
How Event-Based and Identity Scanning Redefine Compliance for Real-Time Cloud Storage Protection

By Bianca Bobirca, Product Marketing Manager

While employees, contractors, and automated workflows constantly send files to enterprise cloud storage, few files go through real-time security checks.

Scheduled scan policies may be in place, but they leave a malicious file sitting in an S3 bucket or SharePoint library for days or weeks before it is detected. During that time, it may already have been accessed, shared, or processed by downstream systems.

Aside from the threat potential, legacy scheduled scans can lead to compliance violations, as global information security frameworks like PCI DSS v4.0 require organizations to establish a scanning cadence based on a Targeted Risk Analysis (TRA), which is reviewed and updated when significant changes occur or at a defined periodic frequency.

For many security teams, that means a recurring full-bucket scan: every file, every folder, every 60 days. It's exhausting, expensive, and increasingly difficult to manage at petabyte scale.

There is a better way.

Event-based scanning, identity scanning, and flexible scan workflows in MetaDefender Storage Security™ let organizations maintain real-time protection, reduce redundant scanning, and produce the kind of per-user audit trail that auditors want to see.

Why Cloud Storage Requires More Than Scheduled Scans 

Scheduled full-bucket scans were designed for a world where cloud storage was a backup destination, not a primary collaboration surface. That world no longer exists. 

Today, a financial institution might have 50 million files in a single S3 bucket. A healthcare organization might have SharePoint Online serving as the document repository for thousands of clinicians.

A full malware scan across that entire estate every 30 or 60 days consumes significant compute time, generates enormous API traffic, and often completes after the threat has already moved laterally. 

Moreover, there's the structural problem: periodic scanning is a snapshot, not a full diagnosis. While it shows what was clean at a point in time, it can't tell you anything about files uploaded after the last scan completed. And by the time you run the next scan, it might be too late.

Realistically speaking, if scheduled scans consume too much computing power, provide an incomplete picture, and risk non-compliance, the logical next step is real-time protection for cloud storage. Combining event-based triggering with identity-aware scanning changes what compliance looks like in practice.

Protecting New Files with Event-Based Scanning via MetaDefender Storage Security

MetaDefender Storage Security performs event-based scanning, shifting the detection model from "check everything on a schedule" to "scan immediately when something changes." Rather than polling a bucket at fixed intervals, its RTP (Real Time Processing) capability listens for file events directly from the cloud platform and processes new or modified files as they arrive. 

For Amazon S3, event-based scanning is implemented through AWS EventBridge. When a file is uploaded to a monitored bucket, EventBridge pushes a notification to MetaDefender Storage Security's webhook, which triggers scanning immediately, without the latency of a polling loop. This push-based model makes fewer API requests than polling, which reduces both response time and operating cost at scale. 

For Azure Blob Storage, MetaDefender Storage Security introduced automatic container discovery; when you connect a storage account, the platform discovers all containers automatically, applying consistent RTP policy without manual configuration. Similar event-driven handling is available across the supported storage connector library, including SharePoint Online, Microsoft Teams, NetApp, Box, and others. 

In practice: 

  • A file uploaded by a compromised user at 2:47 AM is scanned and, if malicious, quarantined before it can be accessed or shared 
  • New uploads from external partners land in a clean state before any internal process touches them 
  • The gap between file arrival and security verdict is measured in seconds, not hours or days 

From the compliance standpoint, event-based scanning creates a continuous, timestamped record of every file evaluated in real time. That record is available in scan reports, is filterable by storage unit and date range, and directly supports audit inquiries. 

Identity Scanning: Scan Files Based on User Activity, Risk, and Priority

One of the most operationally significant capabilities in MetaDefender Storage Security is identity scanning, the ability to associate scan results with the specific user identity that uploaded or modified a file. 

This changes the compliance conversation from "we scanned the bucket" to "we know which user uploaded every file that triggered a detection, when it happened, and what action was taken." 

How Identity Scanning Reduces Redundant Scanning 

Consider the traditional approach: schedule a full-bucket scan, scan every file regardless of when it was last scanned or who uploaded it, generate a report showing everything was checked. This is resource-intensive, slow, and doesn't distinguish between a file that has been clean and unchanged for 18 months and a file uploaded yesterday by an account that was compromised last week. 

Identity scanning enables a smarter approach: 

  • Files from known, trusted users or service accounts that were scanned during the previous cycle can be treated with higher confidence.
  • New files, or files modified by high-risk identities (external accounts, contractor credentials, recently flagged users, and so on), can be prioritized or rescanned immediately.
  • Audit reports can show, per user identity, which files were scanned, when, and with what result, a format that maps directly to what PCI DSS auditors and ISO 27001 assessors look for.

The result is a compliance posture that is both stronger and more efficient. Instead of scanning the same static files repeatedly, you are responding to context-aware events: what was changed, and by whom. 
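To make the event-based trigger described earlier and the identity-aware prioritization above concrete, here is an added example, not code from OPSWAT or MetaDefender Storage Security: a triage function that takes an EventBridge-style S3 "Object Created" notification, the uploader identity, and the last known scan state, and decides whether the object is redundant, needs a normal scan, or needs an immediate high-priority rescan, while emitting the per-user audit fields. The event payload, scan history and identity risk tiers are constructed; the uploader identity is assumed to be joined in from a separate source, since the S3 EventBridge event itself does not carry it.

```python
"""Illustrative triage for an event-driven, identity-aware storage scan."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed EventBridge-style "Object Created" notification for S3. The real
# event does not name the uploader, so the identity is passed in separately
# (assumption: it is joined from an access-log or audit source).
SAMPLE_EVENT = {
    "detail-type": "Object Created",
    "time": "2025-01-15T02:47:12Z",
    "detail": {
        "bucket": {"name": "finance-uploads"},
        "object": {"key": "q1/invoice.pdf", "etag": "a1b2c3"},
    },
}


@dataclass
class ScanState:
    # (bucket, key) -> (etag, verdict) recorded at the last completed scan
    history: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)
    # uploader identity -> "trusted" | "high"; unlisted identities are "unknown"
    identity_risk: Dict[str, str] = field(default_factory=dict)


def triage(event: dict, uploader: str, state: ScanState) -> dict:
    """Decide whether to scan now, at what priority, and emit per-user audit fields."""
    if event.get("detail-type") != "Object Created":
        return {"action": "ignore", "priority": None,
                "reason": "not an object-created event", "audit": None}
    d = event["detail"]
    bucket, key, etag = d["bucket"]["name"], d["object"]["key"], d["object"]["etag"]
    risk = state.identity_risk.get(uploader, "unknown")
    prev = state.history.get((bucket, key))
    unchanged_clean = prev is not None and prev == (etag, "clean")
    if risk == "high":
        # Compromised or external identities are rescanned regardless of history.
        action, priority, reason = "scan", "high", "high-risk identity"
    elif unchanged_clean and risk == "trusted":
        # Same bytes, clean verdict, trusted uploader: redundant, skip it.
        action, priority, reason = "skip", None, "unchanged clean object from trusted identity"
    else:
        action, priority, reason = "scan", "normal", "new or modified object"
    audit = {"user": uploader, "bucket": bucket, "key": key,
             "etag": etag, "event_time": event["time"], "risk": risk}
    return {"action": action, "priority": priority, "reason": reason, "audit": audit}
```

The returned `audit` dictionary is the per-identity record the section describes; in a real pipeline it would be persisted alongside the scan verdict so reports can be filtered by user, storage unit and date range.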

On-Demand, Scheduled, and RTP Workflows: Choosing the Right Approach for Each Scenario 

MetaDefender Storage Security supports three scanning modes, and effective compliance programs typically use all three in combination.

Real-Time Processing Provides Continuous Protection for Active Storage 

Real-Time Processing is the primary mechanism for catching threats as they arrive. It is event-driven, always-on for monitored storage units, and designed to handle the volume and velocity of modern cloud file workflows. 

Since the MetaDefender Storage Security 4.4.1 update, administrators can use the new “Pick files modified since” date picker in the RTP scan model to include files that predate the current RTP configuration. This improves compliance coverage for previously uploaded files, such as OneDrive files that retain their original LastModified date instead of the upload timestamp.

For 60-day compliance cycles, this means you can target files modified within the last 60 days explicitly, without triggering a full-bucket scan from the beginning of storage history. 

Scheduled Scanning to Match Your Audit Timeline

For periodic compliance requirements (PCI DSS, HIPAA, SOC 2, internal audit cycles), MetaDefender Storage Security supports flexible scan scheduling, configurable down to the minute as of version 4.3.0. This allows security teams to define precise scan windows that align with audit periods, run outside business hours to minimize impact, and generate timestamped reports that correspond directly to the compliance period under review. 

Scheduled scans can be configured efficiently. Rather than rescanning an entire petabyte-scale storage estate, the scan can be targeted to specific buckets, containers, document libraries, or folders, and with identity scanning enabled, to files associated with specific users or roles. 

On-Demand Scanning for Targeted Remediation and Incident Response 

On-demand scanning is used for specific scenarios: a security incident has been identified and the team needs to immediately assess a specific storage unit, a compliance audit is imminent and a particular bucket was not covered in the last scheduled run, or a new storage integration was just connected and needs an initial full assessment. 

MetaDefender Storage Security added Reprocess Failed Files, which allows administrators to create new scans covering only files that previously failed, avoiding the overhead of a full rescan while closing specific coverage gaps. Running scans can also be stopped directly from the Report tab, without navigating elsewhere in the interface. 

Auto-Discovery and IAM Role Integration to Eliminate Manual Configuration Gaps 

One of the most common compliance risks in cloud storage environments is unmonitored storage. Examples include a bucket or container that was never connected to a security tool, a new storage unit provisioned outside normal IT processes, an auto-generated container from a third-party integration. 

MetaDefender Storage Security addresses this with automatic discovery across multiple cloud providers: 

  • Azure Blob Storage: Connect a storage account and all containers are discovered and added to the scanning policy automatically; no manual intervention required 
  • SharePoint Online: Connect your tenant and all sites are discovered automatically upon connection 
  • Alibaba Cloud (RAM, Resource Access Management, Role authentication) and AWS S3 (IAM, Identity and Access Management, Role authentication): MetaDefender Storage Security authenticates using short-lived, least-privilege credentials rather than static access keys, reducing credential exposure risk and simplifying credential rotation

For organizations operating under PCI DSS Requirement 12.3.1 (risk-based analysis of security controls frequency) or ISO 27001 Annex A controls for cloud environments, auto-discovery directly reduces the risk of coverage gaps that would otherwise go undetected until an audit or an incident. 

The Terraform script auto-generation for AWS EventBridge configuration, available from the MetaDefender Storage Security web interface, means that even the initial setup of event-based handling requires minimal permissions and no custom scripting by the security team. 

MetaDefender Storage Security: Purpose-Built for Cloud Storage Protection 

MetaDefender Storage Security is OPSWAT's solution for detecting and preventing file-based threats across on-premises, cloud, and hybrid storage environments. It applies multiple prevention technologies in sequence to each file it processes: 

  • Metascan Multiscanning applies dozens of anti-malware engines simultaneously, increasing detection rates for known and unknown threats without relying on a single vendor's signatures 
  • Deep CDR™ Technology rebuilds files into a safe, functionally equivalent version by removing potentially malicious active content, which is effective against threats that evade signature-based detection 
  • Proactive DLP™ inspects files for sensitive data (payment card numbers, PII (Personally Identifiable Information), health records) and redacts it before the files are stored, supporting both data security and compliance obligations 
  • Adaptive Sandbox provides behavioral analysis for suspicious files that require deeper inspection 

All this runs across a broad connector library that includes Amazon S3, Azure Blob Storage, SharePoint Online, Microsoft Teams, OneDrive, Google Cloud Storage, NetApp, Dell EMC Isilon, Box, Scality RING, and others, with more integrations added in each release.

For compliance-focused teams, MetaDefender Storage Security delivers centralized scan reporting, per-user identity attribution, timestamped audit logs, and configurable remediation actions (allow, block, delete, move, sanitize), all of which map to the documentation requirements of PCI DSS v4.0.1, HIPAA, ISO 27001, and SOC 2.

The platform is available as an on-premises deployment or as MetaDefender Storage Security Cloud. The latter added multitenancy support for organizations managing multiple business units or customer environments within a single deployment. 

From Reactive Scanning to Proactive Cloud Storage Security 

Compliance demands have become more rigid: auditors are no longer satisfied with evidence that you ran a scan. They want to see continuous coverage, identity attribution, and a clear policy for how new files are handled the moment they enter your environment.

  • Event-based scanning answers the question of cadence and timing.
  • Identity scanning answers the question of accountability.
  • Flexible scheduled and on-demand workflows answer the question of periodic compliance documentation.
  • Auto-discovery answers the question of coverage.

MetaDefender Storage Security brings these capabilities together in a platform designed specifically for the scale, complexity, and compliance obligations of enterprise cloud storage environments.  

Whether your priority is catching a threat in real time, satisfying a 60-day audit window, or proving that every file a specific user placed in a regulated bucket was scanned, the platform supports it.
