That’s absolutely a thing. It’s usually under the broader category of anti-malware. Why is the web server suddenly mining bitcoin?
Edit: Source: have been through a few SOC 2 audits, enough to understand why they ask for most of the things in there. My personal thoughts on the matter aside, modern audits spend a lot more time on other malware than viruses.
Seriously, that’s a legit plan. If you use GuardDuty, you can have it trigger EBS volume scans to look for malware if it sees strange behavior. I spun up an EC2 instance and ran an nmap port scan on another server and a bitcoin daemon. It caught both of those, triggered scans, and reported its findings.
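As an added example (not the commenter's code and not an AWS API), here is a small triage routine over constructed GuardDuty-style findings that groups them by instance and decides which ones warrant the EBS scan or isolation the comment describes; the finding-field subset, the family-to-response mapping and the severity threshold are all assumptions made for this illustration.

```python
from collections import defaultdict

# GuardDuty finding-type families (the prefix before the colon) mapped to the
# response an automation should take. The mapping itself is an assumption.
RESPONSE_BY_FAMILY = {
    "CryptoCurrency": "isolate_and_scan",  # instance talking to a mining pool
    "Execution": "isolate_and_scan",       # malware protection found a malicious file
    "Backdoor": "isolate_and_scan",
    "Recon": "scan",                       # port scanning from the instance
}
RANK = {"log_only": 0, "scan": 1, "isolate_and_scan": 2}

def family(finding_type):
    """'Recon:EC2/Portscan' -> 'Recon'."""
    return finding_type.split(":", 1)[0]

def triage(findings, min_severity=4.0):
    """Return {instance_id: (max_severity, response, [finding types])}.
    Findings below min_severity or outside the known families are logged only."""
    per_instance = defaultdict(lambda: [0.0, "log_only", []])
    for f in findings:
        instance = f.get("resource", {}).get("instanceDetails", {}).get("instanceId")
        if instance is None:
            continue
        entry = per_instance[instance]
        entry[2].append(f["type"])
        entry[0] = max(entry[0], f["severity"])
        if f["severity"] < min_severity:
            continue
        response = RESPONSE_BY_FAMILY.get(family(f["type"]), "log_only")
        if RANK[response] > RANK[entry[1]]:
            entry[1] = response  # escalate to the strongest response seen
    return {k: tuple(v) for k, v in per_instance.items()}

# Constructed sample findings: a field subset only, not real GuardDuty output.
SAMPLE_FINDINGS = [
    {"type": "Recon:EC2/Portscan", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example1"}}},
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example1"}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"instanceDetails": {"instanceId": "i-0example2"}}},
]

if __name__ == "__main__":
    for instance, (sev, response, types) in triage(SAMPLE_FINDINGS).items():
        print(f"{instance}: severity={sev} response={response} findings={types}")
```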
I’m heading down that road instead of running a traditional on-OS process.
The agents take more resources than the services on some of my machines, which is lunacy if you ask me, but we have to check those audit boxes and the security team isn’t very capable…err…creative.