Reports

Reports are an essential pillar of your data security strategy for several reasons:

  • Compliance: Reports demonstrate compliance with security regulations and standards.
  • Trend analysis: Reports help to analyze trends in malware detections and to identify patterns in infected files. This can help organizations to better understand the type of malware they are dealing with and to develop more effective defense strategies.
  • Evidence gathering: In the event of a security breach, reports can provide valuable evidence to help identify the breach’s source and support investigations.
  • Auditing: Reports can be used to perform regular security audits, allowing organizations to identify vulnerabilities and take corrective action.

bucketAV reports are delivered via email and contain the following information:

  • Statistics about scanned files: Number of files scanned, % of clean files, % of infected files, and % of unscannable files.
  • Top 10 threats.
  • CSV reports include all files or only infected and unscannable files.
  • Operational alarms to signal if bucketAV needs your attention.

Example report

The following shows an example report:

Reporting period: 2023-01-30 - 2023-02-05
AWS Region: eu-west-1
AWS Account ID: ***151466***
bucketAV Stack Name: bucketav
Add-On Stack Name: bucketav-reporting


==================================================
Overview
==================================================

358 scanned
49.16% clean
48.88% infected
1.96% unscannable


==================================================
Top 10 infections
==================================================

56x Win.Test.EICAR_HDB-1
35x Doc.Malware.Prince-6784184-0
7x Doc.Dropper.Agent-6460256-0
7x Doc.Dropper.Agent-6496090-0
7x Xls.Dropper.Agent-7505951-0
7x Doc.Dropper.Agent-6361752-0
7x Doc.Dropper.Agent-6507997-0
7x Doc.Dropper.Agent-6997781-0
7x Doc.Dropper.Agent-6488415-0
7x Doc.Dropper.Agent-6609394-0


==================================================
Top 10 buckets
==================================================

bucketav-demo
307 scanned
49.19% clean
48.86% infected
1.95% unscannable

bucketav-demo2
51 scanned
49.02% clean
49.02% infected
1.96% unscannable


==================================================
CSV reports
==================================================

The following CSV reports are available for 27 days:
Infected & unscannable files: <Link to Amazon S3>
All files: <Link to Amazon S3>

CSV example

The following columns are available:

  • timestamp: ISO 8601 format
  • bucket: Name of S3 bucket
  • key: Object key
  • version: Object version or null for unversioned buckets
  • status: clean, infected, no
  • action: delete, tag, no
  • finding: The type of malware detected or Unknown

The following shows an example data set:

"timestamp","bucket","key","version","status","action","finding"
"2023-01-30T20:19:00.051Z","bucketav-demo","clean.xlxs","null","clean","tag","Unknown"
"2023-01-30T20:19:23.674Z","bucketav-demo","infected.pdf","null","infected","delete","Win.Test.EICAR_HDB-1"
"2023-01-31T20:20:10.074Z","bucketav-demo","encrypted.pdf","null","no","tag","Heuristics.Encrypted.PDF"

Setup

Requires bucketAV powered by ClamAV® version >= 1.7.0 or bucketAV powered by Sophos® version >= 2.0.0. To update to the latest version, follow the Update Guide.

The ReportCleanFiles configuration parameter must be set to true.

Install Add-On (requires a running bucketAV installation)

  1. Set the Stack name to bucketav-reporting.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the ReportReceiver1 parameter to your email address.
  4. By default, the ReportingFrequency is set to weekly. Change that if needed.
  5. Select I acknowledge that AWS CloudFormation might create IAM resources.
  6. Click on the Create stack button to save.
  7. You will receive an email (subject: AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.

Terraform

resource "aws_cloudformation_stack" "bucketav_add_on_reporting" {
  name         = "bucketav-reporting"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.10.0/bucketav-add-on-reporting.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
    ReportReceiver1= "name@domain.todo" # TODO replace email address
  }
}

Update

Which version am I using?

  1. To update this add-on to version v2.10.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-reporting, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/reporting/v2.10.0/bucketav-add-on-reporting.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • SNS Subscription to connect to the Findings Topic.
  • Kinesis Firehose Delivery Stream to store the messages from SNS on S3.
  • Athena to generate CSV files.
  • S3 Bucket to store the data and reports.
  • StepFunction State Machine to orchestrate report generation.
  • Lambda Function to send out the report email.
  • EventBridge Cron Rule to trigger the report daily/weekly/monthly.
  • SNS Topic & Subscription to send out report emails.
  • CloudWatch Alarms to monitor the used AWS services.

On-demand report

Requires version >= 2.9.0 of this add-on. To update to the latest version, follow the update instructions.

If you need a report now, follow these steps:

  1. Follow the setup instructions.
  2. Visit the AWS Step Functions Management Console.
  3. Ensure that you are in the correct region.
  4. Navigate to State machines.
  5. Click on the reporting state machine (if you followed the docs, the name is bucketav-reporting).
  6. Click the Start execution button.
  7. Keep the defaults and click the Start execution button.
  8. Wait for the Execution Status to switch to Succeeded (this can take a few minutes).

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email