Malware Protection For Pc


Sadoth Royer
Aug 3, 2024, 4:42:49 PM
to desdolandmit

With Amazon GuardDuty, you can monitor your AWS accounts and workloads to detect malicious activity. Today, we are adding to GuardDuty the capability to detect malware. Malware is malicious software that is used to compromise workloads, repurpose resources, or gain unauthorized access to data. When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious. For example, a malware scan is triggered when an EC2 instance is communicating with a command-and-control server that is known to be malicious or is performing denial of service (DoS) or brute-force attacks against other EC2 instances.

GuardDuty supports many file system types and scans file formats known to be used to spread or contain malware, including Windows and Linux executables, PDF files, archives, binaries, scripts, installers, email databases, and plain emails.

When potential malware is identified, actionable security findings are generated with information such as the threat and file name, the file path, the EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. GuardDuty supports container workloads running on EC2, including customer-managed Kubernetes clusters or individual Docker containers. If the container is managed by Amazon Elastic Kubernetes Service (Amazon EKS) or Amazon Elastic Container Service (Amazon ECS), the findings also include the cluster name and the task or pod ID so application and security teams can quickly find the affected container resources.

As with all other GuardDuty findings, malware detections are sent to the GuardDuty console, pushed through Amazon EventBridge, routed to AWS Security Hub, and made available in Amazon Detective for incident investigation.

The service-linked role grants GuardDuty access to AWS Key Management Service (AWS KMS) keys used to encrypt EBS volumes. If the EBS volumes attached to a potentially compromised EC2 instance are encrypted with a customer-managed key, GuardDuty Malware Protection uses the same key to encrypt the replica EBS volumes as well. The KMS keys from which GuardDuty issues grants to the service account cannot be invoked from any context except the Amazon EBS service. Further, the grants are retired after the scan completes. If the volumes are not encrypted, GuardDuty uses its own key to encrypt the replica EBS volumes to ensure that these volumes created by GuardDuty are always encrypted. Volumes encrypted with EBS-managed keys are not supported.

Snapshots are automatically deleted after they are scanned. In General settings, I have the option to retain in my AWS account the snapshots where malware is detected and have them available for further analysis.

In Scan options, I can configure a list of inclusion tags, so that only EC2 instances with those tags are scanned, or exclusion tags, so that EC2 instances with tags in the list are skipped.

Testing Malware Protection GuardDuty Findings
To generate several Amazon GuardDuty findings, including the new Malware Protection findings, I clone the Amazon GuardDuty Tester repo:

First, I create an AWS CloudFormation stack using the guardduty-tester.template file. When the stack is ready, I follow the instructions to configure my SSH client to log in to the tester instance through the bastion host. Then, I connect to the tester instance:

After a few minutes, the findings appear in the GuardDuty console. At the top, I see the malicious files found by the new Malware Protection capability. One of the findings is related to an EC2 instance, the other to an ECS cluster.

First, I select the finding related to the EC2 instance. In the panel, I see the information on the instance and the malicious file, such as the file name and path. In the Malware scan details section, the Trigger finding ID points to the original GuardDuty finding that triggered the malware scan. In my case, the original finding was that this EC2 instance was performing RDP brute force attacks against another EC2 instance.

Here, I choose Investigate with Detective and, directly from the GuardDuty console, I go to the Detective console to visualize AWS CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow data for the EC2 instance, the AWS account, and the IP address affected by the finding. Using Detective, I can analyze, investigate, and identify the root cause of suspicious activities found by GuardDuty.

Comparing GuardDuty Malware Protection with Amazon Inspector
At this point, you might ask yourself how GuardDuty Malware Protection relates to Amazon Inspector, a service that scans AWS workloads for software vulnerabilities and unintended network exposure. The two services complement each other and offer different layers of protection:


Attackers always look for quick ways to steal data. Using readily available automated tools and advanced techniques, they can do so with ease, leaving your traditional network defenses ineffective. Malware is designed to spread quickly, create havoc and affect as many machines as possible. To protect your organization against such threats, you need a holistic, enterprise-wide malware protection strategy.

You create the illusion of security if you only rely on perimeter security, such as firewalls, intrusion prevention systems and URL filtering, or focus only on endpoint security, such as antivirus, anti-spam and malware analysis. With the ever-increasing attack surface and the growing prevalence of automated, sophisticated and volumetric attacks, you need a platform approach built for automation. To stay ahead of attackers, you need a malware protection strategy that includes a global threat intelligence community and covers the network, endpoint and cloud.

A successful military operation relies on credible threat intelligence to make executive decisions. Similarly, contextual threat intelligence shared with a global community enables organizations to respond to attacks more quickly. Security analysts can subscribe to premium and free versions of global threat feeds to help their teams stay ahead of attackers.

Everything runs on the network. Business transactions, application deployments, access to resources, web browsing and video streaming all depend on the network running smoothly. The network is also a doorway to your most critical business assets, and it needs protection. Firewalls, intrusion prevention systems, URL filtering and sandboxing systems are typically deployed to protect the network by detecting, analyzing and preventing malicious activity.

More organizations are moving their critical assets to the cloud for its scalability, agility and cost savings. However, there are some security risks organizations must address. Hackers go after your data no matter where it lives, so cloud infrastructure is still open to cyberattacks similar to those that target traditional data centers. To protect against malware, you need to gain complete visibility into your cloud infrastructure, provide strong protections for incoming and outgoing traffic, secure your containers, and run compliance audits to expose data leaks.

The key is to seamlessly integrate cloud, network and endpoint security with global threat intelligence to quickly detect and deliver automated malware protections in near-real time. Tight integration across your network, cloud and endpoint environments, coupled with global threat intelligence, simplifies security so you can secure your users, applications and data everywhere.

Extended detection and response (XDR) is a new category of security solutions that can help you stop malware. XDR combines next-gen antivirus and endpoint protection with network detection and response, user behavior analytics and more to deliver holistic security across all your digital assets. The industry's first XDR platform, Cortex XDR, gathers and integrates data from any source to block malware and detect and eradicate stealthy threats.

Malware Protection for S3 helps you detect the potential presence of malware by scanning objects newly uploaded to your selected Amazon Simple Storage Service (Amazon S3) bucket. When an S3 object or a new version of an existing S3 object gets uploaded to your selected bucket, GuardDuty automatically starts a malware scan.

You can enable Malware Protection for S3 when your AWS account enables the GuardDuty service and you use Malware Protection for S3 as a part of the overall GuardDuty experience, or when you want to use the Malware Protection for S3 feature by itself without enabling the GuardDuty service. When you enable Malware Protection for S3 by itself, the GuardDuty documentation refers to it as using Malware Protection for S3 as an independent feature.

When you enable Malware Protection for S3 independently in an account, that account will not have an associated detector ID. This impacts what GuardDuty features may be available to you. For example, when an S3 malware scan detects the presence of malware, no GuardDuty finding will get generated in your AWS account because all GuardDuty findings are associated with a detector ID.

You can enable Malware Protection for S3 for an Amazon S3 bucket that belongs to your own account. As a delegated GuardDuty administrator account, you can't enable this feature in an Amazon S3 bucket that belongs to a member account.

As a delegated GuardDuty administrator account, you will receive an Amazon EventBridge notification each time there is a change in the Malware Protection plan resource status of an S3 bucket that one of your organization's member accounts configured for this feature.

Malware, short for "malicious software," refers to a type of computer program designed to infect a legitimate user's computer and inflict harm on it in multiple ways. Malware can infect computers and devices in several ways and comes in a number of forms, just a few of which include viruses, worms, Trojans, spyware and more. It's vital that all users know how to recognize and protect themselves from malware in all of its forms.

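The post says malware findings are pushed through Amazon EventBridge and that scan scope can be limited with inclusion or exclusion tags. The following is an added Python example, not code from the post or from AWS: a small matcher for the EventBridge pattern subset (exact value, prefix, numeric) so a rule pattern can be checked offline against a finding event, a triage summary that pulls out the fields the post names (threat name, file path, instance ID, trigger finding ID), and a model of the inclusion/exclusion tag check. The finding types Execution:EC2/MaliciousFile and Execution:ECS/MaliciousFile are the names GuardDuty assigns to these findings; the sample event bodies, their IDs, tags, paths and threat name are constructed, and the field layout under `Service` is an assumption, not a verbatim finding.

```python
"""Offline triage of GuardDuty Malware Protection findings delivered via EventBridge.

Added example, not code from the post or from AWS. Sample events are constructed and
simplified; the layout under "detail" is an assumption about the finding format.
"""
import operator

# Finding types GuardDuty assigns to malware found on an EC2 instance and on an ECS workload.
EC2_MALWARE_TYPE = "Execution:EC2/MaliciousFile"
ECS_MALWARE_TYPE = "Execution:ECS/MaliciousFile"

# EventBridge rule pattern: route only malware findings of severity 7 or higher.
MALWARE_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "Type": [{"prefix": EC2_MALWARE_TYPE}, {"prefix": ECS_MALWARE_TYPE}],
        "Severity": [{"numeric": [">=", 7]}],
    },
}

# Constructed malware finding (account, instance ID, tags, path, threat name are made up).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "Type": EC2_MALWARE_TYPE, "Severity": 8,
        "Resource": {"ResourceType": "Instance", "InstanceDetails": {
            "InstanceId": "i-0123456789abcdef0",
            "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "team", "Value": "payments"}]}},
        "Service": {"EbsVolumeScanDetails": {
            "TriggerFindingId": "00000000000000000000000000000000",  # placeholder ID
            "ScanDetections": {"ThreatDetectedByName": {"ThreatNames": [
                {"Name": "Constructed.TestThreat",
                 "FilePaths": [{"FilePath": "/opt/app/cache/dropper.bin"}]}]}}}},
    },
}

# Constructed non-malware finding that the pattern must not route.
OTHER_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 5,
               "Resource": {"ResourceType": "Instance",
                            "InstanceDetails": {"InstanceId": "i-0fedcba9876543210", "Tags": []}}},
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _value_matches(value, matcher):
    """One EventBridge candidate: a literal, {"prefix": s} or {"numeric": [op, n, op, n...]}."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "numeric" in matcher:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            conds = matcher["numeric"]  # pairs of operator and bound, all must hold
            return all(_NUMERIC_OPS[conds[i]](value, conds[i + 1])
                       for i in range(0, len(conds), 2))
        raise ValueError(f"unsupported matcher: {matcher}")
    return value == matcher


def matches_event_pattern(event, pattern):
    """Every pattern key must exist in the event; a list is OR over candidates, a dict recurses."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches_event_pattern(event[key], spec):
                return False
        elif not any(_value_matches(event[key], m) for m in spec):
            return False
    return True


def summarize_malware_finding(event):
    """Pull out the actionable fields the finding carries for the responder."""
    detail = event["detail"]
    scan = detail.get("Service", {}).get("EbsVolumeScanDetails", {})
    threats = scan.get("ScanDetections", {}).get("ThreatDetectedByName", {}).get("ThreatNames", [])
    return {
        "finding_type": detail["Type"],
        "severity": detail["Severity"],
        "instance_id": detail["Resource"].get("InstanceDetails", {}).get("InstanceId"),
        "trigger_finding_id": scan.get("TriggerFindingId"),  # the finding that started the scan
        "detections": [(t["Name"], fp["FilePath"]) for t in threats for fp in t.get("FilePaths", [])],
    }


def triage(events, pattern=MALWARE_RULE_PATTERN):
    """Summaries for the events a rule with this pattern would deliver."""
    return [summarize_malware_finding(e) for e in events if matches_event_pattern(e, pattern)]


def instance_in_scan_scope(tags, inclusion_tags=None, exclusion_tags=None):
    """Model of the Scan options: an exclusion tag skips the instance; if inclusion tags are
    configured, only instances carrying one of them are scanned. Filters are {Key: Value}
    dicts; a Value of None means any value for that key."""
    present = {t["Key"]: t["Value"] for t in tags}

    def hit(filters):
        return any(k in present and (v is None or present[k] == v)
                   for k, v in (filters or {}).items())
    if hit(exclusion_tags):
        return False
    return hit(inclusion_tags) if inclusion_tags else True


if __name__ == "__main__":
    for summary in triage([SAMPLE_EVENT, OTHER_EVENT]):
        print(summary)
```

Because `matches_event_pattern` follows the EventBridge semantics for these matcher kinds, the same pattern dict can be pasted into the rule and unit-tested here first; a finding whose `Severity` is below the threshold or whose `Type` is not a malware finding is dropped before it reaches the responder.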