

# Monitoring scan statuses and results in Malware Protection for EC2
<a name="malware-protection-scans"></a>

After a malware scan is initiated on an Amazon EC2 instance, GuardDuty provides the status and result fields automatically. You can monitor the status as it transitions and see whether malware was detected. The following table lists the possible values associated with a malware scan.


| Category | Potential values | 
| --- | --- | 
|  Scan status  |  `Running`, `Completed`, `Skipped`, or `Failed`  | 
|  Scan result[*](#scan-result-malwalre-protection-ec2)  |  `Clean` or `Infected`  | 
|  Scan type  |  `GuardDuty initiated` or `On demand`  | 

\*Scan result is populated only when the scan status becomes `Completed`. The scan result `Infected` means that GuardDuty detected the presence of malware.

Scan results for each malware scan have a retention period of 90 days. Choose your preferred access method to track the status of your malware scan.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. In the navigation pane, choose **EC2 malware scans**.

1. You can filter the malware scans by the following **Properties** available in the *filter search bar*. 
   + **Scan ID** – Unique identifier associated with the EC2 malware scan.
   + **Account ID** – AWS account ID where the malware scan initiated.
   + **EC2 instance ARN** – Amazon Resource Name (ARN) of the Amazon EC2 instance associated with the scan.
   + **Scan status** – The scan status of the EBS volume, such as **Running**, **Skipped**, and **Completed**.
   + **Scan type** – Indicates whether this was an On-demand malware scan or a GuardDuty-initiated malware scan.

------
#### [ API/CLI ]
+ After the malware scan has a scan result, use [DescribeMalwareScans](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeMalwareScans.html) to filter the malware scans on the basis of `EC2_INSTANCE_ARN`, `SCAN_ID`, `ACCOUNT_ID`, `SCAN_TYPE`, `GUARDDUTY_FINDING_ID`, `SCAN_STATUS`, and `SCAN_START_TIME`.

  The `GUARDDUTY_FINDING_ID` filter criterion is available when the `SCAN_TYPE` is GuardDuty initiated. 
+ You can change the example *filter-criteria* in the command below. Presently, you can filter on the basis of one `CriterionKey` at a time. The options for `CriterionKey` are `EC2_INSTANCE_ARN`, `SCAN_ID`, `ACCOUNT_ID`, `SCAN_TYPE`, `GUARDDUTY_FINDING_ID`, `SCAN_STATUS`, and `SCAN_START_TIME`.

  You can change the *max-results* (up to 50) and the *sort-criteria*. The `AttributeName` is mandatory and must be `scanStartTime`. 

  In the following example, the values in *red* are placeholders. Replace them with the values appropriate for your account. For example, replace the example `detector-id` *60b8777933648562554d637e0e4bb3b2* with your own valid `detector-id`. If you use the same `CriterionKey` as below, make sure to replace the example `EqualsValue` with your own valid AWS *scan-id*.

  ```
  aws guardduty describe-malware-scans --detector-id 60b8777933648562554d637e0e4bb3b2 --max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' --filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'
  ```
+ The response of this command displays a maximum of one result with details about the affected resource and malware findings (if `Infected`).

------
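
The following Python sketch is an added example, not code from the GuardDuty documentation. It builds a `DescribeMalwareScans` request under the constraints listed in the API/CLI steps above and sorts the returned scans so that a `Skipped`, `Failed`, or still-running scan is never read as `Clean`. The helper names, the response field names (taken from the linked API reference), and the sample scan IDs are assumptions made for the example.

```python
# Keys the page lists, minus SCAN_START_TIME: this sketch only builds the
# EqualsValue condition used in the page's command.
EQUALS_KEYS = {"EC2_INSTANCE_ARN", "SCAN_ID", "ACCOUNT_ID", "SCAN_TYPE",
               "GUARDDUTY_FINDING_ID", "SCAN_STATUS"}

def build_request(detector_id, key, value, max_results=50, order="DESC"):
    """Arguments for DescribeMalwareScans, e.g. for boto3's
    client("guardduty").describe_malware_scans(**build_request(...))."""
    if key not in EQUALS_KEYS:
        raise ValueError(f"unsupported CriterionKey: {key}")
    if not 1 <= max_results <= 50:          # page: max-results is up to 50
        raise ValueError("max_results must be between 1 and 50")
    return {
        "DetectorId": detector_id,
        "MaxResults": max_results,
        # AttributeName is mandatory and must be scanStartTime
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": order},
        # exactly one CriterionKey per request
        "FilterCriteria": {"FilterCriterion": [
            {"CriterionKey": key, "FilterCondition": {"EqualsValue": value}}]},
    }

def triage(scans):
    """Bucket scan IDs; a verdict counts only when the status is COMPLETED."""
    buckets = {"infected": [], "clean": [], "running": [], "no_verdict": []}
    for scan in scans:
        status = scan.get("ScanStatus", "").upper()
        result = (scan.get("ScanResultDetails") or {}).get("ScanResult", "").upper()
        if status == "RUNNING":
            name = "running"
        elif status == "COMPLETED" and result in ("INFECTED", "CLEAN"):
            name = result.lower()
        else:  # SKIPPED, FAILED, or COMPLETED with no result: not evidence of CLEAN
            name = "no_verdict"
        buckets[name].append(scan["ScanId"])
    return buckets

# Constructed sample shaped like a DescribeMalwareScans response (IDs are made up).
SAMPLE_RESPONSE = {"Scans": [
    {"ScanId": "scan-1", "ScanStatus": "COMPLETED", "ScanResultDetails": {"ScanResult": "INFECTED"}},
    {"ScanId": "scan-2", "ScanStatus": "COMPLETED", "ScanResultDetails": {"ScanResult": "CLEAN"}},
    {"ScanId": "scan-3", "ScanStatus": "RUNNING"},
    {"ScanId": "scan-4", "ScanStatus": "SKIPPED"},
    {"ScanId": "scan-5", "ScanStatus": "FAILED"},
]}

if __name__ == "__main__":
    print(build_request("60b8777933648562554d637e0e4bb3b2", "SCAN_ID", "123456789012", 1))
    print(triage(SAMPLE_RESPONSE["Scans"]))
```

Scans in the `no_verdict` bucket are the ones to follow up on, because the instance was not actually evaluated.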