Reporting false positives in GuardDuty Malware Protection - Amazon GuardDuty

Reporting false positives in GuardDuty Malware Protection

GuardDuty Malware Protection scans may identify a harmless file in your Amazon EC2 instance or container workload as being malicious or harmful. To improve your experience with Malware Protection and the GuardDuty service, you can report false positive results if you believe that a file identified as being malicious or harmful during a scan doesn't actually contain malware.

False positive file submission

  1. Log in to the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. When you identify what appears to be a false positive result, contact AWS Support to initiate the process of false positive file submission.

  3. Choose Malware Scans.

  4. Choose a scan to view its Finding ID.

  5. Provide the Finding ID. You must also provide the SHA-256 hash of the file; the hash lets GuardDuty Malware Protection confirm that the file it received is the one the finding refers to.

  6. The AWS Support team will provide you with an Amazon Simple Storage Service (S3) URL that you can use to upload the file and its SHA-256 hash. Inform the AWS Support team after you have successfully uploaded the file.

    Warning

    Do not directly provide the file or SHA-256 hash to AWS Support. You should only upload the file and hash to Amazon S3 through the provided URL. If you fail to upload the file and hash within seven days of receiving the URL, it will become invalid. If the URL becomes invalid, you'll have to reach out to AWS Support to receive a new URL.

    GuardDuty keeps your file for no more than 30 days. GuardDuty team members will analyze your submission and take appropriate steps to improve your experience with Malware Protection and the GuardDuty service.
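The steps above ask for the file's SHA-256 hash alongside the Finding ID, and for the file and hash to be uploaded only through the URL Support provides. The following POSIX shell helpers are an added example, not AWS tooling or part of this page: they compute the digest, write it to a `<file>.sha256` companion file, verify a file against a previously recorded digest before upload, and upload both objects. The upload function assumes Support hands out one presigned S3 URL that accepts an HTTP PUT for the file and a second one for the hash file; that is an assumption, since the page does not describe the URL's mechanics.

```shell
#!/bin/sh
# Added example for preparing a suspected false-positive file for submission.
# Not AWS-provided code. Assumes presigned S3 PUT URLs (an assumption).

# Print the hex SHA-256 digest of a file; falls back to shasum where
# sha256sum (GNU coreutils) is not installed, e.g. on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Write "<digest>  <basename>" to "<file>.sha256" (sha256sum -c format)
# and echo the digest so the caller can record it next to the Finding ID.
write_hash_file() {
  file="$1"
  digest=$(sha256_of "$file")
  printf '%s  %s\n' "$digest" "$(basename "$file")" > "$file.sha256"
  printf '%s\n' "$digest"
}

# Return success only if the file on disk still matches the digest that was
# recorded earlier; guards against uploading a different copy than the one
# the finding was raised on.
verify_hash() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Upload the file and its hash file via the URLs Support provided.
# Placeholder URLs; needs network access and curl, so it is not exercised offline.
upload_submission() {
  file_url="$1"; hash_url="$2"; file="$3"
  curl --fail --silent --show-error --upload-file "$file" "$file_url" &&
    curl --fail --silent --show-error --upload-file "$file.sha256" "$hash_url"
}

# Typical use (placeholders, not real values):
#   digest=$(write_hash_file ./suspect.bin)
#   verify_hash ./suspect.bin "$digest" && \
#     upload_submission "$FILE_PRESIGNED_URL" "$HASH_PRESIGNED_URL" ./suspect.bin
```

Record the digest that `write_hash_file` prints together with the Finding ID before contacting Support; running `verify_hash` immediately before the upload catches the case where the file was modified or replaced between the scan and the submission.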