Explained: VMRay Verdict System

Oct 08th 2020

When users submit a file or URL to VMRay for analysis, they are usually most interested in answering the question “Is this malware? Yes or no.”

Prior to our 4.0 release, the VMRay Platform answered this question with a severity score (the VTI Score, explained here). With the 4.0 release, the answer has been simplified: the VMRay Platform no longer uses a numerical score to indicate potential maliciousness. Instead, the system renders a "Verdict" in place of the severity score.

In the new verdict system, submitted files and URLs will now be judged either as:

  • Malicious
  • Suspicious
  • Clean
  • Not available

These four possible verdicts mark a reduction in number from the eight possibilities in the previous system.


This new system is applied at all levels: analyses, samples, IOCs and artifacts. To increase clarity and avoid confusion, the numerical VMRay Threat Identifier (VTI) Score from 0 – 100 has been removed from the UI. For backward compatibility, however, these values are still available via the API.

The way VMRay calculates the verdict has not changed, only the way it presents the result. Each VTI still has a score of 1-5. In VMRay Platform 4.0 we introduced the -1 score (displayed as "-") to mark a known benign indicator. When a VTI with a -1 score is triggered, the sample or artifact is prevented from receiving a Malicious verdict. This applies in special situations, such as when a PE sample carries a trusted digital signature, or when a reputation analysis returns a Clean verdict. It is also possible to write YARA rules with a -1 score.

While the VTI Score has been removed from the UI, it is still available via the API, and the following new verdict keys appear in the responses:

Endpoint              New verdict keys in response
/rest/analysis        analysis_verdict
                      analysis_verdict_reason
                      analysis_verdict_reason_code
/rest/sample          sample_verdict
                      sample_verdict_reason
                      sample_verdict_reason_code
/rest/submission      submission_verdict
                      submission_verdict_reason
                      submission_verdict_reason_code
/rest/sample//iocs    verdict
                      verdict_reason
                      verdict_reason_code

By reducing the number of available possible verdicts from eight to four, our new system will bring greater clarity to malware analysis results and assist SOC teams in making effective decisions in the incident response process.
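As an added illustration (not VMRay's own code), the helper below reads the new verdict keys listed above from an API response and shows how a -1 "known benign" VTI blocks the Malicious verdict. The score-to-verdict thresholds, the lowercase spelling of verdict values in the API, and the assumption that a blocked Malicious verdict falls back to Suspicious are assumptions for this example, not published VMRay behaviour.

```python
from typing import Dict, Iterable, Optional

# The four verdicts introduced in VMRay Platform 4.0.
VERDICTS = ("Malicious", "Suspicious", "Clean", "Not available")


def read_verdict(response: Dict, prefix: str) -> Dict[str, Optional[object]]:
    """Extract <prefix>verdict / _reason / _reason_code from a 4.0 response.

    prefix is 'analysis_', 'sample_', 'submission_' or '' (IOC objects),
    matching the key names listed in the article.  A response without a
    verdict key is reported as 'Not available'.  Assumption: the API
    returns verdict values in lowercase ('malicious'), so we normalise.
    """
    raw = response.get(f"{prefix}verdict")
    verdict = "Not available" if raw is None else str(raw).capitalize()
    if verdict not in VERDICTS:
        raise ValueError(f"unexpected verdict value: {raw!r}")
    return {
        "verdict": verdict,
        "reason": response.get(f"{prefix}verdict_reason"),
        "reason_code": response.get(f"{prefix}verdict_reason_code"),
    }


def verdict_from_vti(scores: Iterable[int]) -> str:
    """Derive a verdict from the scores of the VTIs that triggered.

    Documented rule: any VTI scored -1 prevents a Malicious verdict.
    Assumed thresholds (not VMRay's published ones): highest score
    4-5 -> Malicious, 2-3 -> Suspicious, 1 or no VTI -> Clean, and a
    blocked Malicious verdict is downgraded to Suspicious.
    """
    scores = list(scores)
    for s in scores:
        if s != -1 and not 1 <= s <= 5:
            raise ValueError(f"VTI score out of range: {s}")
    positive = [s for s in scores if s != -1]
    top = max(positive) if positive else 0
    verdict = "Malicious" if top >= 4 else "Suspicious" if top >= 2 else "Clean"
    if verdict == "Malicious" and -1 in scores:
        verdict = "Suspicious"  # known-benign VTI blocks Malicious
    return verdict
```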