Guides

Update Guide

We regularly release new bucketAV versions to add features, improve performance, or patch vulnerabilities (see our release notes). The latest versions are:

  • bucketAV for Amazon S3 powered by ClamAV®: v2.29.0
  • bucketAV for Amazon S3 powered by Sophos®: v2.21.0
  • bucketAV for Amazon S3 powered by multiple engines: v2.0.0
  • bucketAV for Cloudflare R2 powered by ClamAV®: v2.8.0
  • bucketAV for Cloudflare R2 powered by Sophos®: v2.8.0

bucketAV supports updates without downtime. You don’t need to be afraid of updating bucketAV, even when files are scanned.

There are two ways to update bucketAV: The preferred Quick Update and the legacy Manual Update.

Quick Update

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.15.0, bucketAV for Amazon S3 powered by Sophos® version >= 2.5.0, or any version of bucketAV for Cloudflare R2. If you are using an older version, perform a manual update instead.

  1. Visit the AWS CloudWatch Management Console.
  2. Navigate to Dashboards.
  3. Select the dashboard starting with the name bucketav followed by the name of the AWS region—for example, bucketav-eu-west-1. Step 1
  4. Find the Update tile. Click the Update button. If there is no Update tile in your dashboard, perform a manual update. Step 2
  5. You are redirected to AWS CloudFormation. Click on Next. Step 3
  6. Scroll to the bottom of the page and click on Next. Step 4
  7. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next. Step 5
  8. Scroll to the bottom of the page and click on Submit. Step 6
  9. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and … Step 7
  10. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE. Step 8

Don’t forget to update your Add-Ons in the dashboard!

Manual Update

Before you update bucketAV to the latest version, you need to find out the current version, engine, and fulfillment option you are using.

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. Click on the Outputs tab.
  6. The output Platform shows aws or cloudflare. In case, the output Platform is missing, you are running aws.
  7. The output Engine shows clamav, sophos or multi. In case, the output Engine is missing, you are running clamav.
  8. The output Version shows the current version of bucketAV.
  9. The output FulfillmentOption shows the fulfillment option.

Afterward, pick the Amazon S3 URL of the matching CloudFormation template from the following table.

Fulfillment OptionAmazon S3 URL
dedicated-public-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/6e4bfc02-4ebd-4a7f-bda9-894fb1cec50f/6e4bfc02-4ebd-4a7f-bda9-894fb1cec50f/2b307b6c-8135-4f39-a086-880f7f3ed25e/9a92d64d-126c-46ce-84e3-888bd2fe7827/dedicated-public-vpc.yaml Copy
dedicated-private-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/618fe709-7239-4137-a2ac-d38049cfd82d/618fe709-7239-4137-a2ac-d38049cfd82d/2b307b6c-8135-4f39-a086-880f7f3ed25e/bd7d13cf-058f-4414-960d-d5f28cbb2c04/dedicated-private-vpc.yaml Copy
shared-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/d21d8423-cd12-4e91-902d-19ac60d5fda1/d21d8423-cd12-4e91-902d-19ac60d5fda1/2b307b6c-8135-4f39-a086-880f7f3ed25e/f4a2f6f0-f9a9-474e-8d9e-0abf667601b2/shared-vpc.yaml Copy
Fulfillment OptionAmazon S3 URL
dedicated-public-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/47046286-8ab6-49a1-b441-28d0851aa946/47046286-8ab6-49a1-b441-28d0851aa946/39d58953-9c3f-4b5d-a00c-3df2aa282f32/7f12a75f-a41c-4bab-97ea-3eba538a110d/dedicated-public-vpc.yaml Copy
dedicated-private-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/d1b50f49-0eb8-4248-b592-3b908d94297d/d1b50f49-0eb8-4248-b592-3b908d94297d/39d58953-9c3f-4b5d-a00c-3df2aa282f32/f8fc25a1-4860-46bf-9ab9-6d5e6ab0bb19/dedicated-private-vpc.yaml Copy
shared-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/a81efcb5-1ee6-4bf3-a847-c29c6e837550/a81efcb5-1ee6-4bf3-a847-c29c6e837550/39d58953-9c3f-4b5d-a00c-3df2aa282f32/029ec1f8-f227-4d34-b46f-3a37e3a7e69b/shared-vpc.yaml Copy

In case the current version is 1.x, follow the Migration Steps first!

When upgrading to bucketAV with engine ClamAV, fulfillment option dedicated-private-vpc, and version <=2.13.0 expect an increase in VPC costs by about $68/month, as we replaced the NAT Gateway with 7 VPC Endpoints to enhance network security.

