When A DIY Lambda & ClamAV Antivirus Solution for S3 Isn't Worth It

Antivirus for Amazon S3 was built because our founders realized cloud application workflows that use Amazon S3 have become a massive attack vector. This is especially true for workflows that ingest third party files, store them in S3 and then share them downstream. 

While AWS offers tools such as Amazon Macie to manage the configuration and privacy of S3 buckets, it does not offer a native virus scanning solution to catch infected files before they end up on the machine of an end-user.

Over the years there have been a number of times where developers have described building a Lambda-based solution using the open-source antivirus toolkit ClamAV to enhance security and scan data for malware and viruses. Perhaps one of the earliest is a project by Luis Laviña undertaken in 2016. While a Lambda and ClamAV solution can be useful, there are many deficiencies in this approach. 

“Our home grown solution for scanning Amazon S3 for malware was becoming more time consuming to maintain. Antivirus for Amazon S3 delivers consistent real time virus scanning with minimal management required and at a lower cost than our previous solution utilizing AWS Lambdas and Amazon EFS.”

~Maxime Leblanc, Information Security Specialist, Poka

Read the full case study here >>

In fact, a number of the organizations that use Antivirus for Amazon S3 started out using a DIY Lambda-based solution, but quickly realized their solution was too expensive to run, required too much maintenance, didn’t meet performance expectations, and needed more management than they had time for.

This article explores the trade-offs between building your own Lambda and ClamAV-based solution versus implementing Antivirus for Amazon S3 — a security tool that’s trusted by SMBs, Enterprises, and the largest government agencies worldwide.  

 

Limitations of a DIY Amazon S3 Antivirus Solution

Limited Scanning Options

A homegrown Lambda-based deployment only provides new object scanning. You are not able to easily or automatically scan existing data to ensure files already uploaded to S3 are safe. Additionally, it doesn’t provide an option to scan data before it arrives in S3 if that is what the application workflow demands.

Antivirus for Amazon S3 provides 4 scan models (event based, retro based, API endpoint and scan on access) that allows users to scan for malware and manage problem files without disrupting their workflows.


Antivirus for Amazon S3 Scanning Models

AV for S3 - 4 Scanning Models


 

File Size Limits

ClamAV-based solutions have limitations on file size of 2GB and throughput performance due to limitations in the Lambda infrastructure. As the S3 workload of an organization increases, this can quickly lead to bottlenecks. 

Antivirus for Amazon S3 supports scanning using ClamAV with files up to 2GB in size and files up to  5TB in size using Sophos. With Antivirus for Amazon S3, a single agent can scan up to 7,000 1MB files with ClamAV in an hour and around 20,000 1 MB files using Sophos in an hour.

Antivirus for Amazon S3 gives you the option to choose from the enterprise Sophos or open-source ClamAV scanning engines for your antivirus deployment. You can also utilize both scanning engines at the same time should you choose to do so.

 

Maintenance is Not Easy

Ultimately, the biggest issue with build-your-own-solutions is that it puts companies in the business of having to maintain their own deployment rather than focusing on their core business offering. Antivirus for Amazon S3 is a self-hosted solution that can be used from day one and that will scale as your S3 file scanning needs increase.

Deployment through a Cloud Formation Template means that you’re up and running with a complete solution in 15 minutes. We also provide a GUI Management Console that makes configuring and managing the environment a breeze. All that dev time spent maintaining a homegrown solution can now be spent elsewhere. 

 

The ADEC Innovations team was able to deploy Antivirus for Amazon S3 more quickly than the other solutions they shortlisted on AWS Marketplace. Additionally, because Antivirus for Amazon S3 is a more modern, Fargate Container based solution, they determined that their total cost of ownership for the product would be 50% lower than the other Lambda and EC2 based solutions.

~ADEC Innovations Case Study

Read the full case study here >>

 

Dealing with Infected Files isn’t Easy

If a file is found to be infected, you may require additional analysis to verify if it is a legitimate threat. Using a DIY solution means you’ll have to download the file and perform testing on your local network, risking exposure to a threat.

With Antivirus for Amazon S3 you can send suspicious files to a cloud sandbox for detonation. The cloud detonation functionality can perform a simple Static Analysis or a Dynamic Analysis where the file is executed on a system and the outcome shared.

This leverages the Sophos Cloud Sandbox for detonation and the SophosLabs Intelix Platform for the analysis of the file. As part of the analysis you will also receive a VirusTotal report with an overview of the threat, providing you with an easy way to verify an infected file without having to download it to your local machine and go through the trouble of doing your own testing.

 

Ditch DIY for a Solution that Does the Work for You

Whether you need to scan a few gigabytes per month or a petabyte every week, Antivirus for Amazon S3 is a scalable, powerful, and effective solution that gets the job done. If you’re interested in trying Antivirus for Amazon S3, start a free trial on AWS Marketplace where you can scan up to 500GB in 30 days.