Healthcare Blocks uses the open source ClamAV antivirus engine for detecting trojans and malware.

Scans are performed daily by AWS Systems Manager. The State Manager page shows the latest status and history.

Scan results are published to a CloudWatch Logs group named /var/log/clamav. The log group is associated with a metric filter and an alarm that expects a successful scan every 24 hours. If this condition is not met, an alarm named clamav-scan-unsuccessful is triggered and an alert is sent to a Simple Notification Service (SNS) topic named malware-scan. You can subscribe to these alerts by selecting the topic and creating an "email" subscription to an external address. We recommend using an email alias or a Slack email-to-channel address so that the alerts are easily shared with your team.
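The alarm described above fires on the absence of a successful scan, so an interrupted or skipped run alerts just as a failed one would. The following is an added example, not Healthcare Blocks' own metric filter or alarm configuration, that replays that logic over constructed log events. It assumes a scan counts as successful once clamscan logs its scan summary; the function names, file paths and sample lines are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (timestamp, message) shaped like clamscan output.
# The last run is cut off before its summary, as an interrupted scan would be.
SAMPLE_EVENTS = [
    ("2024-05-01T03:00:05", "/srv/app/uploads/report.pdf: OK"),
    ("2024-05-01T03:04:10", "----------- SCAN SUMMARY -----------"),
    ("2024-05-01T03:04:10", "Scanned files: 1824"),
    ("2024-05-01T03:04:10", "Infected files: 0"),
    ("2024-05-02T03:00:07", "/srv/app/uploads/invoice.doc: Eicar-Signature FOUND"),
    ("2024-05-02T03:05:30", "----------- SCAN SUMMARY -----------"),
    ("2024-05-02T03:05:30", "Scanned files: 1830"),
    ("2024-05-02T03:05:30", "Infected files: 1"),
    ("2024-05-03T03:00:06", "/srv/app/uploads/report.pdf: OK"),
]

FOUND = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
INFECTED = re.compile(r"^Infected files: (?P<n>\d+)$")

def parse_scans(events):
    """Group log events into completed scans; a scan closes at its summary."""
    scans, findings, in_summary = [], [], False
    for ts, msg in events:
        msg = msg.strip()
        hit = FOUND.match(msg)
        if hit:
            findings.append((hit["path"], hit["sig"]))
        elif "SCAN SUMMARY" in msg:
            in_summary = True
        elif in_summary and (m := INFECTED.match(msg)):
            scans.append({"finished": datetime.fromisoformat(ts),
                          "infected": int(m["n"]), "findings": findings})
            findings, in_summary = [], False
    return scans

def alarm_state(scans, now, window=timedelta(hours=24)):
    """Return ALARM when no scan completed inside the window (assumed rule)."""
    recent = [s for s in scans if timedelta(0) <= now - s["finished"] <= window]
    return "OK" if recent else "ALARM"

if __name__ == "__main__":
    scans = parse_scans(SAMPLE_EVENTS)
    for s in scans:
        print(s["finished"], "infected:", s["infected"], s["findings"])
    print(alarm_state(scans, datetime(2024, 5, 3, 9, 0)))
```

Detections are reported separately from the heartbeat here: a completed scan that found an infected file still satisfies the 24-hour expectation under this assumption, so findings need their own review.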

The configuration of the ClamAV scan process is managed by an AWS Systems Manager Document named Run-clamscan.