Fulfillment OptionAmazon S3 URL
dedicated-public-vpchttps://bucketav-templates.s3.eu-west-1.amazonaws.com/aws/multi/2.0.0/dedicated-public-vpc.yaml Copy
dedicated-private-vpchttps://bucketav-templates.s3.eu-west-1.amazonaws.com/aws/multi/2.0.0/dedicated-private-vpc.yaml Copy
shared-vpchttps://bucketav-templates.s3.eu-west-1.amazonaws.com/aws/multi/2.0.0/shared-vpc.yaml Copy
Fulfillment OptionAmazon S3 URL
dedicated-public-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/27599a21-b101-46f5-bd40-11d916c8c447/27599a21-b101-46f5-bd40-11d916c8c447/09b8aae1-fbef-41bb-8f14-9ab32becff6b/37d32b3f-ae0a-4685-97a6-20f4d6aeb5c0/dedicated-public-vpc.yaml Copy
dedicated-private-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/7a970c34-70c4-4f18-8af5-15f13f2e8bca/7a970c34-70c4-4f18-8af5-15f13f2e8bca/09b8aae1-fbef-41bb-8f14-9ab32becff6b/9a6fbae1-4fed-449f-bef9-4aa13a0149dd/dedicated-private-vpc.yaml Copy
shared-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/418d9b0e-0819-4835-b3d9-0102d1fe5877/418d9b0e-0819-4835-b3d9-0102d1fe5877/09b8aae1-fbef-41bb-8f14-9ab32becff6b/9b1cc3ce-95e8-432f-83b4-77df0be3a44b/shared-vpc.yaml Copy
Fulfillment OptionAmazon S3 URL
dedicated-public-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/ca2789e6-0c39-4f78-937c-07de2cf365a7/ca2789e6-0c39-4f78-937c-07de2cf365a7/prod-7xkrsknzsjzbe/8835cce4-958a-436d-aaf8-3c26e5f32e9a/dedicated-public-vpc.yaml Copy
dedicated-private-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/1686a43a-c35a-4955-8608-f26647e05445/1686a43a-c35a-4955-8608-f26647e05445/prod-7xkrsknzsjzbe/b2cd9daf-b38f-4b39-a7f0-5205db3df811/dedicated-private-vpc.yaml Copy
shared-vpchttps://awsmp-cft-992382380361-1708727387563.s3.us-east-1.amazonaws.com/93e7dfe7-6266-4d25-ba8b-52d87111bffa/93e7dfe7-6266-4d25-ba8b-52d87111bffa/prod-7xkrsknzsjzbe/6a8919ea-f00b-41c6-8ab1-e92b42f285e9/shared-vpc.yaml Copy

Next, you are ready to update bucketAV.

  1. Select the bucketAV stack (e.g., bucketav) and press the Update stack button; press Make a direct update. Step 1
  2. Select Replace existing template and paste the Amazon S3 URL that you picked above. Step 2
  3. Click on Next.
  4. Scroll to the bottom of the page and click on Next. Step 3
  5. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next. Step 4
  6. Scroll to the bottom of the page and click on Submit. Step 5
  7. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and … Step 6
  8. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE. Step 7

Don’t forget to update your Add-Ons!

Migration Steps

v1 to v2

  • The product was renamed from VirusScan for Amazon S3 to bucketAV - Antivirus for Amazon S3.
  • EC2 instances now run on spot capacity. Set the CapacityStrategy configuration parameter to OnDemandOnly to launch on-demand instances as before (more expensive).
  • The parameter configuration VolumeSize was removed. No action is needed.
  • The SNS message subject changed from s3-virusscan s3://${BUCKET_NAME} to bucketAV Scan Result for S3 Bucket ${BUCKET_NAME}. No topic subscriber should rely on the subject.
  • The configuration parameter TagKey now defaults to bucketav (previously s3-virusscan) for new installations. You can change the default if needed.
  • If the configuration parameter OpsCenterIntegration is set to true, the source in Ops Items changes from s3-virusscan to bucketAV.
  • Add-Ons
    • The configuration parameter S3VirusScanStackName changed to BucketAVStackName.

v1.3 to 1.4

If you use bucketAV in a Multi-Account setup, please allowlist all accounts by adding them (comma separated) to the AWSAccountRestriction configuration parameter.

Stay up-to-date

Monthly digest of security updates, new capabilities, and best practices.