drs-malware-scan - Automated Malware Detection and Recovery Tool

Malware detection for on-premises servers is a critical part of maintaining a secure IT environment. However, traditional approaches often fall short due to resource constraints, lack of visibility, and the complexity of modern malware.

This guide provides a step-by-step approach to using AWS services for automated malware detection and recovery in on-premises environments.

Challenges with On-Premises Malware Detection

  1. Resource Constraints: Continuous monitoring of all servers can be expensive and resource-intensive.

  2. Ineffectiveness of Signature-Based Antivirus: Modern malware uses obfuscation techniques, making traditional antivirus tools insufficient.

  3. Lack of Centralized Monitoring: Admins often struggle to track security events across multiple servers over time.

  4. Safe Backup Identification: Without comprehensive threat intelligence, identifying safe backups for restoration is challenging.

  5. Manual Setup and Maintenance: Setting up advanced threat detection tools can be time-consuming and complex.

  6. Rapid Incident Response: Without automation, detecting and remediating infections quickly is difficult.

How AWS Services Address These Challenges

AWS offers a combination of services that streamline malware detection and recovery for on-premises servers:

Key AWS Services Used

  1. AWS Elastic Disaster Recovery (AWS DRS): Enables fast recovery of on-premises servers by replicating them to AWS with point-in-time recovery capabilities.

  2. Amazon GuardDuty: Continuously monitors workloads for malicious activity and provides detailed security findings.

  3. AWS Security Hub: Aggregates alerts, performs security checks, and automates remediation.

This integrated solution offers cost-effective, automated malware scanning while pinpointing safe recovery points.

Architecture Overview

The solution architecture includes the following components:

  1. AWS DRS replicates on-premises servers to AWS.

  2. Amazon GuardDuty Malware Protection scans replicated servers for malware.

  3. AWS Security Hub aggregates findings and provides actionable insights.

  4. A set of Lambda functions, EventBridge rules, DynamoDB tables, SQS queues, and CloudWatch Logs log groups orchestrates the scanning process.

Step-by-Step Implementation Guide

Prerequisites

  • An active AWS account.

  • Configured AWS Elastic Disaster Recovery (DRS) with at least one source server in sync.

  • Amazon GuardDuty and AWS Security Hub enabled.

  • IAM privileges to deploy the solution components.

Warning: Amazon GuardDuty Malware Protection does not scan EBS volumes encrypted with the default AWS-managed key. Use a customer managed key (CMK) from AWS KMS for EBS encryption of the replicated volumes.
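The two prerequisites above are easy to miss until a scan is silently skipped, so here is a pre-flight check you can run before deploying. It is an added example and not part of the aws-samples/drs-malware-scan project: the pure checks run offline on constructed data, and collect_live_facts() shows how the same facts would be gathered with boto3. The DRS and KMS field names and enum values it relies on (dataReplicationState CONTINUOUS, lifeCycle.state READY_FOR_RECOVERY, ebsEncryption NONE/DEFAULT/CUSTOM, KeyMetadata.KeyManager) are assumptions noted in the code, not values taken from this page.

```python
"""Pre-flight checks for the drs-malware-scan prerequisites.

Added example; it is not part of the aws-samples/drs-malware-scan project.
It verifies the two conditions the guide sets before deployment: at least one
DRS source server is in sync, and replicated EBS volumes are not encrypted
with an AWS-managed key (GuardDuty Malware Protection skips those volumes).
Assumed, not taken from the page: the DRS/KMS field names and enum values
commented below.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed DRS API values for a fully synced server: dataReplicationState
# "CONTINUOUS" and lifeCycle.state "READY_FOR_RECOVERY" (the console shows
# this as Ready for recovery = Ready).
IN_SYNC_REPLICATION = "CONTINUOUS"
READY_LIFECYCLE = "READY_FOR_RECOVERY"
KEY_PROBLEM = ("replicated EBS volumes use an AWS-managed KMS key; "
               "GuardDuty Malware Protection will skip them")


@dataclass(frozen=True)
class ServerFacts:
    source_server_id: str
    replication_state: str      # dataReplicationInfo.dataReplicationState
    lifecycle_state: str        # lifeCycle.state
    ebs_encryption: str         # replication configuration ebsEncryption: NONE|DEFAULT|CUSTOM
    key_manager: Optional[str]  # KMS KeyMetadata.KeyManager: "AWS" or "CUSTOMER"


def server_problems(facts: ServerFacts) -> List[str]:
    """List what blocks scanning for one server; an empty list means it passes."""
    problems = []
    if (facts.replication_state != IN_SYNC_REPLICATION
            or facts.lifecycle_state != READY_LIFECYCLE):
        problems.append(f"not in sync (replication={facts.replication_state}, "
                        f"lifecycle={facts.lifecycle_state})")
    # Unencrypted replicas are scannable; encrypted ones need a customer managed key.
    if facts.ebs_encryption != "NONE" and facts.key_manager != "CUSTOMER":
        problems.append(KEY_PROBLEM)
    return problems


def preflight(servers: List[ServerFacts]) -> Dict[str, List[str]]:
    """Source server ID -> problems found (empty list = ready to scan)."""
    return {s.source_server_id: server_problems(s) for s in servers}


def ready_to_deploy(report: Dict[str, List[str]]) -> bool:
    """Guide prerequisites: one or more servers in sync, and no AWS-managed-key replicas."""
    any_ready = any(not problems for problems in report.values())
    key_trouble = any(KEY_PROBLEM in problems for problems in report.values())
    return any_ready and not key_trouble


def collect_live_facts(region: str) -> List[ServerFacts]:
    """Build ServerFacts from the account (needs boto3 and credentials)."""
    import boto3  # imported here so the checks above run offline

    drs = boto3.client("drs", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    facts, token = [], None
    while True:
        resp = drs.describe_source_servers(**({"nextToken": token} if token else {}))
        for item in resp["items"]:
            sid = item["sourceServerID"]
            cfg = drs.get_replication_configuration(sourceServerID=sid)
            enc = cfg.get("ebsEncryption", "DEFAULT")
            key_manager = None
            if enc != "NONE":
                # Assumed: CUSTOM carries the key ARN; DEFAULT means the region's
                # EBS default key, which may still be the AWS-managed alias/aws/ebs.
                key_id = (cfg["ebsEncryptionKeyArn"] if enc == "CUSTOM"
                          else ec2.get_ebs_default_kms_key_id()["KmsKeyId"])
                key_manager = kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]
            facts.append(ServerFacts(
                sid,
                item.get("dataReplicationInfo", {}).get("dataReplicationState", "UNKNOWN"),
                item.get("lifeCycle", {}).get("state", "UNKNOWN"),
                enc, key_manager))
        token = resp.get("nextToken")
        if not token:
            return facts


if __name__ == "__main__":
    # Constructed sample, not a real account: one synced server on a customer
    # managed key and one still in initial sync on the AWS-managed key.
    sample = [
        ServerFacts("s-constructed01", "CONTINUOUS", "READY_FOR_RECOVERY", "CUSTOM", "CUSTOMER"),
        ServerFacts("s-constructed02", "INITIAL_SYNC", "NOT_READY", "DEFAULT", "AWS"),
    ]
    report = preflight(sample)
    for sid, problems in report.items():
        print(sid, "OK" if not problems else "; ".join(problems))
    print("ready to deploy:", ready_to_deploy(report))
```

Run it with no arguments to see the constructed sample evaluated; swap the sample for collect_live_facts("your-region") to check a real account. A DEFAULT replication configuration is treated with suspicion on purpose: the region's default EBS key is often still the AWS-managed one, which is exactly the case the warning above describes.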

Deployment Steps

1. Set Up the Environment

  • Create a Cloud9 environment in your AWS account (use an Ubuntu image on at least a t3.small instance for better performance).

  • Clone the repository containing the solution code and run the log-group check script:

      git clone https://github.com/aws-samples/drs-malware-scan
      cd drs-malware-scan
      sh check_loggroup.sh

2. Deploy the Solution

Run the following commands in your Cloud9 terminal:

      npm install
      cdk bootstrap
      cdk deploy --all

The solution consists of two stacks:

  • DrsMalwareScanStack: Deploys resources for malware scanning (mandatory).

  • ScanReportStack: Deploys resources for reporting (optional).

3. Configure Source Servers for Scanning

  • Identify source servers from the AWS DRS console.

  • Add an entry for each server to be scanned to the DrsMalwareScanStack-SourceServersDDBTable DynamoDB table.

4. Schedule Malware Scans

  • Edit the EventBridge rule (DrsMalwareScanStack-ScheduleScanRule) to set scan frequency (e.g., daily or weekly).

  • Enable the rule to start scheduling scans.

5. Verify Scan Operations

  • Check Amazon GuardDuty’s Malware Scans console for active scan jobs.

  • Use AWS Security Hub to view findings related to infected servers.

6. Optional: Generate Malware Scan Reports

If you deployed ScanReportStack, you can:

  • Schedule report generation using the ScanReportStack-ScanReportRule.

  • Access reports stored in an S3 bucket (scanreportstack-scanreportbucket).

Incident Response

When malware is detected:

  1. Use the findings in Security Hub to identify the compromised source servers.

  2. Perform a point-in-time recovery with AWS DRS from a snapshot taken before the infection date.
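The two incident-response steps above are the whole point of keeping scan history, so here is the selection logic written out. This is an added example, not code from the aws-samples/drs-malware-scan project. It assumes (the page does not say) that the GuardDuty findings surfaced in Security Hub name the scanned EC2 instance in Resources[].Id, and that a mapping from that instance ID back to the DRS source server ID is available; the solution keeps server details in DynamoDB but the page gives no schema, so a plain dict stands in. The findings, instance IDs and snapshot IDs in the block are constructed.

```python
"""Select a DRS recovery snapshot taken before a malware finding.

Added example for the incident-response steps above; not part of the
aws-samples/drs-malware-scan project. Assumed, not from the page: ASFF
findings carry the scanned instance in Resources[].Id, and the caller
supplies an instance-ID -> DRS source-server-ID mapping.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class MalwareFinding:
    instance_id: str
    first_observed: datetime  # ASFF FirstObservedAt, parsed to an aware datetime
    title: str


@dataclass(frozen=True)
class RecoverySnapshot:
    snapshot_id: str
    source_server_id: str
    taken_at: datetime  # DescribeRecoverySnapshots items[].timestamp, parsed


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps both APIs return (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def finding_from_asff(finding: dict) -> Optional[MalwareFinding]:
    """Extract the EC2 instance and first-observed time from one ASFF finding."""
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsEc2Instance":
            # The resource Id is an ARN; the instance ID is its last path element.
            instance_id = res["Id"].rsplit("/", 1)[-1]
            return MalwareFinding(instance_id, _parse_ts(finding["FirstObservedAt"]),
                                  finding.get("Title", ""))
    return None


def earliest_detection(findings: Iterable[MalwareFinding],
                       instance_to_server: Dict[str, str]) -> Dict[str, datetime]:
    """Source server ID -> earliest time malware was observed on its replica."""
    out: Dict[str, datetime] = {}
    for f in findings:
        server = instance_to_server.get(f.instance_id)
        if server is None:
            continue  # finding on an instance this solution does not manage
        if server not in out or f.first_observed < out[server]:
            out[server] = f.first_observed
    return out


def last_snapshot_before(snapshots: Iterable[RecoverySnapshot], server: str,
                         detected_at: datetime,
                         margin: timedelta = timedelta(0)) -> Optional[RecoverySnapshot]:
    """Newest snapshot of `server` older than detected_at minus `margin`.

    FirstObservedAt is when a scan first saw the malware, not when the host was
    infected, so `margin` lets you step back further (for example one scan interval).
    """
    cutoff = detected_at - margin
    candidates = [s for s in snapshots if s.source_server_id == server and s.taken_at < cutoff]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def choose_recovery_points(asff_findings: Iterable[dict], instance_to_server: Dict[str, str],
                           snapshots: List[RecoverySnapshot],
                           margin: timedelta = timedelta(0)) -> Dict[str, Optional[str]]:
    """Source server ID -> snapshot ID to recover from (None if nothing predates detection)."""
    parsed = [f for f in map(finding_from_asff, asff_findings) if f]
    result: Dict[str, Optional[str]] = {}
    for server, detected in earliest_detection(parsed, instance_to_server).items():
        snap = last_snapshot_before(snapshots, server, detected, margin)
        result[server] = snap.snapshot_id if snap else None
    return result


def choose_live(region: str, instance_to_server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Same selection against the account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure logic above runs offline

    sh = boto3.client("securityhub", region_name=region)
    drs = boto3.client("drs", region_name=region)
    # Narrow further by Type once you know which GuardDuty finding types your
    # scans raise; the page does not list them, so only the product is filtered.
    filters = {"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
               "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}
    findings = [f for page in sh.get_paginator("get_findings").paginate(Filters=filters)
                for f in page["Findings"]]
    snapshots: List[RecoverySnapshot] = []
    for server in set(instance_to_server.values()):
        token = None
        while True:
            resp = drs.describe_recovery_snapshots(
                sourceServerID=server, **({"nextToken": token} if token else {}))
            snapshots += [RecoverySnapshot(i["snapshotID"], server, _parse_ts(i["timestamp"]))
                          for i in resp["items"]]
            token = resp.get("nextToken")
            if not token:
                break
    return choose_recovery_points(findings, instance_to_server, snapshots)


# Constructed sample data (not real findings, instances or snapshots).
SAMPLE_FINDINGS = [
    {"Title": "Malware detected on replica", "FirstObservedAt": "2024-03-10T08:00:00.000Z",
     "Resources": [{"Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0constructed1"}]},
]
SAMPLE_MAP = {"i-0constructed1": "s-0constructedserver1"}
SAMPLE_SNAPSHOTS = [
    RecoverySnapshot("pit-1", "s-0constructedserver1", _parse_ts("2024-03-08T00:00:00Z")),
    RecoverySnapshot("pit-2", "s-0constructedserver1", _parse_ts("2024-03-09T12:00:00Z")),
    RecoverySnapshot("pit-3", "s-0constructedserver1", _parse_ts("2024-03-10T06:00:00Z")),
    RecoverySnapshot("pit-4", "s-0constructedserver1", _parse_ts("2024-03-11T00:00:00Z")),
]

if __name__ == "__main__":
    print(choose_recovery_points(SAMPLE_FINDINGS, SAMPLE_MAP, SAMPLE_SNAPSHOTS))
    print(choose_recovery_points(SAMPLE_FINDINGS, SAMPLE_MAP, SAMPLE_SNAPSHOTS, timedelta(hours=24)))
```

With the constructed sample the newest snapshot before the detection is pit-3; with a 24-hour margin the choice falls back to pit-1, because pit-2 was taken inside the margin. The margin matters in practice: the first scan that flags a file only bounds the infection time from above, so the safest recovery point is the newest one an earlier scheduled scan already reported clean.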

Cost Estimation

Here’s an example cost breakdown based on a fictitious scenario:

Service Name                    Description                        Monthly Cost (USD)
AWS Elastic Disaster Recovery   2 source servers, 100 GB storage   $71.41
Amazon GuardDuty                Scanning 3 TB/month                $94.56
Amazon DynamoDB                 Read/write capacity                $3.65
AWS Security Hub                Findings ingestion                 $0.10
Amazon EventBridge              Custom events                      $1.00
Amazon CloudWatch               Log ingestion                      $0.50
Total                                                              $171.22

Note: Costs may vary based on usage and region.

Troubleshooting Tips

  1. Check CloudWatch logs (/aws/lambda/DrsMalwareScanStack-*) for Lambda function execution details.

  2. Monitor SQS FIFO queues for message flow issues.

  3. Ensure DRS replication is healthy (the source server shows Ready for recovery = Ready in the DRS console).

  4. If a scan is skipped, look up the skip reason in the Amazon GuardDuty Malware Protection documentation.

Cleanup

To remove all deployed resources:

      cdk destroy --all

Optionally, delete associated CloudWatch log groups.

Security Considerations

Ensure compliance with your organization’s security policies when deploying this solution.

With this setup, organizations can scan replicated on-premises servers for malware on a schedule and recover cleanly from a known-good point using AWS Elastic Disaster Recovery, GuardDuty, and Security Hub. You can learn more and download drs-malware-scan on GitHub.
