Threat Visibility on your S3 Bucket with Valkyrie Verdict

One of the key benefits of Valkyrie Verdict is its ability to give a trusted verdict within 45 seconds on 92% of files (after automated analysis), and 4 hours on the remaining 8% (after human analysis). Our industry leading auto-analysis consists of several static and dynamic techniques, including state-of-the-art machine learning, precise detectors and dynamic behavior signatures.

Nevertheless, it is impossible to provide 100% threat visibility using automated techniques alone as many problems in malware analysis have been shown to be undecidable [1, 2]. Many of these results are based on the fact that precisely deciding whether a given program/input satisfies a certain post-condition, for an arbitrary post-condition, is undecidable. The proofs are based on two general techniques:

* Either they build a self-contradictory program assuming the existence of a decider for the given problem, similar to [3]

* They give a reduction from a well-known undecidable problem, such as the Halting Problem, similar to [4]

The 8% of unclassified files that require further testing are then analyzed by human experts who specialize in identifying complex and zero-day malware samples. Verdicts on these files are available to our users after 4-hours according to our SLA. Valkyrie customers can be confident that 100% of threats have been correctly identified after this 4 hour period. This isn’t some wild marketing claim - it is a scientific ‘100%’ built on the candid recognition that even the most advanced automatic tests available today cannot provide the correct verdict on all files. For those that remain, human analysis is absolutely essential. Users should always beware vendors that claim total protection based on automated mechanisms alone.

Customers who also use Comodo security solutions on their network are, of course, completely safe during this four-hour period. The 8% of unknown files will be isolated in a secure virtual container which cannot access other processes, system files or user data.

But what about the terabytes of data that is outside of your network – such as the files stored on Amazon S3 buckets? Amazon does not offer an out of the box file security solution that will ensure your files on the cloud are safe. Don’t worry, now you can use the AWS Lambda extension of Valkyrie Verdict to have 100% confidence that your S3 Bucket is safe from all threats.

How it Works

Lambda functions that are connecting the S3 Bucket to Valkyrie Verdict are triggered by S3 Event Notifications, when a new file is uploaded for example, or by periodic CloudWatch Events, that is user configurable. The functions will calculate the SHA1 hash of the files and query Valkyrie Verdict database.

  • If the SHA1 already exists on Valkyrie Verdict, then the trusted verdict tags are instantly added to the S3 Object without any need to upload the file or wait for any analysis.

  • If the file has not been analyzed by Valkyrie Verdict before, then it is uploaded and analyzed.

  • By using the S3 Bucket policies, the user can prevent download and execution of files that are tagged as Malware and PUA.

How to set up

Connecting S3 Bucket with Valkyrie Verdict and AWS Lambda

AWS Lambda lets running code without provisioning or managing servers. All you need to do is just uploading the ZIP archives required for connecting your S3 Bucket with Valkyrie Verdict and configure your S3 bucket in a couple of simple steps.

Object Created Function will be invoked every time a new file is uploaded to the S3 Bucket. For initial scanning of your existing files in your S3 Bucket and for synchronizing verdicts, a CloudWatch Event Function is triggered periodically and locally scans all the files without a verdict tags in your S3 Bucket.

Configuring your S3 Bucket

There are 6 simple configuration steps for connecting Valkyrie Verdict with your S3 Bucket.

  • The first step is to create the ObjectCreate event function calls from the AWS Lambda menu.

  • A custom role should be created to allow Valkyrie Verdict functions to read & write object tags and to log each activity. After creating the custom role, ObjectCreate event function shall be saved by selection the new role.

  • After saving the function, the triggers should be configured as selecting the ‘Object Created (All)’ event type and enabling the triggers by clicking the checkbox.

  • After saving the trigger, the latest version of the ZIP archives required for connecting your S3 Bucket with Valkyrie Verdict shall be uploaded.

    You can download latest Lambda handler:

    Verdict AWS S3 Scanner Latest Lambda

    Archive SHA-256: 750d20b191f53d9de13e9ec819078c7775cb665c1962305d6c5a838fe0f79710

  • After you uploaded the zip file you can set your Valkyrie Verdict API key by using environment variables. It is also possible to give control of file read permissions to Valkyrie Verdict. Once you update VV_CHANGE_PERMISSION environment variable as True, you could define for which verdict types Valkyrie Verdict shall allow file read (using VV_ALLOWED_VERDICTS). List one or more comma separated verdict types listed below for this environment variable:
    • CLEAN
    • PUA

  • The logs for all the activities of Valkyrie Verdict lambda functions can be reach from the AWS CloudWatch console.

  • [1] Ali A. Selçuk, Fatih Orhan, Berker Batur, "Undecidable Problems in Malware Analysis", 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017.

    Online version:

    [2] David Evans, "On the Impossibility of Virus Detection", 2017.

    Online version:

    [3] Fred Cohen, “Computer viruses: theory and experiments”, Computers and Security, 6(1):22-35, 1987

    [4] Fred Cohen, “Computational aspects of computer viruses”, Computers and Security, 8(4):325-344, 1989.