With the September release of VMRay Platform v4.0.0, we’re pleased to introduce significant improvements to all three of our products – Analyzer, Detector, and Email Threat Defender (ETD) – particularly in the handling of malicious links. These enhancements include:
Further, VMRay Platform v4.0.0 offers several improvements to our products’ performance, platform management features, and UX. Several of these improvements are summarized below and the complete list will be available in the 4.0 release notes.
One of the most interesting features in version 4.0.0 is the analysis of malicious links in emails, a major attack vector for malware authors because it is an easy and flexible way to deliver malicious content. A URL can entice a user to click in order to download a malicious file, or send the user to a phishing form that imitates a popular site, such as PayPal, in order to trick them into submitting their personal information to a fraudulent page.
VMRay Platform v4.0.0 features automated link detonation in all three of our products – Analyzer, Detector, and Email Threat Defender (ETD). URLs contained in files, emails, and email attachments are now dynamically analyzed without any manual user interaction, allowing a fully-automated workflow to determine if the link is malicious.
Currently, many email security vendors rely on performing a reputation check on incoming emails and rewriting unknown URLs to point to a “safe link.” When users click on this rewritten safe-link URL, they are redirected through a vendor web proxy while the URL is scanned, and are shown a temporary message window informing them of the scan. For example, this is the message window shown to users of Office 365:
If the scan finds the link to be malicious, the connection is blocked. While this time-of-click approach only scans the link when the user actually accesses the web page, it also has several shortcomings, including:
VMRay’s unique advantage in addressing these shortcomings is detonating links in emails, as well as in email attachments, at time of delivery rather than time of click. When emails and documents are received, the VMRay Platform performs static and reputation analysis on all extracted links and, based on over 30 heuristics, determines whether detonation is necessary. Detonation is gated in this way to avoid inadvertently triggering adverse side effects, such as unsubscribing a user from a mailing list.
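To make the time-of-delivery gating concrete, here is an added illustration (not VMRay code, and not its actual heuristics) of how a mail pipeline can extract links from a received message, consult a cache of already-analyzed URLs, and route state-changing links such as unsubscribe or confirmation URLs to static analysis only instead of detonating them. The side-effect token list, the sample email and the verdict cache are all constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Hypothetical side-effect heuristic: path/query fragments that usually mean
# fetching the link changes account state (a real product would use many more).
SIDE_EFFECT_TOKENS = ("unsubscribe", "opt-out", "optout", "confirm", "verify")

# Constructed sample email containing a document link, an unsubscribe link
# and an ordinary article link.
RAW_EMAIL = """\
From: billing@example.com
To: user@example.net
Subject: Your invoice
Content-Type: text/plain; charset=utf-8

Your invoice is ready: https://files.example.com/invoice/2024-09.docx
To stop receiving these emails: https://lists.example.com/unsubscribe?uid=42
Read more at https://news.example.com/article
"""


def extract_links(raw_email):
    """Collect every http(s) URL from all non-multipart parts of a message."""
    msg = message_from_string(raw_email)
    links = set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            links.update(URL_RE.findall(payload.decode("utf-8", "replace")))
    return sorted(links)


def has_side_effect(url):
    """True when the path or query looks like a state-changing link."""
    p = urlparse(url)
    haystack = (p.path + "?" + p.query).lower()
    return any(tok in haystack for tok in SIDE_EFFECT_TOKENS)


def triage(raw_email, verdict_cache):
    """Decide per URL: reuse a cached verdict, analyze statically only,
    or detonate in the sandbox. Runs at delivery, before any user click."""
    decisions = {}
    for url in extract_links(raw_email):
        if url in verdict_cache:
            decisions[url] = "cached:" + verdict_cache[url]
        elif has_side_effect(url):
            decisions[url] = "static_only"
        else:
            decisions[url] = "detonate"
    return decisions
```

Links routed to `static_only` still receive the reputation and static checks; the gate only withholds the live fetch.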
A new feature in this release is ETD. VMRay Platform v4.0.0 now has built-in integration with Office 365: just a few clicks and it’s all set. With this seamless integration, when a link is determined to be malicious, the email is marked as such and filtered to the junk folder. This time-of-delivery analysis closes the gaps in existing email security solutions listed above.
With ETD, links that are contained in the attached documents are analyzed, even if the file is password-protected, as in the screenshot below:
VMRay Platform v4.0.0 also features several enhancements to our analysis workflow. This latest release includes Smart Caching to handle re-submissions more effectively. With this new feature, customers can enable caching mode so that, when a file is re-submitted, heuristics decide whether the file should be analyzed again to guarantee the best results. If caching is enabled, users see the following message when the file has already been submitted:
Building on a feature in our previous release which distinguishes IOCs from artifacts, IOCs are now aggregated across the analysis reports of each sample and displayed on one page as shown in the screenshot below:
The VMRay Platform v4.0.0 also features enhanced IOC extraction, giving users the ability to extract network artifacts from process command lines and to extract artifacts from obfuscated macros.
In addition, the WHOIS service is now built-in as part of our reputation analysis for all customers, including on-premises.
And here’s some welcome news for SOC teams working long hours. With 4.0, in addition to our standard interface, users can now opt to view the interface in “dark mode” to reduce eye strain and make it easier to stay focused on their work. “Dark mode” can be set by going to “Profile → Preferences” and is displayed as shown below:
The Platform WebUI has been refreshed with a new glossary, and our entire scoring system for submitted samples, as well as for IOCs, has been simplified and improved. The system no longer uses a numerical score to express potential harm and instead renders a direct “Verdict.” In this new system, samples, submissions, analyses, and IOCs are each determined to be “Malicious”, “Suspicious”, “Clean”, or “Not available.” The previous numerical system (VTI Score) has been removed from the UI and is available only in the API for backward compatibility.
Users can also now download analysis reports as PDFs and brand them with their company’s own logo as shown in the screenshot below:
In addition to these features and changes, we’ve introduced the following enhancements:
We are excited about these new additions and others in VMRay Platform v4.0.0. VMRay customers can access a complete list of the new v4.0.0 features in the changelog within their VMRay account. Not a VMRay customer, and want to put our Platform to the test? Start your 30-day trial today.