding severity level (varies depending on detected threat severity)	`8`	`2` — Low severity (1.0-3.9) `5` — Medium severity (4.0-6.9) `8` — High severity (7.0-8.9)

Details

Fields

Low

Frequency

Feedback

No ratings yet