

# On-demand malware scan in GuardDuty
<a name="on-demand-malware-scan"></a>

On-demand malware scan helps you detect the presence of malware on Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 instances. With no configuration needed, you can start an on-demand malware scan by providing the Amazon Resource Name (ARN) of the Amazon EC2 instance that you want to scan. You can start an on-demand malware scan either through the GuardDuty console or API. Before initiating an on-demand malware scan, you can set your preferred [Snapshots retention](malware-protection-customizations.md#mp-snapshots-retention) setting. The following scenarios can help you identify when to use the On-demand malware scan type with GuardDuty:
+ You want to detect the presence of malware in your Amazon EC2 instances without enabling GuardDuty-initiated malware scan.
+ You have enabled GuardDuty-initiated malware scan and a scan was invoked automatically. After following the recommended remediation for the generated Malware Protection for EC2 finding type, if you want to start a scan on the same resource, you can start an on-demand malware scan after 1 hour has passed from the previous scan start time.

  On-demand malware scan doesn't require that 24 hours have passed from the time the previous malware scan was started. One hour should have passed before initiating an On-demand malware scan on the same resource. To avoid duplicating a malware scan on the same EC2 instance, see [Re-scanning previously scanned Amazon EC2 instance](initiate-on-demand-scan-on-same-resource.md).

**Note**  
On-demand malware scan is not included in the 30-day free trial period with GuardDuty. The usage cost applies to the total Amazon EBS volume scanned for each malware scan. For more information, see [Amazon GuardDuty pricing](https://aws.amazon.com/guardduty/pricing/#Pricing_by_region). For information about the cost of creating the Amazon EBS volume snapshots and their retention, see [Amazon EBS pricing](https://aws.amazon.com/ebs/pricing/).

## How On-demand malware scan works
<a name="how-odmalscan-works-in-gdu"></a>

With On-demand malware scan, you can start a malware scan request for your Amazon EC2 instance even when it is currently in use. After you start an On-demand malware scan, GuardDuty creates snapshots of the Amazon EBS volumes attached to the Amazon EC2 instance whose Amazon Resource Name (ARN) was provided for the scan. Next, GuardDuty shares these snapshots with the [GuardDuty service account](gdu-service-account-region-list.md). GuardDuty creates encrypted replica EBS volumes from those snapshots in the GuardDuty service account. For more information about how the Amazon EBS volumes are scanned, see [How GuardDuty scans EBS volumes for malware detection](guardduty_malware_protection-ebs-volume-data.md). 

**Note**  
GuardDuty creates the snapshots of the data that has already been written to the Amazon EBS volumes at the point-in-time when you start an On-demand malware scan.

If malware is found and you've enabled the snapshots retention setting, the snapshots of your EBS volume are automatically retained in your AWS account. On-demand malware scan generates the [Malware Protection for EC2 finding types](findings-malware-protection.md). If malware is not found, then regardless of the snapshots retention setting, the snapshots of your EBS volumes are deleted.

GuardDuty uses a global tag key, `GuardDutyExcluded`, that you can add to your Amazon EC2 resources with the tag value set to `true`. An Amazon EC2 resource that has this tag key and value pair is excluded from the malware scan. Both scan types (GuardDuty-initiated malware scan and On-demand malware scan) honor the global tag. If you start an on-demand malware scan on an excluded Amazon EC2 instance, a scan ID is still generated, but the scan is skipped with an `EXCLUDED_BY_SCAN_SETTINGS` reason. For more information, see [Reasons for skipping resource during malware scan](malware-protection-auditing-scan-logs.md#mp-scan-skip-reasons).

# Starting On-demand malware scan in GuardDuty
<a name="malware-protection-getting-started-on-demand-scan"></a>

This section provides a list of prerequisites before initiating an on-demand malware scan and steps to start the scan on a resource for the first time.

As a GuardDuty administrator account, you can start an on-demand malware scan on behalf of your active member accounts that have the following prerequisites set up in their accounts. Standalone accounts and active member accounts in GuardDuty can also start an on-demand malware scan for their own Amazon EC2 instances.

## Prerequisites
<a name="prerequisites-on-demand-malware-scan"></a>

Before you start an On-demand malware scan, your account must meet the following prerequisites:
+ GuardDuty must be enabled in the AWS Regions where you want to start the on-demand malware scan.
+ Ensure that the [AWS managed policy: AmazonGuardDutyFullAccess v2 (recommended)](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonGuardDutyFullAccess-v2) is attached to the IAM user or the IAM role. You will need the access key and secret key associated with the IAM user or the IAM role.
+ As a delegated GuardDuty administrator account, you have the option to start an on-demand malware scan on behalf of an active member account. 
+ Before you start an on-demand malware scan, make sure that no scan was started on the same resource in the past 1 hour; otherwise, it will be de-duped. For more information, see [Re-scanning previously scanned Amazon EC2 instance](initiate-on-demand-scan-on-same-resource.md).
+ If you're a member account that doesn't have the [Service-linked role permissions for Malware Protection for EC2](slr-permissions-malware-protection.md), then initiating an on-demand malware scan for an Amazon EC2 instance that belongs to your account automatically creates the SLR for Malware Protection for EC2.

**Important**  
Ensure that no one deletes the [SLR permissions for Malware Protection for EC2](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions-malware-protection.html#delete-slr) while a malware scan is still in progress, whether that scan was started by GuardDuty or started on-demand. Deleting the SLR prevents the scan from completing successfully and from providing a definitive scan result.

## Start On-demand malware scan
<a name="malware-protection-initiate-on-demand-malware-scan"></a>

You can start an on-demand malware scan in your account through the GuardDuty console or by using the AWS CLI. You will need to provide the Amazon Resource Name (ARN) of the Amazon EC2 instance for which you want to start the scan. The following section gives the detailed steps for both the console and the API/AWS CLI.

Choose your preferred access method to start an on-demand malware scan.

------
#### [ Console ]

1. Open the GuardDuty console at [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/).

1. Start the scan using one of the following options:

   1. Using the **Malware Protection for EC2** page:

      1. In the navigation pane, under **Protection plans**, choose **Malware Protection for EC2**.

1. On the **Malware Protection for EC2** page, provide the **Amazon EC2 instance ARN**¹ for which you want to start the scan.

   1. Using the **Malware Scans** page:

      1. In the navigation pane, choose **Malware Scans**.

1. Choose **Start on-demand scan** and provide the **Amazon EC2 instance ARN**¹ for which you want to start the scan.

      1. If this is a re-scan, select an **Amazon EC2** instance ID on the **Malware Scans** page.

         Expand the **Start on-demand scan** dropdown and choose **Re-scan selected instance**.

1. After you successfully start a scan using either method, a scan ID gets generated. You can use this scan ID to track the progress of the scan. For more information, see [Monitoring malware scan statuses and results](malware-protection-scans.md).

------
#### [ API/CLI ]

Invoke [StartMalwareScan](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_StartMalwareScan.html), which accepts the `resourceArn` of the Amazon EC2 instance¹ for which you want to start an on-demand malware scan.

```
aws guardduty start-malware-scan --resource-arn "arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f"
```

After you successfully start a scan, `StartMalwareScan` returns a `scanId`. Invoke [DescribeMalwareScans](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeMalwareScans.html) to monitor the progress of the started scan.
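The `StartMalwareScan` / `DescribeMalwareScans` flow, as a worked example added here (not the guide's own code): it applies the one-hour re-scan rule before calling `StartMalwareScan`, falls back to the error message the service returns if another scan started in the meantime, and reads the scan status back, including a skip reason such as `EXCLUDED_BY_SCAN_SETTINGS`. Assumptions: `client` is a `boto3.client("guardduty")`, `detector_id` is your detector in the Region being scanned, and the skip reason is reported in the scan's `FailureReason` field.

```python
from datetime import datetime, timedelta, timezone

RESCAN_INTERVAL = timedelta(hours=1)   # one hour since the previous scan's start time
RECENT_SCAN_MSG = "A scan was started on this resource recently"


def scan_filter(key, value):
    # FilterCriteria for DescribeMalwareScans: one criterion, exact match
    return {"FilterCriterion": [{"CriterionKey": key,
                                 "FilterCondition": {"EqualsValue": value}}]}


def latest_scan_start(client, detector_id, instance_arn):
    # Most recent ScanStartTime for this instance (any scan type), or None if never scanned
    resp = client.describe_malware_scans(
        DetectorId=detector_id,
        FilterCriteria=scan_filter("EC2_INSTANCE_ARN", instance_arn))
    return max((s["ScanStartTime"] for s in resp.get("Scans", [])), default=None)


def start_on_demand_scan(client, detector_id, instance_arn, now=None):
    # Returns the new scanId, or None when the request would be (or was) de-duplicated
    now = now or datetime.now(timezone.utc)
    last = latest_scan_start(client, detector_id, instance_arn)
    if last is not None and now - last < RESCAN_INTERVAL:
        return None                                  # client-side pre-check
    try:
        return client.start_malware_scan(ResourceArn=instance_arn)["ScanId"]
    except Exception as err:                         # race: a scan started since we looked
        if RECENT_SCAN_MSG in str(err):              # message text from the service error
            return None
        raise


def scan_outcome(client, detector_id, scan_id):
    # (status, detail): detail is CLEAN/INFECTED, a skip/failure reason, or None while RUNNING
    resp = client.describe_malware_scans(
        DetectorId=detector_id, FilterCriteria=scan_filter("SCAN_ID", scan_id))
    scan = resp["Scans"][0]
    status = scan["ScanStatus"]
    if status == "COMPLETED":
        return status, scan["ScanResultDetails"]["ScanResult"]
    if status in ("SKIPPED", "FAILED"):
        # assumption: the skip reason (e.g. EXCLUDED_BY_SCAN_SETTINGS) is in FailureReason
        return status, scan.get("FailureReason")
    return status, None
```

Call `start_on_demand_scan` once and poll `scan_outcome` until the status is no longer `RUNNING`; a `SKIPPED` result with `EXCLUDED_BY_SCAN_SETTINGS` means the instance carries the `GuardDutyExcluded` tag.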

------

¹For information about the format of your Amazon EC2 instance ARN, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For Amazon EC2 instances, you can use the following example ARN format by replacing the values for the partition, Region, AWS account ID, and Amazon EC2 instance ID. For information about the length of your instance ID, see [Resource IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html).

```
arn:aws:ec2:us-east-1:555555555555:instance/i-b188560f
```

### AWS Organizations service control policy – Denied access
<a name="malware-protection-on-demand-scan-org-scp"></a>

Using [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in AWS Organizations, the delegated GuardDuty administrator account can restrict permissions and deny actions such as initiating an on-demand malware scan for Amazon EC2 instances owned by your accounts.

As a GuardDuty member account, when you start an on-demand malware scan for your Amazon EC2 instances, you may receive an error. You can connect with the management account to understand why an SCP was set up for your member account. For more information, see [SCP effects on permissions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions).

# Re-scanning previously scanned Amazon EC2 instance
<a name="initiate-on-demand-scan-on-same-resource"></a>

Whether a scan is GuardDuty-initiated or started on-demand, you can start a new on-demand malware scan on the same Amazon EC2 instance 1 hour after the start time of the previous malware scan. If you request a new malware scan within 1 hour of the start of the previous malware scan, the request results in the following error, and no scan ID is generated for the request.

`A scan was started on this resource recently. You can request a scan on the same resource one hour after the previous scan start time.`

The steps to re-scan the instance remain the same as starting an on-demand malware scan for the first time. For information about the steps, see [Start On-demand malware scan](malware-protection-getting-started-on-demand-scan.md#malware-protection-initiate-on-demand-malware-scan).

To track the status of the malware scans, see [Monitoring scan statuses and results in Malware Protection for EC2](malware-protection-scans.md).