Month in Review - November 2025
More than 1,600 customers use bucketAV to scan their S3 buckets for viruses, trojans, ransomware, and other kinds of malware. We would like to thank you for your trust and loyalty. Special thanks go to all customers who share their feedback with us. This feedback is essential for us to be able to further develop bucketAV. In the following, we summarize what happened at bucketAV in November 2025.
Releases
Here is a list of all releases that we shipped in November 2025.
- bucketAV for Amazon S3 powered by Sophos®: v3.0.0
- bucketAV for Amazon S3 powered by ClamAV®: v3.0.0
- bucketAV for Cloudflare R2 powered by Sophos®: v3.0.0
- bucketAV for Cloudflare R2 powered ClamAV®: v3.0.0
Follow the update guide to upgrade your installation of bucketAV to the latest version.
Breaking Changes v3
Note that this is a major release with the following breaking changes.
First, we removed two options from the CapacityStrategy configuration parameter. In case you have used SpotOnlyWithoutAlternativeInstanceType or SpotWithoutAlternativeInstanceTypeWithOnDemandFallback you have to take action during the update. To keep the current behavior, modify the configuration parameters as follows.
| Old Value (CapacityStrategy) | New Value (CapacityStrategy) | New Value (AlternateInstanceType1..3) |
|---|---|---|
SpotOnlyWithoutAlternativeInstanceType | SpotOnly | Disabled |
SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | SpotWithOnDemandFallback | Disabled |
However, we encourage you to configure alternate instance types to increase the availability of spot instances and to minimize spot interruptions. To do so, please choose instance types for the configuration parameters AlternateInstanceType1, AlternateInstanceType2, and AlternateInstanceType3.
Second, we introduced three new parameters named AlternateInstanceType1, AlternateInstanceType2, and AlternateInstanceType3. We highly encourage you to configure alternate instance types when using the capacity strategies SpotOnly or SpotWithOnDemandFallback. Ensure you pick instance types that are available in the AWS region of your choice.
Third, we are removing the formerly deprecated configuration parameters CloudWatchIntegration, OpsCenterIntegration, and SecurityHubIntegration.
The CloudWatch integration is enabled by default. In case you rely on the OpsCenter or Security Hub integration, please check the following integrations.
Fourth, not exactly a breaking change but an important one is that we are expanding bucketAV’s footprint from two to three availability zones. Except for us-west-1 where only two availability zones are available for most customers.
Keep those breaking changes in mind when updating to major version 3.
Spot Instance Availability and Interruptions
Utilizing EC2 spot instances is key when it comes to keeping the infrastructure costs for bucketAV a minimum. Unfortunately, the availability of spot instances is low for some instance types in certain availability zones. That causes issues, for example, when CloudFormation orchestrates a rolling update of the EC2 instances during an update of bucketAV. Moreover, the likelihood of spot interruptions increased dramatically during the past weeks. We observe that up to 20% of spot instances are getting interrupted, which causes delays for some scan jobs.
Therefore, we are making two changes with the goal to increase the availability of spot instances as well as to reduce the number of spot interruptions.
- New configuration parameters
AlternateInstanceType1,AlternateInstanceType2, andAlternateInstanceType3allow you to define alternate instance types. The more instance types you define, the higher the chances that the auto-scaling group can launch a new spot instance. - Adding a 3rd availability zone. We are expanding the footprint of bucketAV from two to three availability zones. Doing so allows the auto-scaling group to launch spot instances in availability zones with less demand.
Please note, bucketAV uses three availability zones in all regions except for us-west-1 only two availability zones are used. That’s because only two availability zones are available for most customers in us-west-1. When using the fulfillment option Existing VPC, we recommend that you configure three subnets spanning three availability zones.
When selecting EC2 instance types, keep in mind that not all instance families are available in all regions. Also, configure unique instance types for the configuration parameters InstanceType, AlternateInstanceType1, AlternateInstanceType2, and AlternateInstanceType3. It is possible to disable alternate instance types with the Disabled value.
Dedicated private VPC without NAT Gateway
The VPC configuration for bucketAV for Amazon S3 powered by Sophos no longer includes public subnets and NAT gateways. All required endpoints are available through VPC endpoints. This change simplifies the networking architecture, reduces costs, and allows 100% control of outbound network connectivity.
Due to technical limitations the VPC configuration for bucketAV ClamAV and bucketAV for Cloudflare R2 still require public subnets and NAT gateways.
New region: ap-southeast-6
bucketAV powered by ClamAV adds support for the new AWS region ap-southeast-6 (Asia Pacific (New Zealand)). Due to restrictions caused by the AWS Marketplace, we cannot release ap-southeast-6 support for bucketAV powered by Sophos.
What’s next?
We are planning to work on the following features and improvements within the next few weeks.
- Update to ClamAV 1.5.1
- Upgrade to AWS SDK v3
- Show failed scheduled scans in the CloudWatch dashboard.
Feedback
We would appreciate your feedback to help us improve bucketAV. What feature do you miss? What is particularly important to you when it comes to protecting Amazon S3 and Cloudflare R2 from malware? hello@bucketav.com
Published on December 1, 2025 | Written by Andreas