FAQ

Can you explain the pricing in more detail?

Three dimensions are important: bucketAV Software, AWS Infrastructure, and S3 API.

bucketAV Software:

AWS Infrastructure: The main cost driver is the number of EC2 instances running to scan your files. By default, one m5.large instance is allowed to run. Besides that, you also pay the usual AWS charges for EBS, SNS, SQS, and CloudWatch.

S3 API: AWS charges for every API call made to the S3 service. Typical API calls are: GetObject, DeleteObject, GetObjectTagging, and PutObjectTagging. Keep in mind that you also pay a monthly fee for every tag.

You only pay for bucketAV while EC2 instances are running. As soon as you uninstall bucketAV, you stop paying for it.

Use the pricing page to calculate your costs.

What’s the maximum file size supported?

bucketAV powered by ClamAV® can scan files up to 2 GB in size. The file has to fit into memory as well. Our recommended instance type m5.large comes with enough memory to scan files up to 2 GB in size.

bucketAV powered by Sophos® can scan files up to 5 TB in size, which is the maximum object size supported by S3. Note that the VolumeSize parameter defaults to 32 GiB. Objects are downloaded to the volume so they can be scanned, so make sure to increase the VolumeSize parameter accordingly.

How can I test the solution with an EICAR Standard Anti-Virus Test File?

The EICAR Standard Anti-Virus Test File is the gold standard for testing antivirus solutions. Unfortunately, the antivirus solution on your computer will likely quarantine the EICAR Standard Anti-Virus Test File before you can upload it to S3. The following steps copy an EICAR Standard Anti-Virus Test File into your bucket without it ever touching your local machine.

  1. Open an AWS CloudShell.
  2. Ensure that you are in the correct region where bucketAV runs.
  3. Execute the following commands (replace YOUR_BUCKET_NAME with your S3 bucket name):
    • aws s3 cp s3://bucketav-eicar/clean-delete-me.txt s3://YOUR_BUCKET_NAME
    • aws s3 cp s3://bucketav-eicar/infected-eicar.com s3://YOUR_BUCKET_NAME
  4. Visit the AWS S3 Console.
  5. Open your S3 bucket (the one you used instead of YOUR_BUCKET_NAME).
  6. You will see a single file clean-delete-me.txt. Open the file details to see the clean tag.
  7. The infected-eicar.com file was deleted and is, therefore, not visible.
  8. Delete the clean-delete-me.txt file from your bucket.

How to run an initial full bucket scan?

Learn more.

Is bucketAV available in AWS GovCloud (US)?

Unfortunately, bucketAV is not yet available in GovCloud regions.

I already created an S3 Event Notification; how can I still use bucketAV?

Each bucket can only have one S3 Event notification to inform about newly created files. If multiple systems are interested in this information, two options are available:

  1. EventBridge (recommended; requires bucketAV powered by ClamAV® version >= 2.9.0 or bucketAV powered by Sophos® version >= 2.0.0)
  2. SNS fan-out approach (requires bucketAV powered by ClamAV® version >= 1.4.0 or bucketAV powered by Sophos® version >= 2.0.0)

EventBridge

Requires bucketAV powered by ClamAV® version >= 2.9.0 or bucketAV powered by Sophos® version >= 2.0.0. To update to the latest version, follow the Update Guide.

Learn more.

SNS fan-out approach

Requires bucketAV powered by ClamAV® version >= 1.4.0 or bucketAV powered by Sophos® version >= 2.0.0. To update to the latest version, follow the Update Guide.

Instead of configuring S3 to send events to SQS, you can create an SNS topic and configure S3 to publish events to the SNS topic. You can add as many subscribers to this topic as you wish. Each subscriber will get a copy of the events published from S3.

If you already have your SNS topic created, you can skip this step. Otherwise, create an SNS topic in the same AWS account and region as your S3 bucket.

  1. Visit the Amazon SNS Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Click on Create topic.
  5. Select Type Standard.
  6. Set a Name.
  7. Open the Access policy box, select Advanced, and enter the following policy:
  • Replace REGION with your AWS Region (e.g., us-east-1; get the value from the top right).
  • Replace ACCOUNT_ID with your AWS account id.
  • Replace TOPIC_NAME with the name of the topic that you created before.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "ACCOUNT_ID"
      }
    }
  }]
}
  1. Click on Create topic to save.
  2. In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region.
  3. Click on the Properties tab.
  4. Scroll down to the Event notifications.
  5. Click on Create event notification.
  6. Set the Event Name (e.g., bucketav) and select the All objects create events event type.
  7. Select the destination SNS topic and choose the SNS Topic that you created before.
  8. Click on Save changes.
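
The access policy in step 7 uses a wildcard principal, so the aws:SourceAccount condition is the only thing that limits who may publish to the topic. The following check is an added example (not bucketAV code) that flags Allow statements with a wildcard principal and no such bound; the account id, topic name, and function names are constructed for illustration.

```python
import json

# Operators that pin a request to a given account or ARN (negated ones do not).
BOUNDING_OPERATORS = {"StringEquals", "ArnEquals", "ArnLike"}
# IAM condition key names are case-insensitive, so compare in lower case.
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def has_source_bound(condition):
    for operator, block in condition.items():
        if operator not in BOUNDING_OPERATORS:
            continue
        for key, values in block.items():
            # A bare "*" value bounds nothing.
            if key.lower() in SOURCE_KEYS and "*" not in as_list(values):
                return True
    return False

def open_statements(policy_text):
    """Return indexes of Allow statements with a wildcard principal and no source bound."""
    statements = as_list(json.loads(policy_text).get("Statement", []))
    return [
        i for i, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow"
        and is_wildcard(stmt.get("Principal"))
        and not has_source_bound(stmt.get("Condition", {}))
    ]

# Constructed samples: the policy from step 7 with placeholder values filled in.
def topic_policy(condition=None):
    stmt = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

PAGE_POLICY = topic_policy({"StringEquals": {"aws:SourceAccount": "111122223333"}})
NO_CONDITION = topic_policy()
NEGATED = topic_policy({"StringNotEquals": {"aws:SourceAccount": "999999999999"}})
```
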

To connect bucketAV to your SNS topic:

  1. Visit the Amazon SNS Console
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Click on the SNS topic that you created before.
  5. Click on Create subscription.
  6. Set the Protocol to Amazon SQS.
  7. Set the Endpoint to the value of the ScanQueueArn output of the bucketAV stack, which you find as follows:
    1. Visit the AWS CloudFormation Console.
    2. Ensure that you are in the correct region.
    3. Navigate to Stacks.
    4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
    5. Click on the Outputs tab.
    6. Use the value next to the output key ScanQueueArn.
  8. Click on Create subscription to save.
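
With the fan-out in place, every other SQS subscriber of the topic receives the S3 event wrapped in an SNS envelope. The following parser is an added example (not bucketAV code) showing how such a subscriber can unwrap it; the function name, bucket, topic, and account id are constructed for illustration.

```python
import json
from urllib.parse import unquote_plus

def created_objects(sqs_body):
    """Return (bucket, key) pairs for object-created events in one SQS message body."""
    doc = json.loads(sqs_body)
    # Default delivery: SNS wraps the S3 event as a JSON string in "Message".
    # With raw message delivery enabled, the body is the S3 event itself.
    if doc.get("Type") == "Notification" and "Message" in doc:
        doc = json.loads(doc["Message"])
    # S3 publishes s3:TestEvent (no Records) when the notification is saved.
    if doc.get("Event") == "s3:TestEvent":
        return []
    found = []
    for record in doc.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        # Keys are URL-encoded in events; a space arrives as "+".
        found.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return found

# Constructed sample data: an upload of "uploads/my report (1).pdf".
S3_EVENT = {"Records": [{
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-bucket"},
           "object": {"key": "uploads/my+report+%281%29.pdf", "size": 1024}},
}]}
ENVELOPE_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Message": json.dumps(S3_EVENT),
})
RAW_BODY = json.dumps(S3_EVENT)
TEST_BODY = json.dumps({
    "Type": "Notification",
    "Message": json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                           "Bucket": "example-bucket"}),
})

if __name__ == "__main__":
    for body in (ENVELOPE_BODY, RAW_BODY, TEST_BODY):
        print(created_objects(body))
```
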

How can I change the instance type?

By default, the InstanceType configuration parameter is set to m5.large. You can reduce costs in small environments or development environments by switching to the t3 or t3a family.

Keep in mind that a larger instance is not the only option to increase the system’s throughput. You can also increase the maximum number of instances scanning your files by increasing the AutoScalingMaxSize configuration parameter!

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. At the top right, click on Update.
  6. In the next step, just click Next.
  7. Change the InstanceType configuration parameter.
  8. Click Next.
  9. In the next step, just click Next.
  10. At the bottom, check “I acknowledge that AWS CloudFormation might create IAM resources.” and click Update stack.
  11. Wait for the stack update to complete.
  12. Terminate all running bucketAV EC2 instances (if you followed the docs, the name is bucketav). The terminated EC2 instances will be replaced within minutes.

How can I receive an email if infected files are found?

Sometimes, it is enough to be notified if infected files are found without sending an email for every infected file. A daily report provides a good summary of the past day.

How can I quarantine infected files?

You can move infected files into a quarantine bucket with the Quarantine infected files Add-On.

How can I move clean files into a secure bucket?

You can move clean files into a target bucket with the Move clean files Add-On.

What reporting capabilities are available?

bucketAV generates daily, weekly, or monthly CSV reports.

How can I keep infected files?

By default, infected files are deleted. You can keep and tag them as infected if you want.

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. At the top right, click on Update.
  6. In the next step, just click Next.
  7. Set the DeleteInfectedFiles configuration parameter to false.
  8. Click Next.
  9. In the next step, just click Next.
  10. At the bottom, check “I acknowledge that AWS CloudFormation might create IAM resources.” and click Update stack.

To move infected files into a quarantine bucket for further investigation, check out the Quarantine infected files Add-On.

Which version am I using?

To find the running version of bucketAV and Add-Ons:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. Click on the Outputs tab.
  6. Check the value next to the output key Version.

Which engine am I using?

To find the running engine of bucketAV:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. Click on the Outputs tab.
  6. Check the value next to the output key Engine. If the value does not exist, you are using ClamAV.

Which delivery method (aka fulfillment option) am I using?

To find the delivery method of bucketAV:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. Click on the Outputs tab.
  6. Check the value next to the output key FulfillmentOption.

| CloudFormation FulfillmentOption output | Delivery Method / Fulfillment Option |
| --- | --- |
| dedicated-public-vpc | Dedicated public VPC |
| dedicated-private-vpc | Dedicated private VPC |
| shared-vpc | Existing VPC |

Does bucketAV work in Cross- / Multi-Account setups?

Yes, learn more.

Does bucketAV support a multi-region setup?

bucketAV needs to be located in the same region as your S3 buckets. If you have buckets in two regions, you can install bucketAV twice (once per region). The reasons for this are:

  1. S3 Event Notifications (required for real-time scanning) only support SQS queues in the same region as the bucket.
  2. Traffic between EC2 and S3 is free in the same region but not cross-region.

How can I be notified if a new release becomes available?

Receive a monthly digest of security updates, new capabilities, and best practices.

Alternatively, subscribe to our Atom feeds.

What does status no mean?

Unscannable files are tagged with no and reported with status no when:

To get more details about why the file is unscannable, check the finding. The finding is reported on the Findings Topic and in the logs.

| Finding | bucketAV powered by ClamAV® | bucketAV powered by Sophos® |
| --- | --- | --- |
| bucketav:too-big | supported | supported |
| bucketav:not-found | supported | supported |
| bucketav:access-denied | supported | supported |
| bucketav:not-downloadable | supported | supported |
| bucketav:corrupted | not supported | supported |
| bucketav:recursion-limit | not supported | supported |
| bucketav:encrypted | not supported | supported |
| Heuristics.Encrypted.* | supported | not supported |
| Heuristics.Limits.Exceeded.* | supported | not supported |

Supported file types?

bucketAV powered by ClamAV® scans all file types which do not exceed the maximum file size of 2 GB. On top of that, bucketAV looks into more details for some file types like PDF, ZIP, Excel, Word, and many more. Check out ClamAV File Types for more details.

bucketAV powered by Sophos® scans all file types and adapts the techniques to detect threats based on file type.

How can I deploy bucketAV with Terraform?

  1. The AWS Marketplace Subscription itself needs to be created manually. Unfortunately, AWS does not provide an API to subscribe to a product today.
  2. In Terraform, use the aws_cloudformation_stack resource to deploy bucketAV. Set the template_url to the S3 URL from the release notes.
  3. In Terraform, use the outputs of the aws_cloudformation_stack resource to access values such as ScanQueueArn.
resource "aws_cloudformation_stack" "bucketav" {
  name         = "bucketav"
  template_url = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/39d58953-9c3f-4b5d-a00c-3df2aa282f32.f1b2767e-c1f5-4d21-a99c-c8cb5b5d5e9b.template" # Powered by ClamAV®
  #template_url = "https://s3.amazonaws.com/awsmp-fulfillment-cf-templates-prod/2b307b6c-8135-4f39-a086-880f7f3ed25e/1a04bf18af5a475d8321fea7121122dc.template" # Powered by Sophos®
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    KeyName = "YOUR_EC2_KEY_NAME" # see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
  }
}

# you can access outputs from CloudFormation like this
output "scan_queue_arn" {
  value = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # check the created CloudFormation stack for a full list of supported outputs
}

Uninstall bucketAV

Uninstalling bucketAV does not delete your files stored on S3.

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. If you use Add-Ons, uninstall them in the same way as described next.
  5. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  6. At the top right, click on Delete.

After deleting the stack, you can cancel your AWS Marketplace subscription:

  1. Visit the AWS Marketplace Console.
  2. Click on the bucketAV subscription.
  3. Click on Actions and Cancel subscription.

Limitations

  • bucketAV powered by ClamAV®: RAR files are not supported and not flagged as infected.

Does bucketAV modify any bucket or object permissions?

No, bucketAV does not modify bucket or object permissions.

How does Immediate zero-day protection work?

The ClamAV engine uses a signature-based approach and only detects malware that ClamAV includes in the signatures database. If new malware appears, the engine will not detect it until the new signature is added to the database.

The Sophos engine combines a signature-based approach with generic malware detection based on Sophos Behavioural Genotype Detection. Even if new malware appears, the chances are high that the engine can still detect it.

Can I use bucketAV with Amazon S3 File Gateway (AWS Storage Gateway)?

We recommend against this configuration because of the following limitations of Amazon S3 File Gateway:

  1. “An object that needs to be accessed by using a file share should only be managed by the gateway. If you directly overwrite or update an object previously written by Amazon S3 File Gateway, it results in undefined behavior when the object is accessed through the file share” (source).
  2. “The file upload notification provides a notification for each individual file that is uploaded to Amazon S3 through S3 File Gateway. S3 event notifications provide notifications that include partial file uploads so there is no way to tell from the S3 event notification that the file upload has completed” (source).

Can I use bucketAV with AWS Transfer Family?

Learn more.

Why is an EC2 Key Pair required?

Unfortunately, AWS Marketplace requires all products to use Key Pairs.

Is bucketAV affected by the Apache Log4j2 Issue (CVE-2021-44228)?

bucketAV uses Amazon Linux 2 underneath. According to AWS, “The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228” (Source).

bucketAV itself does not use Java. Therefore, to our knowledge, bucketAV is not affected and no update is required.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email