GuardDuty On Demand Malware Scan Running for Days

0

I initiated a GuardDuty on-demand malware scan on an EC2 instance, but it has had the status of "running" for 6 days. I was able to successfully run scans on other EC2 instances, and those ones completed. I tried running a second scan on the target EC2 instance, but that one also got stuck on the status of "running". I am trying to (1) identify why the scan won't complete, and (2) stop it from continuing to run if it is permanently stuck.

asked 10 days ago, 49 views
2 Answers
0

There are a few potential reasons why the GuardDuty on-demand malware scan might be stuck in the "running" state for an extended period on a specific EC2 instance:

  1. Instance Characteristics: The instance might have certain characteristics that are causing the scan to take longer than expected, such as a large amount of data, high CPU utilization, or limited network bandwidth. This could cause the scan to take an extended time to complete.

  2. Networking Issues: There could be networking issues between the EC2 instance and the GuardDuty service, which could prevent the scan from completing successfully. This could be due to firewall rules, network ACLs, or other network configuration issues.

  3. Service Availability: There may be temporary service disruptions or high demand on the GuardDuty service, which could cause the scan to take longer to complete or get stuck.

  4. Instance State: If the EC2 instance is in a specific state, such as stopping or stopped, the scan may not be able to complete successfully.

To troubleshoot this issue, you can try the following steps:

  1. Check the EC2 Instance: Ensure that the EC2 instance is in a healthy state and not experiencing any issues, such as high CPU utilization or network problems.

  2. Check the Network Configuration: Verify that the network configuration, including firewall rules and network ACLs, is not preventing the GuardDuty service from accessing the EC2 instance.

  3. Check the GuardDuty Service Status: Check the AWS Service Health Dashboard to see if there are any ongoing issues or disruptions with the GuardDuty service that could be impacting the scan.

  4. Stop the Scan: If the scan appears to be permanently stuck, you can try to stop it. To do this, you can use the stop-activity action in the AWS CLI or the GuardDuty API. This will cancel the ongoing scan and free up the EC2 instance for future scans.

Here's an example of how to stop the scan using the AWS CLI:

aws guardduty stop-activity --detector-id <detector_id> --finding-id <finding_id>

Replace <detector_id> with the ID of your GuardDuty detector, and <finding_id> with the ID of the specific finding that is stuck in the "running" state.

After stopping the scan, you can try running a new on-demand malware scan on the EC2 instance to see if it completes successfully. If the issue persists, you may need to further investigate the instance or network configuration to identify the root cause.

AWS
JonQ
answered 10 days ago
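Before treating a scan as permanently stuck, the first thing worth doing is to list the detector's malware scans and measure how long each one in the RUNNING state has actually been going, so that a scan that is merely slow on a large instance can be told apart from one that has not moved for days. The script below is an added example, not code from the answer above or from AWS. It parses the JSON that `aws guardduty describe-malware-scans --detector-id <detector_id>` prints (DescribeMalwareScans is a real GuardDuty API); the embedded sample response, scan IDs and instance ARNs are constructed placeholders, and the 24-hour default threshold is an assumed cut-off, not a documented GuardDuty limit.

```python
"""Flag GuardDuty malware scans that have stayed RUNNING longer than a threshold.

Typical use (assumed workflow, not an AWS-documented one):
    aws guardduty describe-malware-scans --detector-id <detector_id> > scans.json
    python check_scans.py scans.json
With no argument the constructed SAMPLE_RESPONSE below is analysed instead.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of a DescribeMalwareScans response.
# Detector ID, scan IDs and instance ARNs are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({
    "Scans": [
        {
            "DetectorId": "EXAMPLE_DETECTOR_ID",
            "ScanId": "EXAMPLE_SCAN_ID_1",
            "ScanStatus": "RUNNING",
            "ScanStartedAt": "2024-05-01T09:00:00+00:00",
            "ScanType": "ON_DEMAND",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0EXAMPLE1"},
        },
        {
            "DetectorId": "EXAMPLE_DETECTOR_ID",
            "ScanId": "EXAMPLE_SCAN_ID_2",
            "ScanStatus": "COMPLETED",
            "ScanStartedAt": "2024-05-06T10:00:00+00:00",
            "ScanEndedAt": "2024-05-06T10:25:00+00:00",
            "ScanType": "ON_DEMAND",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0EXAMPLE2"},
        },
        {
            "DetectorId": "EXAMPLE_DETECTOR_ID",
            "ScanId": "EXAMPLE_SCAN_ID_3",
            "ScanStatus": "RUNNING",
            "ScanStartedAt": "2024-05-07T08:30:00+00:00",
            "ScanType": "GUARDDUTY_INITIATED",
            "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0EXAMPLE3"},
        },
    ]
})

# Fixed "current time" used for the sample data so results are reproducible.
SAMPLE_NOW = datetime(2024, 5, 7, 9, 0, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp as the CLI prints it; accepts a trailing 'Z' too."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:          # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def find_stuck_scans(response_json, now, max_age_hours=24.0, instance_arn=None):
    """Return RUNNING scans older than max_age_hours, longest-running first.

    max_age_hours=24 is an assumed threshold (assumption, not a GuardDuty limit).
    instance_arn, when given, narrows the result to a single EC2 instance.
    """
    scans = json.loads(response_json).get("Scans", [])
    stuck = []
    for scan in scans:
        if scan.get("ScanStatus") != "RUNNING":
            continue                                # COMPLETED/FAILED/SKIPPED are not stuck
        arn = scan.get("ResourceDetails", {}).get("InstanceArn")
        if instance_arn and arn != instance_arn:
            continue
        age_hours = (now - parse_timestamp(scan["ScanStartedAt"])).total_seconds() / 3600
        if age_hours > max_age_hours:
            stuck.append({
                "ScanId": scan.get("ScanId"),
                "ScanType": scan.get("ScanType"),
                "InstanceArn": arn,
                "RunningHours": round(age_hours, 1),
            })
    stuck.sort(key=lambda s: -s["RunningHours"])
    return stuck


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            raw, now = fh.read(), datetime.now(timezone.utc)
    else:
        raw, now = SAMPLE_RESPONSE, SAMPLE_NOW
    for s in find_stuck_scans(raw, now):
        print(f"{s['ScanId']}  {s['ScanType']:<20} {s['InstanceArn']}  running {s['RunningHours']}h")
```

Against the sample data this reports only EXAMPLE_SCAN_ID_1, which has been RUNNING for 144 hours, and ignores the scan that started half an hour ago. Passing the stuck instance's ARN as `instance_arn` limits the report to the one instance from the question, and comparing `ScanStartedAt` across repeated runs shows whether a second scan was queued while the first was still open.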
0

aws guardduty stop-activity is not an available command.

AWS CLI version:

aws-cli/2.15.40 Python/3.11.8 Darwin/20.5.0 exe/x86_64 prompt/off

GuardDuty API documentation also does not mention a StopActivity endpoint. https://docs.aws.amazon.com/guardduty/latest/APIReference/Welcome.html

M
answered 9 days ago
