Blog

VMRay Analyzer V 2.0: Introducing the Reputation Engine

VMRay Analyzer V 2.0 will be released this week and we’ll be presenting it at the RSA Conference next week. If you are attending, contact us for a demo. The latest release has many new features, including a built-in reputation engine that identifies known malicious or known benign files in milliseconds, support for the analysis of new sample types such as Microsoft Access, Visio, Project and Publisher files, a new severity status label for threat classification, redesigned dashboards, a simpler way to create database backups and several improvements to the VMRay Analyzer engine.

Here’s an overview of the new features:

Built-In Reputation Engine

The new VMRay reputation engine contains a database of known malicious and known benign file hashes that can be queried before an analysis is started. Identifying a file as known good or known bad from its hash (a reputation lookup) takes milliseconds, so a large volume of submissions can be dispositioned quickly and sandbox time can be reserved for files that are not already known. The reputation engine can be configured to operate in any of the following modes:

  • Triage mode: A reputation lookup is performed first. If the file is known good or known bad, no analysis is performed; only files with no reputation entry are sent to the sandbox.
  • Auxiliary mode: A reputation lookup is performed, but the file is always analyzed, irrespective of the lookup result.
  • Exclusive mode: Only a reputation lookup is performed. The file is never analyzed.
Figure 1: Built-in reputation engine options
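The three modes amount to a small decision rule placed in front of the sandbox. The following is an added example written for this post, not VMRay's own code or API: it hashes a submission with SHA-256, looks the digest up in constructed known-bad and known-good sets, and decides whether the sample should still be analyzed. The hash sets, sample bytes and the names `ReputationEngine`, `submit`, `Mode` and `Reputation` are all assumptions made for illustration. It also shows the caveat a practitioner should keep in mind with triage mode: a one-byte variant of a known-bad file has a different hash, falls through the lookup as unknown, and therefore still needs a full analysis.

```python
"""Hash-reputation triage in front of a sandbox, modelled on the three lookup
modes described above. Example code written for this post, not VMRay's engine:
the hash sets, sample bytes and names below are constructed for illustration."""
import hashlib
from enum import Enum


class Mode(Enum):
    TRIAGE = "triage"        # lookup first; analyze only if the hash is unknown
    AUXILIARY = "auxiliary"  # lookup, then always analyze
    EXCLUSIVE = "exclusive"  # lookup only; never analyze


class Reputation(Enum):
    KNOWN_BAD = "known_bad"
    KNOWN_GOOD = "known_good"
    UNKNOWN = "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReputationEngine:
    """In-memory stand-in for a reputation database keyed by SHA-256 (assumed)."""

    def __init__(self, known_bad, known_good):
        self.known_bad = {h.lower() for h in known_bad}
        self.known_good = {h.lower() for h in known_good}
        # A hash listed on both sides is a data-quality problem, not a verdict;
        # refuse to load such a database rather than silently picking a side.
        conflict = self.known_bad & self.known_good
        if conflict:
            raise ValueError(f"hash(es) present in both lists: {sorted(conflict)}")

    def lookup(self, digest: str) -> Reputation:
        digest = digest.lower()
        if digest in self.known_bad:
            return Reputation.KNOWN_BAD
        if digest in self.known_good:
            return Reputation.KNOWN_GOOD
        return Reputation.UNKNOWN


def submit(sample: bytes, engine: ReputationEngine, mode: Mode) -> dict:
    """Run the reputation lookup and apply the mode's rule for running the sandbox."""
    digest = sha256_hex(sample)
    reputation = engine.lookup(digest)
    if mode is Mode.TRIAGE:
        analyze = reputation is Reputation.UNKNOWN
    elif mode is Mode.AUXILIARY:
        analyze = True
    else:  # Mode.EXCLUSIVE
        analyze = False
    return {"sha256": digest, "reputation": reputation, "analyze": analyze}


# Constructed samples: a "malicious" file, a one-byte variant of it, and a benign file.
BAD_SAMPLE = b"MZ\x90\x00constructed malicious sample"
BAD_VARIANT = BAD_SAMPLE + b"\x00"  # same content plus one byte: the hash no longer matches
GOOD_SAMPLE = b"MZ\x90\x00constructed benign sample"

ENGINE = ReputationEngine(
    known_bad={sha256_hex(BAD_SAMPLE)},
    known_good={sha256_hex(GOOD_SAMPLE)},
)

if __name__ == "__main__":
    for mode in Mode:
        for name, sample in (("bad", BAD_SAMPLE), ("variant", BAD_VARIANT), ("good", GOOD_SAMPLE)):
            r = submit(sample, ENGINE, mode)
            print(f"{mode.value:9} {name:8} {r['reputation'].value:10} analyze={r['analyze']}")
```

In triage mode the known-bad and known-good samples are dispositioned without a sandbox run, while the variant is reported as unknown and analyzed. Exact-hash reputation is fast precisely because it is exact; it should be read as "we have seen this byte-for-byte file before", not as a judgement about the file family.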

Analysis of new sample types: Microsoft Access, Visio, Project and Publisher files

We have started to see malware authors embed VBA macros in unconventional file types to attack hosts. In response to this trend, VMRay Analyzer V 2.0 supports the analysis of Microsoft Access, Publisher, Project and Visio files.

Figure 2: Support for Analysis of Microsoft Access, Visio, Project and Publisher files

New severity status label for threat classification

The new severity status combines the reputation lookup result, the analysis result (VTI score) and, if enabled, the VirusTotal and Metadefender results. It is displayed in the UI and is also returned by the VMRay Analyzer API. There are six new severity status labels (see below) that classify a file after it has been analyzed.

Severity status types displayed in the new UI

More details related to the interpretation of the severity status are included in the online documentation.

Redesigned Dashboards

We have redesigned the user dashboard to incorporate the new severity status and the additional functionality introduced by the reputation engine. The cleaner dashboard now displays file name, file type, analysis status and a color-coded severity status. The V 2.0 user dashboard also shows daily quota usage.

Figure 3: Redesigned user dashboard

Database Backups from the UI

V 2.0 allows users to create backups from the web interface and to choose which components to include. Components include the SQL database on the VMRay server machine, sample files, prescript files, all analysis files, hook files and the relevant settings files.

  • Backups can be created manually or automatically at pre-defined time intervals.
  • Backups can be created while the server is in operation, i.e. without interrupting the server.

VMRay Analyzer Engine Improvements

In V 2.0, several improvements have also been made to the core VMRay Analyzer engine. These include:

  • Improved script analysis and new VTI rules for better scoring of suspicious files.
  • Addition of new anti-evasion features to thwart the latest malware evasion techniques.

Additional Improvements in V 2.0

  • Added new configuration features in the UI:
    • Delete database feature for administrators
    • Factory reset feature for administrators
    • Restart VMRay server feature for administrators
    • Users can delete their own submissions
    • Users can create and download a support package for diagnostics
    • Configurable ‘Automatic cleanup’ feature for automatic deletion of old analyses
  • Improved document interaction for PowerPoint files in the analysis VM
  • Improved YARA support
  • Improved process graphs in analysis reports

For the full list of changes and fixes, customers can consult the changelog in the online documentation.

*Note: The analysis of Microsoft Project and Visio files is only supported in the on-premises version of VMRay Analyzer.

Follow us on Twitter @VMRay to get updates on future blog posts like this.