How to work around the limitations of GuardDuty Malware Protection for S3?
In July 2024, AWS released GuardDuty Malware Protection for Amazon S3. We’ve compared GuardDuty with our solution to scan Amazon S3 and Cloudflare R2 for malware and viruses before (see Amazon GuardDuty Malware Protection for S3 versus bucketAV). In this blog post, we explain the limitations of GuardDuty Malware Protection for S3 (see Quotas in Malware Protection for S3) and how bucketAV works around these limitations.
Maximum S3 object size
GuardDuty scans S3 objects up to a file size of 5 GB. If the file is larger than 5 GB, then GuardDuty will skip the file.
Do you need to scan S3 objects larger than 5 GB for viruses and malware? Use bucketAV powered by Sophos, which supports scanning files up to 5 TB.
Extracted archive bytes
When it comes to scanning archived files like ZIP, TAR, RAR, 7Z, etc., GuardDuty scans extracted data up to 5 GB. In other words, archives uploaded to S3 that are larger than 5 GB after unzipping cannot be scanned.
Do you need to scan larger archived files? Use bucketAV powered by Sophos, which is only limited by the provisioned EBS storage configured by you.
Extracted archive files
GuardDuty extracts up to 1,000 files from an archive file to scan for viruses and malware. If the archive contains more than 1,000 files, then GuardDuty will skip the archived file.
In contrast, bucketAV powered by Sophos scans all files in an archive file, regardless of the number of files in the archive. Note that there is a limit on the archive depth level (see next section).
Maximum archive depth levels
When scanning nested archives, GuardDuty extracts and scans data up to a depth level of 5.
To scan nested archives beyond 5 levels, use bucketAV powered by Sophos instead, which supports scanning nested archives up to a depth level of 100.
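A pre-check for the four per-object quotas described above, as an added example that is not bucketAV or AWS code: it reads a ZIP's headers and reports which limit the object exceeds, so uploads that GuardDuty would skip can be flagged. It handles ZIP only and assumes that 5 GB means 5 GiB, that the outermost archive is depth level 1, and that file and byte counts accumulate across nested archives; all function and parameter names are hypothetical.

```python
import io
import zipfile

GB = 1024**3  # assumption: the post's "5 GB" is read as 5 GiB


def quota_violations(blob, max_object=5 * GB, max_extracted=5 * GB,
                     max_files=1000, max_depth=5):
    """Return the quotas a ZIP object exceeds (empty set: within all limits)."""
    if len(blob) > max_object:
        return {"object_bytes"}
    hit, totals = set(), {"files": 0, "bytes": 0}

    def walk(data, level):
        # Assumption: the outermost archive is depth level 1.
        if level > max_depth:
            hit.add("depth")
            return  # never unpack past the limit
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                totals["files"] += 1
                totals["bytes"] += info.file_size  # declared uncompressed size
                if totals["files"] > max_files:
                    hit.add("archive_files")
                if totals["bytes"] > max_extracted:
                    hit.add("extracted_bytes")
                # Only a nested archive is read into memory, and only while
                # every running total is still inside its limit.
                if not hit and info.filename.lower().endswith(".zip"):
                    walk(zf.read(info), level + 1)
                if hit:
                    return  # one exceeded quota already decides the outcome

    walk(blob, 1)
    return hit


def make_zip(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

An empty result means the object is within all four limits under the stated assumptions; any returned name marks an object to route to a different scanner or to review manually.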
Maximum protected buckets
GuardDuty protects up to 25 S3 buckets per account and region. But what if you need to protect more than 25 buckets?
Use bucketAV powered by Sophos instead, which supports scanning all the buckets in your account in real-time, scheduled, or on-demand.
Summary
GuardDuty Malware Protection for S3 is a great service, but it has some limitations. If you need to scan files larger than 5 GB, archived files with more than 5 GB extracted data, more than 1,000 files in an archive, nested archives beyond 5 levels, or protect more than 25 buckets, then use bucketAV powered by Sophos instead.
Published on March 4, 2025 | Written by Andreas