
When A DIY Lambda & ClamAV Antivirus Solution for S3 Isn't Worth It


Cloud Storage Security's (CSS) malware protection solution was built when our founders observed that cloud application workflows relying on cloud storage had become a massive attack vector, and that building an in-house, end-to-end malware detection system with sophisticated threat detection engines was a costly undertaking for any business with data in the cloud. This is especially true for workflows that ingest third-party files, store them in the cloud and then share them downstream.

Over the years there have been a number of instances where developers have attempted to build a home-grown, Lambda-based solution using open-source antivirus toolkits like ClamAV to enhance security and scan data for malware and viruses. While a Lambda and ClamAV solution can be useful, there are many deficiencies in this approach when it comes to the cloud. 

“Our home grown solution for scanning Amazon S3 for malware was becoming more time consuming to maintain. Antivirus for Amazon S3 delivers consistent real time virus scanning with minimal management required and at a lower cost than our previous solution utilizing AWS Lambdas and Amazon EFS.”

~Maxime Leblanc, Information Security Specialist, Poka


In fact, many organizations that use CSS’ malware protection solution started out using a DIY Lambda-based solution, but quickly realized their solution:

  • Was too expensive to run
  • Required too much maintenance
  • Didn't meet performance expectations
  • Lacked fundamental workflow, monitoring, and quarantining features
  • Needed more management than they had time for


This article explores the trade-offs between building your own Lambda and ClamAV-based solution versus implementing CSS’ malware protection solution — a security tool that’s trusted by SMBs, Enterprises, and the largest government agencies worldwide.   

Limitations of a DIY Antivirus Solution

Limited Scanning Options

A homegrown Lambda-based deployment only provides new object scanning. You are not able to easily or automatically scan existing data to ensure files already uploaded to cloud storage are safe. Additionally, it doesn’t provide an option to scan data before it arrives in cloud storage if that is what the application workflow demands.

CSS’ malware protection solution provides three scan models (event-based for new files, retro-based for existing files, and an API endpoint for automation) that allow users to scan for malware and manage problem files without disrupting their workflows.

[Figure: Malware Protection Scanning Models]

Premium-Grade, Multilayered Protection

A homegrown solution built on ClamAV – while offering a baseline of threat detection – falls short of the advanced threat detection capabilities available in CSS’ malware protection solution. By combining several advanced malware engines, CSS’ solution provides a much more comprehensive defense to prevent malware and zero-day threats, many of which are the source of recent malware attacks. This multilayered approach is an application of the defense in depth security principle, which not only bolsters your security posture but reduces the risks of gaps in your defense. Our expertise in malware detection is built into CSS’ malware protection solution, delivering truly best-in-class storage protection.

File Size, File System, and Performance Limitations

Many malware engines have tight limits on file size, while Lambda throughput is limited by its design. As the volume of files an organization ingests increases, this can quickly lead to bottlenecks.

CSS’ malware protection solution supports scanning files up to 2GB in size using ClamAV and files up to 5TB in size using advanced threat detection engines. With CSS’ malware protection solution, a single agent can scan up to 7,000 1MB files with ClamAV in an hour and around 20,000 1MB files using Sophos in an hour.
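To make the two gaps above concrete (an event-driven scanner only sees new uploads, and a per-invocation file-size ceiling), here is an added example of the decision logic a DIY S3 + Lambda + ClamAV handler ends up needing. It is not code from the post or from CSS; the tag key, size limit and the in-memory stand-ins for S3 listings and tags are assumptions, and no AWS calls are made.

```python
"""Decision logic for a DIY S3 + Lambda + ClamAV scanner (constructed example).
No boto3 calls: S3 listings and object tags are passed in as plain dicts."""
import re
from dataclasses import dataclass

# Assumed deployment limit: clamscan's --max-filesize and the Lambda /tmp
# volume both cap what a single invocation can scan. Value is illustrative.
MAX_SCAN_BYTES = 2 * 1024 ** 3
SCAN_TAG = "scan-status"  # assumed tag key recording the verdict

# clamscan prints "<path>: <signature> FOUND" or "<path>: OK" per file.
CLAMSCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


@dataclass(frozen=True)
class Verdict:
    key: str
    status: str        # "clean", "infected" or "skipped"
    signature: str = ""
    action: str = ""   # "tag" or "quarantine"


def parse_clamscan(output: str) -> dict:
    """Map each scanned path to its signature name ('' means OK)."""
    hits = {}
    for line in output.splitlines():
        m = CLAMSCAN_LINE.match(line)
        if m:
            hits[m.group("path")] = m.group("sig") or ""
    return hits


def plan_object(key: str, size: int, local_path: str, clam_output: str) -> Verdict:
    """Event path: decide tag vs. quarantine for one newly uploaded object."""
    if size > MAX_SCAN_BYTES:
        # Oversized objects are surfaced as skipped, never assumed clean.
        return Verdict(key, "skipped", action="tag")
    sig = parse_clamscan(clam_output).get(local_path)
    if sig is None:          # scanner produced no line for this file
        return Verdict(key, "skipped", action="tag")
    if sig:
        return Verdict(key, "infected", sig, "quarantine")
    return Verdict(key, "clean", action="tag")


def retro_backlog(listing: list, tags: dict) -> list:
    """Retro path: keys already in the bucket that carry no final verdict.
    `listing` mimics list_objects_v2 'Contents'; `tags` maps key -> tag dict."""
    return [o["Key"] for o in listing
            if tags.get(o["Key"], {}).get(SCAN_TAG) not in ("clean", "infected")]
```

The retro backlog is the part an S3-event trigger never produces on its own; a DIY deployment has to schedule and page through it separately, which is the maintenance burden the post describes.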

CSS’ malware protection solution gives you the option to choose from the enterprise Sophos or open-source ClamAV scanning engines for your antivirus deployment. You can also utilize both scanning engines at the same time should you choose to do so.

Further, CSS’ malware protection solution supports S3, EFS, FSx, and other storage targets from the moment it is installed. Plus, you’ll gain access to new storage targets as we release support for them, requiring no additional development efforts from your IT team.

Maintenance is Not Easy

Ultimately, the biggest issue with build-your-own solutions is that they put companies in the business of maintaining their own deployment rather than focusing on their core business offering. CSS’ malware protection solution is a self-hosted solution that can be used from day one and that will scale as your S3 file scanning needs increase.

Deployment through a CloudFormation Template means that you’re up and running with a complete solution in 10 minutes. We also provide a GUI Management Console that automates your entire threat detection workflow, making configuring and managing the environment a breeze. All that dev time spent maintaining a homegrown solution can now be spent elsewhere.  

The ADEC Innovations team was able to deploy Antivirus for Amazon S3 more quickly than the other solutions they shortlisted on AWS Marketplace. Additionally, because Antivirus for Amazon S3 is a more modern, Fargate Container based solution, they determined that their total cost of ownership for the product would be 50% lower than the other Lambda and EC2 based solutions.

~ADEC Innovations Case Study


Dealing with Infected Files isn’t Easy

If a file is found to be infected, you may need additional analysis to verify whether it is a legitimate threat. Using a DIY solution means you’ll have to download the file and perform testing on your local network, risking exposure to the threat.

With CSS’ malware protection solution you can send suspicious files to a quarantine location, or to a cloud sandbox for detonation. The cloud detonation functionality can perform a simple Static Analysis or a Dynamic Analysis where the file is executed on a system and the outcome shared.

This leverages the Sophos Cloud Sandbox for detonation and the SophosLabs Intelix Platform for the analysis of the file. As part of the analysis you will also receive a VirusTotal report with an overview of the threat, providing you with an easy way to verify an infected file without having to download it to your local machine and go through the trouble of doing your own testing.


Ditch DIY for a Solution that Does the Work for You

Whether you need to scan a few gigabytes per month or a petabyte every week, CSS’ malware protection solution is a scalable, powerful, and effective solution that gets the job done. If you’re interested in trying our malware protection solution, start a free trial in AWS Marketplace where you can scan up to 100GB in 30 days.
