
drs-malware-scan - Automated Malware Detection and Recovery Tool
Malware detection on on-premises servers is a critical aspect of maintaining a secure IT environment. However, traditional approaches often fall short due to resource constraints, lack of visibility, and the complexity of modern malware.
This guide provides a step-by-step approach to using AWS services for automated malware detection and recovery in on-premises environments.
Challenges with On-Premises Malware Detection
- Resource Constraints: Continuous monitoring of all servers can be expensive and resource-intensive.
- Ineffectiveness of Signature-Based Antivirus: Modern malware uses obfuscation techniques, making traditional antivirus tools insufficient.
- Lack of Centralized Monitoring: Admins often struggle to track security events across multiple servers over time.
- Safe Backup Identification: Without comprehensive threat intelligence, identifying safe backups for restoration is challenging.
- Manual Setup and Maintenance: Setting up advanced threat detection tools can be time-consuming and complex.
- Rapid Incident Response: Without automation, detecting and remediating infections quickly is difficult.
How AWS Services Address These Challenges
AWS offers a combination of services that streamline malware detection and recovery for on-premises servers:
Key AWS Services Used
- AWS Elastic Disaster Recovery (AWS DRS): Enables fast recovery of on-premises servers by replicating them to AWS with point-in-time recovery capabilities.
- Amazon GuardDuty: Continuously monitors workloads for malicious activity and provides detailed security findings.
- AWS Security Hub: Aggregates alerts, performs security checks, and automates remediation.
This integrated solution offers cost-effective, automated malware scanning while pinpointing safe recovery points.
Architecture Overview
The solution architecture includes the following components:
- AWS DRS replicates on-premises servers to AWS.
- Amazon GuardDuty Malware Protection scans the replicated servers for malware.
- AWS Security Hub aggregates findings and provides actionable insights.
- A set of Lambda functions, EventBridge rules, DynamoDB tables, SQS queues, and CloudWatch logs orchestrates the scanning process.
Step-by-Step Implementation Guide
Prerequisites
- An active AWS account.
- AWS Elastic Disaster Recovery (DRS) configured with at least one source server in sync.
- Amazon GuardDuty and AWS Security Hub enabled.
- IAM privileges to deploy the solution components.
Warning: Amazon GuardDuty Malware Protection does not support EBS volumes encrypted with the default AWS-managed key. Use a customer managed key (CMK) from AWS KMS for EBS encryption of the replicated volumes.
Deployment Steps
1. Set Up the Environment
- Create a Cloud9 environment in your AWS account (use an Ubuntu image with at least a t3.small instance for better performance).
- Clone the repository containing the solution code and run the log group check:
git clone https://github.com/aws-samples/drs-malware-scan
cd drs-malware-scan
sh check_loggroup.sh
2. Deploy the Solution
Run the following commands in your Cloud9 terminal:
npm install
cdk bootstrap
cdk deploy --all
The solution consists of two stacks:
- DrsMalwareScanStack: Deploys the resources for malware scanning (mandatory).
- ScanReportStack: Deploys the resources for reporting (optional).
3. Configure Source Servers for Scanning
- Identify the source servers in the AWS DRS console.
- Update the DrsMalwareScanStack-SourceServersDDBTable DynamoDB table with the server details.
4. Schedule Malware Scans
- Edit the EventBridge rule (DrsMalwareScanStack-ScheduleScanRule) to set the scan frequency (e.g., daily or weekly).
- Enable the rule to start scheduling scans.
5. Verify Scan Operations
- Check the Malware Scans page of the Amazon GuardDuty console for active scan jobs.
- Use AWS Security Hub to view findings related to infected servers.
6. Optional: Generate Malware Scan Reports
If you deployed ScanReportStack, you can:
- Schedule report generation using the ScanReportStack-ScanReportRule EventBridge rule.
- Access the reports stored in the S3 bucket (scanreportstack-scanreportbucket).
Incident Response
In case of malware detection:
- Use the findings in Security Hub to identify the compromised servers.
- Perform a point-in-time recovery using an AWS DRS snapshot taken before the infection date.
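To make the second step repeatable, the following added example (not part of the drs-malware-scan project) picks, for one source server, the newest DRS recovery snapshot taken strictly before the first malware observation. It assumes simplified, constructed inputs: snapshot records with the snapshotID, sourceServerID and timestamp fields of drs:DescribeRecoverySnapshots, and finding records reduced to the source server ID and the finding's FirstObservedAt time.

```python
from datetime import datetime, timezone
from typing import List, Optional

# Assumed input shapes (constructed, not real AWS output):
#  snapshot: {"snapshotID", "sourceServerID", "timestamp"}, the fields of
#            the `items` returned by drs:DescribeRecoverySnapshots
#  finding:  {"sourceServerID", "FirstObservedAt"}, the DRS server whose
#            replica was scanned plus the finding's first-seen time


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; AWS output usually ends in 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def earliest_infection(findings: List[dict], server_id: str) -> Optional[datetime]:
    """Earliest time malware was observed on the given source server."""
    times = [parse_ts(f["FirstObservedAt"]) for f in findings
             if f["sourceServerID"] == server_id]
    return min(times) if times else None


def select_safe_snapshot(snapshots: List[dict], findings: List[dict],
                         server_id: str) -> Optional[dict]:
    """Newest snapshot of server_id taken strictly before the first malware
    observation. With no findings every snapshot qualifies; returns None
    when even the oldest snapshot post-dates the infection."""
    cutoff = earliest_infection(findings, server_id)
    candidates = [s for s in snapshots if s["sourceServerID"] == server_id]
    if cutoff is not None:
        candidates = [s for s in candidates if parse_ts(s["timestamp"]) < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda s: parse_ts(s["timestamp"]))


# Constructed sample data for a stand-alone run.
SNAPSHOTS = [
    {"snapshotID": "pit-0001", "sourceServerID": "s-0aaa", "timestamp": "2024-05-01T02:00:00Z"},
    {"snapshotID": "pit-0002", "sourceServerID": "s-0aaa", "timestamp": "2024-05-02T02:00:00Z"},
    {"snapshotID": "pit-0003", "sourceServerID": "s-0aaa", "timestamp": "2024-05-03T02:00:00Z"},
    {"snapshotID": "pit-0004", "sourceServerID": "s-0bbb", "timestamp": "2024-05-03T02:00:00Z"},
]
FINDINGS = [
    {"sourceServerID": "s-0aaa", "FirstObservedAt": "2024-05-02T10:30:00Z"},
    {"sourceServerID": "s-0aaa", "FirstObservedAt": "2024-05-03T01:00:00Z"},
]

if __name__ == "__main__":
    print(select_safe_snapshot(SNAPSHOTS, FINDINGS, "s-0aaa")["snapshotID"])  # pit-0002
```

A None result means no replicated point in time predates the infection, so the server must be rebuilt rather than recovered from DRS.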
Cost Estimation
Here’s an example cost breakdown based on a fictitious scenario:

| Service Name | Description | Monthly Cost (USD) |
|---|---|---|
| AWS Elastic Disaster Recovery | 2 source servers, 100GB storage | $71.41 |
| Amazon GuardDuty | Scanning 3TB/month | $94.56 |
| Amazon DynamoDB | Read/Write capacity | $3.65 |
| AWS Security Hub | Findings ingestion | $0.10 |
| Amazon EventBridge | Custom events | $1.00 |
| Amazon CloudWatch | Log ingestion | $0.50 |
| Total | | $171.22 |
Note: Costs may vary based on usage and region.
Troubleshooting Tips
- Check the CloudWatch logs (/aws/lambda/DrsMalwareScanStack-*) for Lambda function execution details.
- Monitor the SQS FIFO queues for message flow issues.
- Ensure DRS replication is healthy (ReadyforRecovery=Ready).
- Review the reasons for skipped scans in the Amazon GuardDuty documentation.
Cleanup
To remove all deployed resources:
cdk destroy --all
Optionally, delete associated CloudWatch log groups.
Security Considerations
Ensure compliance with your organization’s security policies when deploying this solution.
By following this guide, organizations can enhance their malware detection capabilities while ensuring seamless recovery from potential threats using AWS services such as Elastic Disaster Recovery, GuardDuty, and Security Hub. You can learn more and download drs-malware-scan on GitHub.