Reporting false positives in Malware Protection for EC2 - Amazon GuardDuty

Reporting false positives in Malware Protection for EC2

GuardDuty Malware Protection for EC2 scans may identify a harmless file in your Amazon EC2 instance or container workload as being malicious or harmful. To improve your experience with Malware Protection for EC2 and the GuardDuty service, you can report false positive results if you believe that a file identified as being malicious or harmful during a scan doesn't actually contain malware.

To report an Amazon EC2 malware scan result as false positive

To initiate the process, contact AWS Support. Use the following steps to provide details about the scanned S3 object:

  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. Choose EC2 malware Scans.

  3. Choose a scan to view its Finding ID.

  4. Provide the Finding ID. You must also provide the SHA-256 hash of the file. This is required to ensure that GuardDuty Malware Protection for EC2 has received the correct file.

  5. The AWS Support team will provide you with an Amazon Simple Storage Service (Amazon S3) presigned URL that you can use to upload the potentially malicious file and its SHA-256 hash. For the upload steps, see Uploading objects with presigned URLs in the Amazon S3 User Guide.

    Warning

    You must upload the required details within seven days of receiving the presigned URL. The URL becomes invalid after seven days. If you miss this seven-day window, reach out to AWS Support to request a new presigned URL. Don't provide the potentially malicious file or SHA-256 hash directly to AWS Support.

  6. After you have uploaded the file, inform the AWS Support team.

    AWS Support will provide an acknowledgment after receiving the file. The GuardDuty service team will analyze your submission and take appropriate steps to improve your experience with Malware Protection for EC2 and the GuardDuty service. The AWS Support team will continue to provide status updates on your case. GuardDuty keeps your uploaded S3 object for no more than 30 days.
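The following is an added example (not code from the GuardDuty documentation or AWS) for steps 4 and 5: it computes the SHA-256 that AWS Support asks for, refuses to upload if that hash differs from the one recorded in the finding, writes a sidecar hash file, and uploads with HTTP PUT. The PUT form of the presigned URL and the `expected_sha256` parameter are assumptions; use whatever URL form AWS Support actually sends you.

```python
import hashlib
import urllib.request
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large files are not held in memory


def sha256_of_file(path: str) -> str:
    """Return the lowercase hex SHA-256 of the file at `path`."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_hash_sidecar(path: str) -> str:
    """Write `<file>.sha256` beside the file in sha256sum format; return its path."""
    name = Path(path).name
    sidecar = Path(path).with_name(name + ".sha256")
    sidecar.write_text(f"{sha256_of_file(path)}  {name}\n")
    return str(sidecar)


def upload_via_presigned_put(presigned_url: str, path: str, expected_sha256: str) -> int:
    """PUT `path` to a presigned URL (assumed PUT form) and return the HTTP status.

    The hash check runs before any network call, so a file that is not the one
    GuardDuty flagged (wrong copy, modified since the scan) is never uploaded.
    """
    actual = sha256_of_file(path)
    if actual != expected_sha256.lower():
        raise ValueError(f"hash mismatch: finding says {expected_sha256}, file is {actual}")
    with open(path, "rb") as fh:
        req = urllib.request.Request(presigned_url, data=fh, method="PUT")
        # Explicit length and a neutral content type keep the request simple to sign.
        req.add_header("Content-Length", str(Path(path).stat().st_size))
        req.add_header("Content-Type", "application/octet-stream")
        with urllib.request.urlopen(req) as resp:
            return resp.status


if __name__ == "__main__":
    import sys  # usage: script.py <file> <presigned-url> <sha256-from-finding>
    file_path, url, finding_hash = sys.argv[1:4]
    print("sidecar:", write_hash_sidecar(file_path))
    print("status:", upload_via_presigned_put(url, file_path, finding_hash))
```

Upload the sidecar file the same way if AWS Support gives you a second presigned URL for the hash.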