Literally do. Why don't you try to set up a server, and send Xor'd malware packages to it. Have your server decrypt it, then tell me if your instance is accessible.

Do you know what hash digests are? It doesn't "know" what the data is. It compares the data to a hash digest of know malware. { If (4D616C77617265{data scanned}==4D616C77617265 then (kill service) } This is not secret information.

GuardDuty malware detection scan engine - Amazon GuardDuty

Learn about Amazon GuardDuty malware detection methodology and which scan engines does it use.

" Signature-based detection not only includes matching of bytes but also a snippet of code that is potentially complex, and the scanner can parse content and make decisions." "With no restriction on the file formats that GuardDuty scans for malware, the scan engines that it uses can detect different types of malware, such as cryptominers, ransomware, and webshells." Any other bullshit you want to spout there, Genius?