VMRay Analyzer

For Total Visibility and Defense Against Evasive Malware


In the battle against malware, behavior-based analysis is one of the keys for security teams to detect and mitigate advanced threats. In the controlled environment of a network sandbox, suspect files are detonated and monitored to determine whether they're harmful and should be blocked.
Established sandbox solutions have shortcomings that undermine detection and analysis. Some signal their presence, triggering evasion by the malware. Other solutions struggle to scale, or generate needlessly large quantities of data, reducing the speed and accuracy of analysis.

THE POWER OF AN AGENTLESS APPROACH

VMRay Analyzer overcomes these weaknesses with a revolutionary departure from prior methods. Using an agentless, hypervisor-based approach to monitoring, combined with a built-in rapid reputation engine, VMRay Analyzer delivers four traits critical for SOC Analysts and CERTs:

STEALTH

VMRay Analyzer defeats advanced malware evasion techniques

SPEED

Bare-metal performance powers rapid threat detection at scale

VISIBILITY

Comprehensive dynamic malware analysis enables full insight into malware behavior

DEFENSE

Actionable intelligence for even the most evasive malware

With VMRay Analyzer, digital forensics and incident response (DFIR) specialists can quickly determine whether files are malicious and whether remedial action needs to be taken. With flexible alerting for SIEM and out-of-the-box connectors for top security platforms, VMRay Analyzer integrates easily into an automated solution for enterprises, solution providers, and OEMs.

KEY BENEFITS:

  • Rapid threat detection at scale, with the industry’s most comprehensive dynamic threat analysis
  • Agentless, hypervisor-based: resistant to detection and evasion by malware
  • Reputation engine with severity classification provides fast, automated, actionable intelligence
  • Bare-metal performance by leveraging CPU hardware virtualization extensions
  • Monitors all relevant activity with total visibility into low-level control flow
  • Flexible results formats for forensic specialists, IR teams and managers
  • Seamless integration with 3rd party security platforms
  • Deployed by leading enterprises, security solution providers and OEMs

WHY THE HYPERVISOR?

VMRay brings an agentless approach to dynamic malware analysis. Embedded in the hypervisor, VMRay Analyzer monitors and analyzes malware behavior from that vantage point. Because VMs in the sandbox aren’t instrumented, threats execute as they would in the wild, and the analysis is invisible, even to evasive malware strains.

REAL-TIME, HIGH-VOLUME DETECTION OF KNOWN FILES

VMRay’s reputation engine leverages the industry’s most comprehensive source of reputation data on files. It detects known goodware and malware in milliseconds and returns a status — without executing the files.

COMPREHENSIVE NETWORK COMMUNICATION ANALYSIS

VMRay captures and analyzes all network communication, looking for malicious intent. It maps out the domains and IP addresses accessed by the malware and the protocols used. PCAP files can be opened in a tool like Wireshark for deep packet inspection and analysis. VMRay can run analyses against multiple environments: the combinations of operating system, applications and localization that are of most concern to the IR team.
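The kind of mapping described above (destination IPs, transport protocols and DNS query names pulled out of a sandbox PCAP) can be reproduced offline on the exported capture. The following is an added example written for this page, not VMRay's own code or output format: it builds a small constructed pcap in memory (one DNS A query for the made-up name evil.example and one TCP SYN to the documentation address 203.0.113.5) and then parses it with the standard library only. Real captures would be read from the PCAP file the analyzer exports instead of build_sample_pcap().

```python
"""Summarize a sandbox PCAP: destination IPs, transport protocols and DNS query names.
Added example, not VMRay code. The pcap is constructed in memory (two packets)."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic (non-nanosecond) pcap, host byte order written little-endian
LINKTYPE_ETHERNET = 1


def _dns_query(qname: str, txid: int = 0x1234) -> bytes:
    # DNS header (12 bytes, QDCOUNT=1, RD set) + QNAME labels + QTYPE A + QCLASS IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def _ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # IHL=5 (no options); header checksum left at zero since the parser does not validate it
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack(">HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp_syn(sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP header: data offset 5, SYN flag, no payload
    return struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_sample_pcap() -> bytes:
    """Constructed sample: a DNS A query for evil.example and a TCP SYN to 203.0.113.5:443."""
    def eth(payload: bytes) -> bytes:
        return b"\x00" * 12 + struct.pack(">H", 0x0800) + payload   # MACs zeroed, EtherType IPv4
    frames = [
        eth(_ipv4_packet("10.0.0.2", "10.0.0.1", 17, _udp(51000, 53, _dns_query("evil.example")))),
        eth(_ipv4_packet("10.0.0.2", "203.0.113.5", 6, _tcp_syn(51001, 443))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield raw link-layer frames from a classic little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap format or link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _parse_dns_qname(payload: bytes):
    """Return the first QNAME of a DNS message, or None if it has no plain question."""
    if len(payload) < 12 or struct.unpack_from(">H", payload, 4)[0] < 1:   # QDCOUNT
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels) if labels else None
        if n & 0xC0:           # compression pointer: not expected in a client question, bail out
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def summarize(pcap: bytes) -> dict:
    """Map destination IPs, transport protocols and DNS query names seen in the capture."""
    dst_ips, protocols, domains = Counter(), Counter(), set()
    for frame in parse_pcap(pcap):
        if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != 0x0800:
            continue                                   # not IPv4: out of scope for this example
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        dst_ips[socket.inet_ntoa(ip[16:20])] += 1
        l4 = ip[ihl:]
        if proto == 17 and len(l4) >= 8:
            protocols["udp"] += 1
            if struct.unpack_from(">H", l4, 2)[0] == 53:          # destination port 53
                qname = _parse_dns_qname(l4[8:])
                if qname:
                    domains.add(qname)
        elif proto == 6 and len(l4) >= 20:
            protocols["tcp"] += 1
        else:
            protocols[f"ip-proto-{proto}"] += 1
    return {"dst_ips": dict(dst_ips), "protocols": dict(protocols), "domains": sorted(domains)}


if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

The parser deliberately ignores checksums and non-IPv4 frames; for a real export you would typically also want IPv6, TCP port/SNI extraction and DNS responses, which Wireshark already gives you interactively. The point here is the shape of the result: a per-destination count, a protocol breakdown and the set of queried names, which is what gets fed into blocklists or a SIEM lookup.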

ACTIONABLE MALICIOUS BEHAVIOR SCORING

Using threat identifier rules, the system generates a severity score and delivers actionable intelligence to relevant tools: SIEM, EPP, NGFW and others. These tools can automatically block, allow, report, alert, quarantine or remediate.

EVASION RESISTANCE

  • Immune to advanced evasion techniques
  • Survives system reboot and monitors autostart operations


CUSTOMIZABLE YET AUTOMATED

  • Built-in YARA ruleset can be customized and extended
  • Supports custom pre-analysis scripts to tailor the environment for each analysis
  • Manual interaction with malware using VNC


SEAMLESS INTEGRATION

  • Out-of-the-box support for third-party platforms: Carbon Black, Splunk, ThreatConnect, Ayehu, VirusTotal, MISP, Phantom, and Cisco CloudLock
  • Flexible REST/JSON API provides seamless integration into other products

EXTENSIVE COVERAGE

  • Broad coverage of user- and kernel-level malware types
  • Complete visibility into low-level control flow
  • Detailed behavioral analysis and network semantics

EASY DEPLOYMENT AND USE

  • Offered as a cloud service or on premises
  • Access to all functionality via a user-friendly Web interface or REST APIs

FLEXIBLE RESULT FORMATS

  • High-level, summary reports for non-security experts and managers
  • Fine-grained, function-level logs with all input and output parameters
  • Output formats for automated processing or manual review: HTML, XML, CybOX/STIX, JSON and text files