# Starting On-demand malware scan in GuardDuty
This section provides a list of prerequisites before initiating an on-demand malware scan and steps to start the scan on a resource for the first time.
As a GuardDuty administrator account, you can start an on-demand malware scan on behalf of your active member accounts that have the following prerequisites set up in their accounts. Standalone accounts and active member accounts in GuardDuty can also start an on-demand malware scan for their own Amazon EC2 instances.
## Prerequisites
Before you start an On-demand malware scan, your account must meet the following prerequisites:
+ GuardDuty must be enabled in the AWS Regions where you want to start the on-demand malware scan.
+ Ensure that the [AWS managed policy: AmazonGuardDutyFullAccess\$1v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) is attached to the IAM user or the IAM role. You will need the access key and secret key associated with the IAM user or the IAM role.
+ As a delegated GuardDuty administrator account, you have the option to start an on-demand malware scan on behalf of an active member account.
+ Before you start an on-demand malware scan, make sure that no scan was started on the same resource in the past 1 hour; otherwise, it will be de-duped. For more information, see [Re-scanning previously scanned Amazon EC2 instance](initiate-on-demand-scan-on-same-resource.md).
+ If you're a member account that doesn't have the [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md), then initiating an on-demand malware scan for an Amazon EC2 instance that belongs to your account, will automatically create the SLR for Malware Protection for EC2.
**Important**
Ensure that no one deletes the [SLR permissions for Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions-malware-protection.html#delete-slr) when the malware scan is still in progress. This malware scan could be either started by GuardDuty or started on-demand. Deleting the SLR will prevent the scan from completing successfully, and providing definite scan result.
## Start On-demand malware scan
You can start an on-demand malware scan in your account through GuardDuty console or by using AWS CLI. You will need to provide the Amazon EC2 Amazon Resource Name (ARN) for which you want to start the scan. The detailed steps are provided in both console and API/AWS CLI instructions in the following section.
Choose your preferred access method to start an on-demand malware scan.
------
#### [ Console ]
1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).
1. Start the scan using one of the following options:
1. Using the **Malware Protection for EC2** page:
1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.
1. On the **Malware Protection for EC2** page, provide the **Amazon EC2 instance ARN**1 for which you want to start the scan.
1. Using the **Malware Scans** page:
1. In the navigation pane, choose **Malware Scans**.
1. Choose **Start on-demand scan** and provide the **Amazon EC2 instance ARN**1 for which you want to start the scan.
1. If this is a re-scan, select an **Amazon EC2** instance ID on the **Malware Scans** page.
Expand the **Start on-demand scan** dropdown and choose **Re-scan selected instance**.
1. After you successfully start a scan using either method, a scan ID gets generated. You can use this scan ID to track the progress of the scan. For more information, see [Monitoring malware scan statuses and results](malware-protection-scans.md).
------
#### [ API/CLI ]
Invoke [StartMalwareScan](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StartMalwareScan.html) that accepts the `resourceArn` of the Amazon EC2 instance1 for which you want to start an on-demand malware scan.
```
aws guardduty start-malware-scan --resource-arn "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
```
After you successfully start a scan, `StartMalwareScan` returns a `scanId`. Invoke [DescribeMalwareScans](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeMalwareScans.html) monitor the progress of the started scan.
------
1For information about the format of your Amazon EC2 instance ARN, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For Amazon EC2 instances, you can use the following example ARN format by replacing the values for the partition, Region, AWS account ID, and Amazon EC2 instance ID. For information about length of your instance ID, see [Resource IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html).
```
arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f
```
### AWS Organizations service control policy – Denied access
Using the [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in AWS Organizations, the delegated GuardDuty administrator account can restrict permissions and deny actions such as initiating an on-demand malware scan for Amazon EC2 instance owned by your accounts.
As a GuardDuty member account, when you start an on-demand malware scan for your Amazon EC2 instances, you may receive an error. You can connect with the management account to understand why an SCP was set up for your member account. For more information, see [SCP effects on permissions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions).