Concepts

bucketAV works like this:

  1. A file is uploaded to Amazon S3 or Cloudflare R2, or a bucket scan runs.
  2. A scan job is placed on the Scan Queue.
  3. An EC2 instance from the Scan Fleet fetches the scan job.
  4. The file is downloaded to an EBS volume.
  5. The file is scanned.
  6. The file is tagged as clean or infected (can be disabled, Amazon S3 only).
  7. If infected, the file is deleted (can be disabled).
  8. The scan result is published to the Findings Topic.
  9. The file is removed from the EBS volume.
  10. The scan job is deleted/acknowledged from the Scan Queue.
  11. Optionally, files are quarantined or moved by Add-Ons.

Scan Queue

An Amazon SQS queue implements the Scan Queue. The Scan Queue is the external interface of bucketAV. All scan jobs are submitted to the Scan Queue. Scan jobs are submitted by:

By default, the Scan Queue accepts scan jobs from Amazon S3 Event Notifications, Amazon SNS, and Amazon EventBridge in the same AWS account. Other AWS accounts can be added via the AWSAccountRestriction configuration parameter or AWSOrganizationRestriction configuration parameter.

  • Cloudflare Worker

Dead Letter Queue (DLQ)

An Amazon SQS queue implements the DLQ. If a scan job can not be processed, it is moved to the DLQ. The DLQ is monitored to notify you in case of issues. The recipient is configurable via the InfrastructureAlarmsEmail configuration parameter. Learn more about resolving DLQ issues.

Scan Fleet

The Scan Fleet consists of Amazon EC2 instances managed by an Auto Scaling Group.

  1. bucketAV polls the Scan Queue for scan jobs.
  2. bucketAV downloads the file from Amazon S3 or Cloudflare R2 to an EBS volume.
  3. The file is scanned.
  4. The file is tagged as clean or infected (configurable via the TagFiles configuration parameter, Amazon S3 only).
  5. The file is deleted if infected (configurable via the DeleteInfectedFiles configuration parameter).
  6. The scan result is published to the Findings Topic.
  7. The file is removed from EBS.
  8. The scan job is deleted/acknowledged.
  9. Further mitigation actions such as quarantine or move are triggered.

Auto scaling

bucketAV grows and shrinks the Scan Fleet based on the system’s load.

New EC2 instances are added to the Scan Fleet if the Scan Queue grows. The maximum number of EC2 instances is configurable via the AutoScalingMaxSize configuration parameter.

If the Scan Queue is empty, EC2 instances are removed from the Scan Fleet. The minimum number of EC2 instances is configurable via the AutoScalingMinSize configuration parameter.

Findings Topic

An Amazon SNS topic implements the Findings Topic. Each scan job produces a scan result per file. The scan result contains information about the file, the scan result (e.g., clean or infected), and other metadata. Scan results are published to EventBridge too (disabled by default). Scan results subscribers are:

Add-On

Add-Ons flexibly extend the functionality of bucketAV. bucketAV customers are allowed to use all Add-Ons at no additional charge. AWS infrastructure costs do apply.

Find a list of all Add-Ons.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email