VMRay Analyzer 3.2: Email Security, Front & Center. Automated Analysis & Detection Under the Hood

What’s New in VMRay Analyzer 3.2?

Dec 3rd, 2019

In VMRay’s first major product release since completing our Series B funding, we’ve introduced significant enhancements to VMRay Analyzer Version 3.2, our flagship platform for automated malware analysis and detection.

Among the key capabilities announced, Version 3.2 expands and automates email analysis while complementing email protections already in place in most organizations. The new release:

  1. Provides streamlined and flexible ways to submit email samples for analysis, both manually, via IR Mailbox, and automatically by leveraging our REST API.
  2. Strengthens protection against phishing attacks with new capabilities for detecting credential-harvesting websites.
  3. Adds VMRay Email Threat Defender (ETD) Version 1.1 to our offerings, featuring a web-based ETD Manager.

Beyond these email-specific capabilities, Version 3.2 also:

  1. Supports the automation of other high-volume use cases, such as integration with complementary security solutions, monitoring web traffic, and validating SOC alerts.
  2. Further strengthens our industry-best dynamic analysis, offering new capabilities for macOS support, expanded anti-evasion features, and advanced features for expert DFIR analysts.
  3. Adds numerous features that improve the user experience.

All these capabilities, highlighted below, reinforce VMRay’s position as a leader in advanced, automated threat detection.

Putting Email Security Front and Center

With the simultaneous release of VMRay Analyzer Version 3.2 and VMRay Email Threat Defender (ETD) Version 1.1, we’ve put email security front and center. For starters, we enhanced all three options that VMRay offers for submitting email samples for analysis.

  • Suspect emails can now be submitted directly to VMRay Analyzer in either .EML or .MSG native file formats, enabling analysts to submit emails in the same way as Word documents or PDF files. .EML/.MSG samples can also be submitted automatically by other security tools that have been integrated with VMRay Analyzer, via our REST API.
  • We enhanced the IR Mailbox feature, which lets enterprise email users and security team members submit suspicious emails to VMRay directly from Outlook using our plug-in or by forwarding the email sample to a centralized mailbox address. Links embedded in emails are detonated during analysis, as are attachments. We also made it easier for cloud customers to configure the mailbox, and we added a built-in IR mailbox for on-premises deployments.

Setting-Up IR Mailbox - VMRay Analyzer 3.2

Figure 1: Configuring the IR Mailbox is now much easier for cloud deployments.

  • Building on an initial release earlier this year, VMRay Email Threat Defender (ETD) Version 1.1 is now available and includes an ETD Manager component with an intuitive web interface. The ETD Manager allows centralized management of multiple sensors in different locations. Version 1.1 also provides cloud support to complement existing on-premises support.

ETD Management Console - VMRay Analyzer 3.2

Figure 2: VMRay Email Threat Defender features a management console with an intuitive ‘Outlook-like’ UI.

To strengthen protections against targeted phishing attacks, VMRay Analyzer incorporates new capabilities for detecting credential-harvesting websites, which closely mimic legitimate sites. In a future post, we’ll provide details on these improvements, including more sophisticated detection mechanisms and new VMRay Threat Identifiers (VTIs).

As a result of all these enhancements, VMRay complements existing email security controls right out of the box, with the entire analysis happening automatically in the background. Regardless of the submission method, all email samples are subjected to the same fast, accurate, and noise-free analysis process that is the hallmark of VMRay Analyzer and our Now Near Deep architecture.

Automated Archive Analysis - VMRay Analyzer 3.2

Figure 3: v3.2 automates the analysis of nested archives, a common obfuscation method.

Under the Hood, Using VMRay for High-Volume Analysis & Detection

With this new release, we’ve made big strides towards a top goal: empowering organizations to automate diverse use cases for high-volume analysis and detection. Examples include integration with complementary security solutions such as EDR and SOAR, monitoring web traffic using the VMRay ICAP connector, validating SOC alerts, and continuously scanning shared folders.

As part of the v3.2 release, we introduced the following:

  1. Easy API Setup: To enable new use cases and better control of how integrations work, version 3.2 gives organizations more flexibility in defining how a given API key will be used. These settings include the ability to pre-filter known malicious or benign samples, limit the number of dynamic analyses per sample, and limit the number of samples that can be submitted recursively. Together, these features help to achieve the right balance between performance and analysis depth.
  2. Enhanced pre-filtering of benign documents: We implemented major improvements to Office and PDF static analysis, which improves the pre-filtering rate of known benign samples.
  3. Automated archive analysis: When a submitted sample is an archive, Version 3.2 maintains the relationship between the archive itself and the files inside it. In turn, analysts can get a verdict for the archive without examining its content, and they can more easily analyze a nested archive (e.g., a PDF inside a Zip inside a Zip), a common obfuscation technique.
  4. IOC Scoring: Another key use case for high-volume analysis is using VMRay’s dynamic engine for generating IOCs. To better address the automated ingestion of IOCs into third-party platforms, this release includes a severity attribute for IOCs based on reputation, local AV, and YARA matches.
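As an added illustration (not VMRay’s code) of the nested-archive handling described in item 3: a recursive walk that keeps the parent-child relationship between an archive and its members, lets the outer archive inherit the worst verdict found inside, and caps nesting depth and member size so that decoy or oversized archives do not exhaust the analyzer. The leaf verdict function, its `/JavaScript` marker, and the sample files are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

MAX_DEPTH = 5                        # stop unpacking past this nesting level
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members
SEVERITY = {"clean": 0, "suspicious": 1, "malicious": 2}

@dataclass
class Node:
    name: str
    verdict: str = "clean"
    children: list = field(default_factory=list)  # members, if this node is an archive

def classify_leaf(name: str, data: bytes) -> str:
    # Hypothetical stand-in for an engine verdict: a PDF with the constructed /JavaScript marker.
    if name.lower().endswith(".pdf") and b"/JavaScript" in data:
        return "suspicious"
    return "clean"

def analyze(name: str, data: bytes, depth: int = 0) -> Node:
    node = Node(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        node.verdict = classify_leaf(name, data)
        return node
    if depth >= MAX_DEPTH:               # excessive nesting is itself a signal
        node.verdict = "suspicious"
        return node
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                node.children.append(Node(info.filename, "suspicious"))
            else:
                node.children.append(analyze(info.filename, zf.read(info), depth + 1))
    # The archive inherits the worst verdict found anywhere inside it.
    node.verdict = max((c.verdict for c in node.children), key=SEVERITY.get, default="clean")
    return node

def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed sample: invoice.pdf inside inner.zip inside outer.zip.
PDF = b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript >> >> endobj\n"
SAMPLE = make_zip({"inner.zip": make_zip({"invoice.pdf": PDF}), "readme.txt": b"hello"})
```

Running `analyze("outer.zip", SAMPLE)` returns a tree whose root verdict is "suspicious" because of the PDF two levels down, while readme.txt stays "clean".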

Always Raising the Bar for DFIR

We continue to enhance our industry-best sandbox for dynamic malware analysis, which is the bedrock of VMRay’s solution portfolio and the tool of choice for top malware analysts and DFIR teams.

  1. In response to enthusiastic customer feedback on macOS support, which we introduced in Version 3.0, we are continuing to add new capabilities. New macOS dynamic engine features include DMG file support and memory dumping.
  2. We have also expanded anti-evasion features and added new VTIs for both the Windows and macOS engines.
  3. Among the enhancements specifically designed for advanced users is the ability to extract strings from function calls during dynamic analysis, enabling users to create powerful detection rules. These strings may contain valuable forensic information in the C2 callback that would otherwise be obfuscated and lost.

Harvesting Strings - VMRay Analyzer 3.2

Figure 4: Extract strings from function calls during dynamic analysis.

Enhancing the User Experience

Alongside all these advances, other new features improve the VMRay user experience, already known for being streamlined and intuitive.

  1. New ‘Quick Filters’ in the submission table allow analysts to efficiently navigate, search and filter through a mass of file submissions based on diverse criteria: sample type, severity score, job status, interface type, and more.
  2. In organizations with multiple users, a new dashboard feature allows team members to toggle back and forth between an All Submissions tab and a My Submissions tab.
  3. Account managers can also configure user accounts in Isolated Mode to ensure individuals only see their own submissions and no one else’s.

Quick Filters - VMRay Analyzer 3.2

Figure 5: “Quick Filters” let analysts flexibly filter submitted samples using diverse criteria.

Submissions Tab - VMRay Analyzer 3.2

Figure 6: Authorized users can toggle between a view of All Submissions and My Submissions, which only displays the individual’s own submissions.

Don’t take our word for it. Get hands-on to check out VMRay Analyzer Version 3.2 for yourself. Click here to get started.