Vendors Amazon Web Services AWS GuardDuty GuardDuty Malware Protection for EC2 Finding Types

GuardDuty Malware Protection for EC2 Finding Types

Malware detection on EC2 instances and containers

AWS GuardDuty Malware Protection for EC2 finding types detecting malicious and suspicious files on EC2 instances, ECS clusters, Kubernetes clusters, and containers through EBS volume scanning, including trojans, backdoors, viruses, adware, spyware, ransomware, rootkits, miners, and worms

malware-protection ec2 container malware-detection threat-scanning

JSON Format 13 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Malware Protection for EC2 provides single findings for all threats detected during EBS volume scans of EC2 instances and container workloads. Includes total number of detections and details for top 32 threats based on severity. Findings include scan information and correlation with GuardDuty findings that initiated the scan.

When Generated:

Malicious file detected on EC2 instance during EBS volume scan
Malicious file detected on container workload in ECS cluster
Malicious file detected on container workload in Kubernetes cluster
Malicious file detected on standalone container workload
Suspicious file (adware, spyware, dual-use tool) detected on EC2 instance
Suspicious file (adware, spyware, dual-use tool) detected on container workload
Scan triggered by GuardDuty threat detection finding
Scheduled malware scan detects threats

Security Relevance:

High

Compliance:

PCI-DSS 5.1.1, 11.4 HIPAA 164.308(a)(1), 164.312(e)(1) SOC 2 CC6.1, CC7.2 ISO 27001 A.12.4.1, A.12.4.2 NIST CSF PR.DS-5, DE.AE-3 CIS AWS Foundations 3.1-3.14

Frequency Notes:

Malware Protection for EC2 findings are generated when malware scans detect threats. Frequency depends on threat landscape and scan frequency (triggered by GuardDuty findings or scheduled). Production environments typically see 5-30 findings per day. Each finding represents one scan with detected threats - findings are not updated when same resource is scanned again. New finding generated for each scan that detects malware. Malicious file findings are higher severity than suspicious file findings.

Resources

Documentation

Malware Protection for EC2 Finding Types official
Remediating Potentially Compromised EC2 Instance official
Remediating Potentially Compromised ECS Cluster official
Remediating EKS Protection Findings official
GuardDuty Malware Protection for EC2 official

Tools

AWS GuardDuty Console
Web interface for viewing and managing Malware Protection findings
AWS Systems Manager
Manage GuardDuty malware protection agents

Generation Configuration

Base Frequency: 15 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 1.2x

Weekend Multiplier: 1.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type Source: random_choice() of 8 Malware Protection for EC2 finding types	String	Required	—	Malware Protection for EC2 finding type indicating resource and threat classification	`Execution:EC2/MaliciousFile`	`Execution:EC2/MaliciousFile` — Malicious file detected on EC2 instance `Execution:ECS/MaliciousFile` — Malicious file detected on container in ECS cluster `Execution:Kubernetes/MaliciousFile` — Malicious file detected on container in Kubernetes cluster `Execution:Container/MaliciousFile` — Malicious file detected on standalone container `Execution:EC2/SuspiciousFile` — Suspicious file (adware, spyware, dual-use tool) detected on EC2 instance `Execution:ECS/SuspiciousFile` — Suspicious file (adware, spyware, dual-use tool) detected on container in ECS cluster `Execution:Kubernetes/SuspiciousFile` — Suspicious file (adware, spyware, dual-use tool) detected on container in Kubernetes cluster `Execution:Container/SuspiciousFile` — Suspicious file (adware, spyware, dual-use tool) detected on standalone container
detail.resource.resourceType Source: random_choice(['Instance', 'EKSCluster', 'ECSCluster', 'Container'])	String	Required	—	Type of resource where malware was detected	`Instance`	`Instance` — Amazon EC2 instance `EKSCluster` — Amazon EKS cluster (for Kubernetes findings) `ECSCluster` — Amazon ECS cluster (for ECS findings) `Container` — Standalone container (for Container findings)
detail.service.malwareProtectionScanDetails Source: Malware scan metadata from GuardDuty	Object	Required	—	Details about the malware scan that detected the threats	`{scanId, scanStartTime, scanEndTime, scannedResourceDetails, triggerFindingId, sources}`	—
detail.service.malwareProtectionScanDetails.scanId Source: random_guid()	String	Required	`UUID`	Unique identifier for the malware scan	`550e8400-e29b-41d4-a716-446655440000`	—
detail.service.malwareProtectionScanDetails.scannedResourceDetails.volumeDetails Source: EBS volume metadata from scan	Array	Required	—	EBS volume details that were scanned	`[{volumeArn, volumeType, deviceName, volumeSizeInGB, encryptionType}]`	—
detail.service.malwareProtectionScanDetails.triggerFindingId Source: random_hex(32, 32) or empty if scheduled scan	String	Optional	`32-character hexadecimal string`	GuardDuty finding ID that triggered this scan (if scan was triggered by finding)	`a1b2c3d4e5f6...`	—
detail.service.malwareProtectionScanDetails.sources Source: random_choice(['THREAT_DETECTION', 'SCHEDULED_SCAN'])	Array	Required	—	Source that initiated the scan	`['THREAT_DETECTION']`	`THREAT_DETECTION` — Scan triggered by GuardDuty threat detection finding `SCHEDULED_SCAN` — Scan performed on scheduled basis
detail.service.additionalInfo.threatsDetectedItemCount Source: random_int(1, 32) - total detections in scan	Integer	Required	`Integer (1 or more)`	Total number of threats detected during the scan	`15`	—
detail.service.additionalInfo.threatsDetected Source: Array of threat details from malware scan	Array	Required	—	Details for top 32 threats detected (based on severity). Each finding includes up to 32 threats.	`[{threatName, severity, itemCount, files}]`	—
detail.service.additionalInfo.threatsDetected[].threatName Source: random_choice() of malware threat names	String	Required	`Threat name`	Name of the detected threat	`Trojan.Win32.Generic`	`Trojan.Win32.Generic` — Windows trojan `Trojan.Linux.Generic` — Linux trojan `Backdoor.Linux.Generic` — Linux backdoor `Virus.Win32.Generic` — Windows virus `Adware.Mac.Generic` — Mac adware `Spyware.Win32.Generic` — Windows spyware `Ransomware.Win32.Generic` — Windows ransomware `PUA.Win32.Generic` — Potentially Unwanted Application `Rootkit.Linux.Generic` — Linux rootkit `Miner.Linux.Generic` — Cryptocurrency miner
detail.service.additionalInfo.threatsDetected[].files[].filePath Source: File path from malware scan	String	Required	`Absolute file path`	Full path to the malicious or suspicious file. Note: File paths may be controlled by malicious actors and should be sanitized when displayed	`/tmp/malware.exe`	—
detail.service.additionalInfo.threatsDetected[].files[].fileHash Source: SHA-256 hash of file content	String	Required	`64-character hexadecimal string`	SHA-256 hash of the malicious or suspicious file	`a1b2c3d4e5f6...`	—
detail.severity Source: random_choice([2, 5, 5, 8, 8, 8]) - varies based on threat	Integer	Required	—	Finding severity level (varies depending on detected threat severity)	`8`	`2` — Low severity (1.0-3.9) - typically suspicious files `5` — Medium severity (4.0-6.9) `8` — High severity (7.0-8.9) - typically malicious files

Details

Fields

Medium

Frequency

Feedback

No ratings yet