Handle scan errors in AWS

There are several ways to re-scan your files.

Re-scan the file manually

In the Scan Error Events table, you can locate the file whose scan failed by its Scan Time, Storage Name, and File Name (the file name is available only if the File Storage Security backend is configured to record it). You can also find the files whose scan failed in the S3 bucket by the object tag "fss-scan-result" = "failure".

To re-scan those files, you can copy them back into the same bucket by selecting Actions > Copy in S3. The Copy action will trigger the scanner to re-scan those files.

Re-scan the file by Python script

Please refer to the sample code. The sample code shows how to re-scan a list of files using their file URLs. You can customize it to run in Lambda, or run it with the Python command and valid AWS credentials.

Note:

  • <My_Bucket_Listener_ARN>: replace this with the ARN of the bucketListener Lambda of the bucket.
  • [<My_File_URL_1>, <My_File_URL_2>, <My_File_URL_3>, ...]: replace this list with the file URLs that you want to re-scan.
  • Running the Python script requires permission to invoke the Lambda function.
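Because the sample code itself is not reproduced on this page, here is an added example (not Trend Micro's own sample script) of how such a re-scan script can be structured. It assumes that the bucketListener Lambda accepts the same S3 event-notification payload shape that S3 normally sends it, and that <My_Bucket_Listener_ARN> and the file URLs are placeholders you replace.

```python
import json
from urllib.parse import quote_plus, unquote, urlparse

# Assumed placeholders, as in the note above: the bucketListener Lambda ARN
# and the list of file URLs to re-scan (replace both before running).
BUCKET_LISTENER_ARN = "<My_Bucket_Listener_ARN>"
FILE_URLS = ["<My_File_URL_1>", "<My_File_URL_2>"]

def parse_file_url(file_url):
    """Return (bucket, key) for an s3://, virtual-hosted or path-style S3 URL.
    Percent-encoding in the path is decoded so the key is the real object key."""
    parts = urlparse(file_url)
    path = parts.path.lstrip("/")
    if parts.scheme == "s3":                      # s3://bucket/key
        bucket, key = parts.netloc, unquote(path)
    elif parts.netloc.startswith("s3."):          # https://s3.<region>.amazonaws.com/bucket/key
        bucket, _, key = path.partition("/")
        key = unquote(key)
    elif ".s3." in parts.netloc:                  # https://bucket.s3.<region>.amazonaws.com/key
        bucket, key = parts.netloc.split(".s3.", 1)[0], unquote(path)
    else:
        raise ValueError(f"not an S3 file URL: {file_url!r}")
    if not bucket or not key:
        raise ValueError(f"missing bucket or key in: {file_url!r}")
    return bucket, key

def build_event(bucket, key):
    """S3 event-notification-shaped payload. Assumption: bucketListener consumes the
    same shape S3 sends it, with the object key URL-encoded as S3 encodes it."""
    return {"Records": [{"eventSource": "aws:s3",
                         "s3": {"bucket": {"name": bucket},
                                "object": {"key": quote_plus(key, safe="/")}}}]}

def rescan_files(file_urls, listener_arn, lambda_client=None):
    """Invoke bucketListener once per URL. Returns {url: "queued" | "error: ..."}
    so one bad URL or failed invoke does not stop the rest of the list."""
    if lambda_client is None:
        import boto3                              # needs lambda:InvokeFunction
        lambda_client = boto3.client("lambda")
    results = {}
    for url in file_urls:
        try:
            bucket, key = parse_file_url(url)
            resp = lambda_client.invoke(FunctionName=listener_arn, InvocationType="Event",
                                        Payload=json.dumps(build_event(bucket, key)))
            code = resp.get("StatusCode")         # 202 = accepted for async run
            results[url] = "queued" if code == 202 else f"error: status {code}"
        except Exception as exc:                  # ValueError, botocore ClientError, ...
            results[url] = f"error: {exc}"
    return results
```

Call `rescan_files(FILE_URLS, BUCKET_LISTENER_ARN)` from a Lambda handler or a `__main__` block; the returned dict tells you which URLs were accepted and which need attention.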

More ways to find the files whose scan failed

Get the scan error file list from the scan logs

  1. In AWS, go to the CloudWatch service.
  2. On the left, under Logs, select Insights.
  3. In the main pane, select inside the Select log group(s) field, and type PostScanTagActionLambda into the search box.
  4. Select the File Storage Security log group. It looks similar to:

    /aws/lambda/FileStorageSec-PostScanTagActionLambda-2R3P1J2HTVPU

  5. Replace the contents of the text box with the following lines:

    fields @timestamp, @message
    | filter @message like "scanning_result"
    | filter scanner_status != "0"
    | display scanner_status, scanner_status_message, scanning_result.Error, file_url
    | limit 100

  • This query lists the URLs of all files that had a scan error in the "file_url" field, up to a maximum of 100.
  • You can customize the Python script above with the output file_url list to re-scan those files.

Subscribe to scan results from the SNS ScanResultTopic to get the scan error file list

  1. Follow the steps in Be notified of scan results through AWS SNS to receive scan error notifications from the SNS ScanResultTopic.
  2. Create a Lambda function that parses the scan result and triggers another scan for each file whose scan failed.

Handling "network errors"

This error means that the scanner could not access the file to scan. The SQS ScannerQueue can process up to 1000 events simultaneously. If hundreds of thousands of files are uploaded to a bucket at the same time, a scan message might stay queued for more than one hour. In that case the scanning process times out and raises this scan error.

Check if the scan request messages have been queued in SQS for more than one hour:

  1. Go to AWS Console > SQS and find the ScannerQueue. Its name contains -ScannerQueue-.
  2. Open the ScannerQueue > Monitoring tab and check whether Approximate Age of Oldest Message is increasing and is larger than one hour.

If the Approximate Age of Oldest Message is larger than one hour, we suggest that you distribute uploads across different buckets or folders, and deploy one dedicated set of a Scanner Stack and a Storage Stack for each bucket or folder. See AWS performance and scaling for more information.

This article doesn't cover every error generated by File Storage Security. If you are getting an error that isn't listed here, contact Trend Micro Support for help.