

# GuardDuty-initiated malware scan
<a name="gdu-initiated-malware-scan"></a>

With GuardDuty-initiated malware scan enabled, whenever GuardDuty generates [Findings that invoke GuardDuty-initiated malware scan](gd-findings-initiate-malware-protection-scan.md), an agentless malware scan on the Amazon Elastic Block Store (Amazon EBS) volumes attached to the potentially impacted Amazon EC2 resource will initiate. Before a scan initiates, you must prepare your account for any customizations. With scan options, you can add inclusion tags associated with the resources that you want to scan, or add exclusion tags associated with the resources that you want to skip from the scanning process. An automatic scan initiation will always consider your scan options. GuardDuty also supports a global `GuardDutyExcluded`:`true` tag key:value pair. When you add this global tag to an Amazon EC2 resource, GuardDuty will initiate the scan and then skip it. You can also choose to turn on the snapshots retention setting to retain the snapshots of your EBS volumes where malware was potentially detected. For more information about scan options, global exclusion tag, and snapshot settings, see [Set up snapshot retention and EC2 scan coverage](malware-protection-customizations.md).

When GuardDuty generates multiple findings for the same Amazon EC2 resource, GuardDuty will be able to initiate a scan only after 24 hours have passed since the last GuardDuty-initiated malware scan. For information about how the Amazon EBS volumes attached to your Amazon EC2 instance or container workload are scanned, see [How GuardDuty scans EBS volumes for malware detection](guardduty_malware_protection-ebs-volume-data.md). 

The following image describes how GuardDuty-initiated malware scan works. 

![\[Depicts how Malware Protection for EC2 works and available customizations in GuardDuty.\]](http://docs.aws.amazon.com/guardduty/latest/ug/images/malwareprotection-diagram.png)


For information about GuardDuty malware detection methodology and the scan engines that it uses, see [GuardDuty malware detection scan engine](guardduty-malware-detection-scan-engine.md).

When malware is found, GuardDuty generates [Malware Protection for EC2 finding types](findings-malware-protection.md). If GuardDuty doesn't generate a finding indicative of malware on the same resource, no GuardDuty-initiated malware scan will be invoked. You can also initiate an On-demand malware scan on the same resource. For more information, see [On-demand malware scan in GuardDuty](on-demand-malware-scan.md).

# 30-day free trial in GuardDuty-initiated malware scan
<a name="malware-protection-ec2-guardduty-30-day-free-trial"></a>

You can choose to enable or disable GuardDuty-initiated malware scan for an AWS account in a supported AWS Region at any time. If you have an organization, each member account has its own 30-day free trial.

To understand how the 30-day free trial works, consider the following scenarios:
+ When you enable GuardDuty for the first time (new GuardDuty account), GuardDuty-initiated malware scan also gets enabled and is included in the 30-day free trial associated with the GuardDuty service.
+ An existing GuardDuty account can enable GuardDuty-initiated malware scan for the first time with a 30-day free trial. When you enable this feature in a different Region for the first time, you will get a 30-day free trial in that Region.
+ If you have been using Malware Protection for EC2 in an AWS Region before this protection plan was divided into two scan types – GuardDuty-initiated malware scan and On-demand malware scan, you can continue using GuardDuty-initiated malware scan with the same pricing model in the same AWS Region. If you enable GuardDuty-initiated malware scan for the first time in a new Region, your account will get a 30-day free trial. 

**Note**  
Even if you're on a 30-day free trial period, the standard usage cost for creating the Amazon EBS volume snapshots and their retention applies. For more information, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).

# Enabling GuardDuty-initiated malware scan in multiple-account environments
<a name="configure-malware-protection-guardduty-initiated-multi-account"></a>

In a multiple-account environment, only the GuardDuty administrator account can enable GuardDuty-initiated malware scan on behalf of its member accounts. Additionally, an administrator account that manages the member accounts with AWS Organizations support can choose to have GuardDuty-initiated malware scan enabled automatically on all the existing and new accounts in the organization. For more information, see [Managing GuardDuty accounts with AWS Organizations](guardduty_organizations.md). 

## Establishing trusted access to enable GuardDuty-initiated malware scan
<a name="delegated-admin-different-management-account"></a>

If the GuardDuty delegated administrator account is not the same as the management account in your organization, the management account must enable GuardDuty-initiated malware scan for their organization. This way, the delegated administrator account can create the [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md) in member accounts that are managed through AWS Organizations.

**Note**  
Before you designate a delegated GuardDuty administrator account, see [Considerations and recommendations](guardduty_organizations.md#delegated_admin_important).

Choose your preferred access method to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in the organization.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   To log in, use the management account for your AWS Organizations organization.

1. Do one of the following:

   1. If you have not designated a delegated GuardDuty administrator account, then:

      On the **Settings** page, under **delegated GuardDuty administrator account**, enter the 12-digit **account ID** that you want to designate to administer the GuardDuty policy in your organization. Choose **Delegate**. 

   1. If you've already designated a delegated GuardDuty administrator account that is different from the management account, then:

      On the **Settings** page, under **Delegated Administrator**, turn on the **Permissions** setting. This action will allow the delegated GuardDuty administrator account to attach relevant permissions to the member accounts and enable GuardDuty-initiated malware scan in these member accounts.

   1. If you've already designated a delegated GuardDuty administrator account that is the same as the management account, then you can directly enable GuardDuty-initiated malware scan for the member accounts. For more information, see [Auto-enable GuardDuty-initiated malware scan for all member accounts](#auto-enable-malware-protection-all-organization-member). 

   **Tip**  
   If the delegated GuardDuty administrator account is different from your management account, you must provide permissions to the delegated GuardDuty administrator account to allow enabling GuardDuty-initiated malware scan for member accounts.

1. If you want to allow the delegated GuardDuty administrator account to enable GuardDuty-initiated malware scan for member accounts in other Regions, change your AWS Region, and repeat the steps above.

------
#### [ API/CLI ]

1. Using your management account credentials, run the following command:

   ```
   aws organizations enable-aws-service-access --service-principal malware-protection.guardduty.amazonaws.com
   ```

1. (Optional) To enable GuardDuty-initiated malware scan for the management account that is not a delegated administrator account, the management account will first create the [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md) explicitly in their account, and then enable GuardDuty-initiated malware scan from the delegated administrator account, similar to any other member account.

   ```
   aws iam create-service-linked-role --aws-service-name malware-protection.guardduty.amazonaws.com
   ```

1. You have designated the delegated GuardDuty administrator account in the currently selected AWS Region. If you have designated an account as a delegated GuardDuty administrator account in one Region, that account must be your delegated GuardDuty administrator account in all other Regions. Repeat the step above for all other Regions.

------

## Configuring GuardDuty-initiated malware scan for delegated GuardDuty administrator account
<a name="configure-gdu-initiated-malware-pro-delegatedadmin"></a>

Choose your preferred access method to enable or disable GuardDuty-initiated malware scan for a delegated GuardDuty administrator account.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Malware Protection for EC2**.

1. On the **Malware Protection for EC2** page, choose **Edit** next to **GuardDuty-initiated malware scan**.

1. Do one of the following:

**Using Enable for all accounts**
   + Choose **Enable for all accounts**. This will enable the protection plan for all the active GuardDuty accounts in your AWS organization, including the new accounts that join the organization.
   + Choose **Save**.

**Using Configure accounts manually**
   + To enable the protection plan only for the delegated GuardDuty administrator account, choose **Configure accounts manually**.
   + Choose **Enable** under the **delegated GuardDuty administrator account (this account)** section.
   + Choose **Save**.

------
#### [ API/CLI ]

Run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) API operation using your own regional detector ID and passing the `features` object `name` as `EBS_MALWARE_PROTECTION` and `status` as `ENABLED`.

You can enable GuardDuty-initiated malware scan by running the following AWS CLI command. Make sure to use delegated GuardDuty administrator account's valid *detector ID*. 

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
              --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
```

------

## Auto-enable GuardDuty-initiated malware scan for all member accounts
<a name="auto-enable-malware-protection-all-organization-member"></a>

Choose your preferred access method to enable the GuardDuty-initiated malware scan feature for all member accounts. This includes existing member accounts and the new accounts that join the organization.

------
#### [ Console ]

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Make sure to use the delegated GuardDuty administrator account credentials.

1. Do one of the following:

**Using the Malware Protection for EC2 page**

   1. In the navigation pane, choose **Malware Protection for EC2**.

   1. On the **Malware Protection for EC2** page, choose **Edit** in the **GuardDuty-initiated malware scan** section.

   1. Choose **Enable for all accounts**. This action automatically enables GuardDuty-initiated malware scan for both existing and new accounts in the organization.

   1. Choose **Save**.
   **Note**  
   It may take up to 24 hours to update the configuration for the member accounts.

**Using the Accounts page**

   1. In the navigation pane, choose **Accounts**.

   1. On the **Accounts** page, choose **Auto-enable** preferences before **Add accounts by invitation**.

   1. In the **Manage auto-enable preferences** window, choose **Enable for all accounts** under **GuardDuty-initiated malware scan**.

   1. Choose **Save**.

   If you can't use the **Enable for all accounts** option, see [Selectively enable GuardDuty-initiated malware scan for member accounts](#selective-enable-disable-malware-protection-member-accounts).

------
#### [ API/CLI ]
+ To selectively enable GuardDuty-initiated malware scan for your member accounts, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*. 
+ The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable a member account, replace `ENABLED` with `DISABLED`. 

  To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

  ```
  aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
  ```

  You can also pass a list of account IDs separated by a space.
+ When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

------

## Enable GuardDuty-initiated malware scan for all existing active member accounts
<a name="enable-for-all-existing-members-gdu-initiated-malware-scan"></a>

Choose your preferred access method to enable GuardDuty-initiated malware scan for all the existing active member accounts in the organization.

**To configure GuardDuty-initiated malware scan for all existing active member accounts**

1. Sign in to the AWS Management Console and open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Sign in using the delegated GuardDuty administrator account credentials.

1. In the navigation pane, choose **Malware Protection for EC2**.

1. On the **Malware Protection for EC2** page, you can view the current status of the **GuardDuty-initiated malware scan** configuration. Under the **Active member accounts** section, choose **Actions**.

1. From the **Actions** dropdown menu, choose **Enable for all existing active member accounts**.

1. Choose **Save**.

## Auto-enable GuardDuty-initiated malware scan for new member accounts
<a name="configure-malware-protection-new-accounts-organization"></a>

The newly added member accounts must **Enable** GuardDuty before configuring GuardDuty-initiated malware scan. The member accounts managed by invitation can configure GuardDuty-initiated malware scan manually for their accounts. For more information, see [Step 3 - Accept an invitation](guardduty_become_console.md#guardduty_accept_invite_proc).

Choose your preferred access method to enable GuardDuty-initiated malware scan for new accounts that join your organization.

------
#### [ Console ]

The delegated GuardDuty administrator account can enable GuardDuty-initiated malware scan for new member accounts in an organization, using either the **Malware Protection for EC2** or **Accounts** page.

**To auto-enable GuardDuty-initiated malware scan for new member accounts**

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Make sure to use the delegated GuardDuty administrator account credentials.

1. Do one of the following:
   + Using the **Malware Protection for EC2** page:

     1. In the navigation pane, choose **Malware Protection for EC2**.

     1. On the **Malware Protection for EC2** page, choose **Edit** in the **GuardDuty-initiated malware scan** section.

     1. Choose **Configure accounts manually**.

     1. Select **Automatically enable for new member accounts**. This step ensures that whenever a new account joins your organization, GuardDuty-initiated malware scan will be automatically enabled for their account. Only the organization delegated GuardDuty administrator account can modify this configuration.

     1. Choose **Save**.
   + Using the **Accounts** page:

     1. In the navigation pane, choose **Accounts**.

     1. On the **Accounts** page, choose **Auto-enable** preferences.

     1. In the **Manage auto-enable preferences** window, select **Enable for new accounts** under **GuardDuty-initiated malware scan**.

     1. Choose **Save**.

------
#### [ API/CLI ]
+ To enable or disable GuardDuty-initiated malware scan for new member accounts, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateOrganizationConfiguration.html) API operation using your own *detector ID*. 
+ The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. To disable it, see [Selectively enable GuardDuty-initiated malware scan for member accounts](#selective-enable-disable-malware-protection-member-accounts). If you don't want to enable it for all the new accounts joining the organization, set `AutoEnable` to `NONE`. 

  To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

  ```
  aws guardduty update-organization-configuration --detector-id 12abc34d567e8fa901bc2d34e56789f0 --auto-enable --features '[{"Name": "EBS_MALWARE_PROTECTION", "AutoEnable": "NEW"}]'
  ```

  You can also pass a list of account IDs separated by a space.
+ When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

------

## Selectively enable GuardDuty-initiated malware scan for member accounts
<a name="selective-enable-disable-malware-protection-member-accounts"></a>

Choose your preferred access method to configure GuardDuty-initiated malware scan for member accounts selectively.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **Accounts**.

1. On the **Accounts** page, review the **GuardDuty-initiated malware scan** column for the status of your member account. 

1. Select the account for which you want to configure GuardDuty-initiated malware scan. You can select multiple accounts at a time. 

1. From the **Edit protection plans** menu, choose the appropriate option for **GuardDuty-initiated malware scan**.

------
#### [ API/CLI ]

To selectively enable or disable GuardDuty-initiated malware scan for your member accounts, invoke the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*. 

The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. 

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
```

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

To selectively enable GuardDuty-initiated malware scan for your member accounts, run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateMemberDetectors.html) API operation using your own *detector ID*. The following example shows how you can enable GuardDuty-initiated malware scan for a single member account. 

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-member-detectors --detector-id 12abc34d567e8fa901bc2d34e56789f0 --account-ids 111122223333 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
```

You can also pass a list of account IDs separated by a space.

When the code has successfully executed, it returns an empty list of `UnprocessedAccounts`. If there were any problems changing the detector settings for an account, that account ID is listed along with a summary of the issue.

------
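
The member-account procedure above, as an added example that is not AWS's own code: it calls `UpdateMemberDetectors` in batches, collects `UnprocessedAccounts`, and reads the setting back with `GetMemberDetectors` to find coverage gaps. `StubGuardDuty`, the generated account IDs and the rejection reason are constructed so the block runs offline; the batch size of 50 reflects the per-call limit on account IDs.

```python
"""Added example: enable GuardDuty-initiated malware scan for member accounts
and report every account that did not take the setting."""

FEATURE = "EBS_MALWARE_PROTECTION"
MAX_IDS_PER_CALL = 50  # per-call limit on AccountIds for both member-detector APIs


def _batches(items, size=MAX_IDS_PER_CALL):
    for start in range(0, len(items), size):
        yield items[start:start + size]


def enable_for_members(gd, detector_id, account_ids, status="ENABLED"):
    """Call UpdateMemberDetectors in batches; return {account_id: reason} for failures."""
    failed = {}
    for batch in _batches(list(account_ids)):
        resp = gd.update_member_detectors(
            DetectorId=detector_id,
            AccountIds=batch,
            Features=[{"Name": FEATURE, "Status": status}],
        )
        # An empty UnprocessedAccounts list means every account in the batch was updated.
        for item in resp.get("UnprocessedAccounts", []):
            failed[item["AccountId"]] = item["Result"]
    return failed


def audit_members(gd, detector_id, account_ids):
    """Read the setting back; return {account_id: status} for accounts not ENABLED."""
    gaps = {}
    for batch in _batches(list(account_ids)):
        resp = gd.get_member_detectors(DetectorId=detector_id, AccountIds=batch)
        reported = set()
        for member in resp.get("MemberDataSourceConfigurations", []):
            reported.add(member["AccountId"])
            status = next(
                (f["Status"] for f in member.get("Features", []) if f["Name"] == FEATURE),
                "MISSING",
            )
            if status != "ENABLED":
                gaps[member["AccountId"]] = status
        for item in resp.get("UnprocessedAccounts", []):
            reported.add(item["AccountId"])
            gaps[item["AccountId"]] = item["Result"]
        # An account that appears in neither list is also a coverage gap.
        for account_id in batch:
            if account_id not in reported:
                gaps[account_id] = "NOT_REPORTED"
    return gaps


class StubGuardDuty:
    """Constructed stand-in for a boto3 GuardDuty client so the example runs offline."""

    def __init__(self, rejected):
        self.rejected = rejected  # {account_id: reason}, constructed
        self.enabled = set()
        self.calls = 0

    def update_member_detectors(self, DetectorId, AccountIds, Features):
        self.calls += 1
        turn_on = Features[0]["Status"] == "ENABLED"
        unprocessed = []
        for account_id in AccountIds:
            if account_id in self.rejected:
                unprocessed.append({"AccountId": account_id, "Result": self.rejected[account_id]})
            elif turn_on:
                self.enabled.add(account_id)
            else:
                self.enabled.discard(account_id)
        return {"UnprocessedAccounts": unprocessed}

    def get_member_detectors(self, DetectorId, AccountIds):
        members, unprocessed = [], []
        for account_id in AccountIds:
            if account_id in self.rejected:
                unprocessed.append({"AccountId": account_id, "Result": self.rejected[account_id]})
            else:
                status = "ENABLED" if account_id in self.enabled else "DISABLED"
                members.append({"AccountId": account_id,
                                "Features": [{"Name": FEATURE, "Status": status}]})
        return {"MemberDataSourceConfigurations": members, "UnprocessedAccounts": unprocessed}


if __name__ == "__main__":
    detector = "12abc34d567e8fa901bc2d34e56789f0"  # sample detector ID used on this page
    accounts = [f"{100000000000 + i:012d}" for i in range(60)]  # constructed IDs
    client = StubGuardDuty(rejected={accounts[7]: "constructed rejection reason"})
    print("failed:", enable_for_members(client, detector, accounts))
    print("gaps:  ", audit_members(client, detector, accounts))
```

Against a real organization, pass `boto3.client("guardduty", region_name=...)` created with the delegated GuardDuty administrator account credentials in place of the stub, once per Region.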

## Enable GuardDuty-initiated malware scan for existing accounts in the Organization managed via invitation
<a name="enable-malware-protection-existing-accounts-organization"></a>

The GuardDuty Malware Protection for EC2 service-linked role (SLR) must be created in member accounts. The administrator account can't enable the GuardDuty-initiated malware scan feature in member accounts that are not managed by AWS Organizations.

Presently, you can perform the following steps through the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) to enable GuardDuty-initiated malware scan for the existing member accounts.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

   Sign in using your administrator account credentials.

1. In the navigation pane, choose **Accounts**.

1. Select the member account for which you want to enable GuardDuty-initiated malware scan. You can select multiple accounts at a time. 

1. Choose **Actions**.

1. Choose **Disassociate member**.

1. In your member account, choose **Malware Protection** under **Protection plans** on the navigation pane.

1. Choose **Enable GuardDuty-initiated malware scan**. GuardDuty will create an SLR for the member account. For more information on SLR, see [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md).

1. In your administrator account, choose **Accounts** on the navigation pane.

1. Choose the member account that needs to be added back to the organization.

1. Choose **Actions** and then, choose **Add member**.

------
#### [ API/CLI ]

1. Use the administrator account to run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html) API on the member accounts that want to enable GuardDuty-initiated malware scan.

1. Use your member account to invoke [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) to enable GuardDuty-initiated malware scan.

   To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

   ```
   aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --data-sources '{"MalwareProtection":{"ScanEc2InstanceWithFindings":{"EbsVolumes":true}}}'
   ```

1. Use the administrator account to run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html) API to add the member back to the organization.

------

# Enabling GuardDuty-initiated malware scan for a standalone account
<a name="configure-malware-protection-single-account"></a>

A standalone account owns the decision to enable or disable a protection plan in their AWS account in a specific AWS Region. 

If your account is associated with a GuardDuty administrator account through AWS Organizations, or by the method of invitation, this section doesn't apply to your account. For more information, see [Enabling GuardDuty-initiated malware scan in multiple-account environments](configure-malware-protection-guardduty-initiated-multi-account.md).

After you enable GuardDuty-initiated malware scan, GuardDuty will initiate a malware scan of the Amazon EBS volume that is attached to the Amazon EC2 instance that was involved in a GuardDuty finding. For a list of findings that initiate malware scan, see [Findings that invoke GuardDuty-initiated malware scan](gd-findings-initiate-malware-protection-scan.md).

Choose your preferred access method to configure GuardDuty-initiated malware scan for a standalone account.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.

1. The Malware Protection for EC2 pane lists the current status of GuardDuty-initiated malware scan for your account. Choose **Enable** to enable GuardDuty-initiated malware scan in this account.

1. Choose **Save** to confirm your selection.

------
#### [ API/CLI ]

Run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) API operation using your own regional detector ID and passing the `dataSources` object with `EbsVolumes` set to `true`.

You can also enable GuardDuty-initiated malware scan by running the following AWS CLI command. Make sure to use your own valid *detector ID*. 

To find the `detectorId` for your account and current Region, see the **Settings** page in the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console, or run the [https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.

```
aws guardduty update-detector --detector-id 12abc34d567e8fa901bc2d34e56789f0 --features '[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}]'
```

------

# Findings that invoke GuardDuty-initiated malware scan
<a name="gd-findings-initiate-malware-protection-scan"></a>

When GuardDuty detects suspicious behavior that is indicative of malware on an Amazon EC2 instance or a container workload that is running on an Amazon EC2 instance, GuardDuty will generate a finding. If this generated finding belongs to the following list of GuardDuty findings, then GuardDuty will automatically initiate malware scan on the Amazon EBS volumes attached to the Amazon EC2 instance that is involved in the finding. After the scan, if GuardDuty detects malware, then it will also generate one or more [Malware Protection for EC2 finding types](findings-malware-protection.md).

If any of the following GuardDuty findings get generated in your account, GuardDuty will automatically initiate malware scan in the Amazon EBS volume of the potentially compromised Amazon EC2 instance.
+ [Backdoor:EC2/C&CActivity.B](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivityb)
+ [Backdoor:EC2/C&CActivity.B\$1DNS](guardduty_finding-types-ec2.md#backdoor-ec2-ccactivitybdns)
+ [Backdoor:EC2/DenialOfService.Dns](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicedns)
+ [Backdoor:EC2/DenialOfService.Tcp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofservicetcp)
+ [Backdoor:EC2/DenialOfService.Udp](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudp)
+ [Backdoor:EC2/DenialOfService.UdpOnTcpPorts](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceudpontcpports)
+ [Backdoor:EC2/DenialOfService.UnusualProtocol](guardduty_finding-types-ec2.md#backdoor-ec2-denialofserviceunusualprotocol)
+ [Backdoor:EC2/Spambot](guardduty_finding-types-ec2.md#backdoor-ec2-spambot)
+ [CryptoCurrency:EC2/BitcoinTool.B](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolb)
+ [CryptoCurrency:EC2/BitcoinTool.B\$1DNS](guardduty_finding-types-ec2.md#cryptocurrency-ec2-bitcointoolbdns)
+ [DefenseEvasion:Runtime/PtraceAntiDebugging](findings-runtime-monitoring.md#defenseevasion-runtime-ptrace-anti-debug)
+ [DefenseEvasion:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#defenseevasion-runtime-suspicious-command)
+  [Execution:Runtime/MaliciousFileExecuted](findings-runtime-monitoring.md#execution-runtime-malicious-file-executed) 
+  [Execution:Runtime/SuspiciousCommand](findings-runtime-monitoring.md#execution-runtime-suspiciouscommand) 
+  [Execution:Runtime/SuspiciousShellCreated](findings-runtime-monitoring.md#execution-runtime-suspicious-shell-created) 
+  [Execution:Runtime/SuspiciousTool](findings-runtime-monitoring.md#execution-runtime-suspicioustool) 
+ [Impact:EC2/AbusedDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-abuseddomainrequestreputation)
+ [Impact:EC2/BitcoinDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-bitcoindomainrequestreputation)
+ [Impact:EC2/MaliciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-maliciousdomainrequestreputation)
+ [Impact:EC2/PortSweep](guardduty_finding-types-ec2.md#impact-ec2-portsweep)
+ [Impact:EC2/SuspiciousDomainRequest.Reputation](guardduty_finding-types-ec2.md#impact-ec2-suspiciousdomainrequestreputation)
+ [Impact:EC2/WinRMBruteForce](guardduty_finding-types-ec2.md#impact-ec2-winrmbruteforce) (Outbound only)
+ [PrivilegeEscalation:Runtime/ElevationToRoot](findings-runtime-monitoring.md#privilegeesc-runtime-elevation-to-root)
+ [Recon:EC2/Portscan](guardduty_finding-types-ec2.md#recon-ec2-portscan)
+ [Trojan:EC2/BlackholeTraffic](guardduty_finding-types-ec2.md#trojan-ec2-blackholetraffic)
+ [Trojan:EC2/BlackholeTraffic!DNS](guardduty_finding-types-ec2.md#trojan-ec2-blackholetrafficdns)
+ [Trojan:EC2/DGADomainRequest.B](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestb)
+ [Trojan:EC2/DGADomainRequest.C!DNS](guardduty_finding-types-ec2.md#trojan-ec2-dgadomainrequestcdns)
+ [Trojan:EC2/DNSDataExfiltration](guardduty_finding-types-ec2.md#trojan-ec2-dnsdataexfiltration)
+ [Trojan:EC2/DriveBySourceTraffic!DNS](guardduty_finding-types-ec2.md#trojan-ec2-drivebysourcetrafficdns)
+ [Trojan:EC2/DropPoint](guardduty_finding-types-ec2.md#trojan-ec2-droppoint)
+ [Trojan:EC2/DropPoint!DNS](guardduty_finding-types-ec2.md#trojan-ec2-droppointdns)
+ [Trojan:EC2/PhishingDomainRequest!DNS](guardduty_finding-types-ec2.md#trojan-ec2-phishingdomainrequestdns)
+ [UnauthorizedAccess:EC2/RDPBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-rdpbruteforce) (Outbound only)
+ [UnauthorizedAccess:EC2/SSHBruteForce](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-sshbruteforce) (Outbound only)
+ [UnauthorizedAccess:EC2/TorClient](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torclient)
+ [UnauthorizedAccess:EC2/TorRelay](guardduty_finding-types-ec2.md#unauthorizedaccess-ec2-torrelay)
+ [Backdoor:Runtime/C&CActivity.B](findings-runtime-monitoring.md#backdoor-runtime-ccactivityb)
+ [Backdoor:Runtime/C&CActivity.B!DNS](findings-runtime-monitoring.md#backdoor-runtime-ccactivitybdns)
+ [CryptoCurrency:Runtime/BitcoinTool.B](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolb)
+ [CryptoCurrency:Runtime/BitcoinTool.B!DNS](findings-runtime-monitoring.md#cryptocurrency-runtime-bitcointoolbdns)
+ [Execution:Runtime/NewBinaryExecuted](findings-runtime-monitoring.md#execution-runtime-newbinaryexecuted)
+ [Execution:Runtime/NewLibraryLoaded](findings-runtime-monitoring.md#execution-runtime-newlibraryloaded)
+ [Execution:Runtime/ReverseShell](findings-runtime-monitoring.md#execution-runtime-reverseshell)
+ [Impact:Runtime/AbusedDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-abuseddomainrequestreputation)
+ [Impact:Runtime/BitcoinDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-bitcoindomainrequestreputation)
+ [Impact:Runtime/CryptoMinerExecuted](findings-runtime-monitoring.md#impact-runtime-cryptominerexecuted)
+ [Impact:Runtime/MaliciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-maliciousdomainrequestreputation)
+ [Impact:Runtime/SuspiciousDomainRequest.Reputation](findings-runtime-monitoring.md#impact-runtime-suspiciousdomainrequestreputation)
+ [PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified](findings-runtime-monitoring.md#privilegeesc-runtime-cgroupsreleaseagentmodified)
+ [PrivilegeEscalation:Runtime/ContainerMountsHostDirectory](findings-runtime-monitoring.md#privilegeescalation-runtime-containermountshostdirectory)
+ [PrivilegeEscalation:Runtime/DockerSocketAccessed](findings-runtime-monitoring.md#privilegeesc-runtime-dockersocketaccessed)
+ [PrivilegeEscalation:Runtime/RuncContainerEscape](findings-runtime-monitoring.md#privilegeesc-runtime-runccontainerescape)
+ [PrivilegeEscalation:Runtime/UserfaultfdUsage](findings-runtime-monitoring.md#privilegeescalation-runtime-userfaultfdusage)
+ [Trojan:Runtime/BlackholeTraffic](findings-runtime-monitoring.md#trojan-runtime-blackholetraffic)
+ [Trojan:Runtime/BlackholeTraffic!DNS](findings-runtime-monitoring.md#trojan-runtime-blackholetrafficdns)
+ [Trojan:Runtime/DropPoint](findings-runtime-monitoring.md#trojan-runtime-droppoint)
+ [Trojan:Runtime/DropPoint!DNS](findings-runtime-monitoring.md#trojan-runtime-droppointdns)
+ [Trojan:Runtime/DGADomainRequest.C!DNS](findings-runtime-monitoring.md#trojan-runtime-dgadomainrequestcdns)
+ [Trojan:Runtime/DriveBySourceTraffic!DNS](findings-runtime-monitoring.md#trojan-runtime-drivebysourcetrafficdns)
+ [Trojan:Runtime/PhishingDomainRequest!DNS](findings-runtime-monitoring.md#trojan-runtime-phishingdomainrequestdns)
+ [UnauthorizedAccess:Runtime/MetadataDNSRebind](findings-runtime-monitoring.md#unauthorizedaccess-runtime-metadatadnsrebind)