VMRay Platform v4.1.0 Release Highlights

Dec 03rd 2020

Something New to Usher in the New Year

As the world prepares to say “Goodbye (and good riddance!) to 2020,” VMRay is looking ahead to the New Year by unveiling VMRay Platform Release v4.1.0, which builds on major innovations introduced in September.

VMRay Platform v4.1.0 incorporates dozens of new features and enhancements, which continue to raise the bar for advanced threat analysis and protection.

Below, we highlight just a few of the most notable improvements. Existing customers can access the complete list of features in the updated release notes document within their account.

 

Signature Validation Against CRLs

A major challenge facing security teams is the need to prevent legitimate application installers and setups from triggering false positives, due to the software’s essential behavior being mistaken for malicious activity.

Tackling this problem in VMRay Platform v4.0.0, VMRay introduced the ability to verify the digital signature of portable executables (PEs) during static analysis. Where a known certificate authority (CA) has issued a certificate that has not been revoked, VMRay overrides likely false positives.

For digital signatures, Platform v4.1.0 takes the added step of checking the relevant Certificate Revocation List (CRL). If the certificate used to sign the sample has been revoked by the CA, a VTI Rule will be triggered. For additional context, users can see the certificate details in the Files tab.

 

Figure 2 – Certificate details accessible in the Files Tab

 

Smart Regeneration of Reports

This feature is an extension to the Smart Caching capability introduced in Platform 4.0.0. It improves performance and detection efficacy in situations where previously analyzed samples must be reanalyzed so newly available detection rules, signature updates, and YARA rules can be applied.

When a previously detonated sample is reanalyzed, the user may no longer see its complete behavior because the sample’s command and control is down. In v4.1.0, we’ve solved this.

Rather than re-detonating the original sample, VMRay updates the original dynamic analysis, statically enriches it, and generates a new report.

 

Figure 3: Report Dashboard – Icon next to analysis indicating regeneration

 

Enhanced MISP Connector

VMRay Platform v4.1.0 updates VMRay’s connector for MISP, the open-source solution for malware information sharing. Our MISP connector facilitates the import of VMRay verdict information, IOCs, and artifacts that are generated during dynamic analysis. In turn, other security tools can leverage VMRay-enhanced threat intelligence that’s unique to the customer’s environment. Imports can be done on-demand via API or through a manual upload of Summary JSON v2 files. Our new JSON format from VMRay Platform v4.0.0 makes it easier for customers to export machine-readable results and feed them into their existing security stack.

 

Figure 5: In the event details, users will be able to see attributes extracted during analysis including verdict, IOCs, and artifacts.

 

Enhanced Email Notifications

VMRay Platform v4.1.0 enhances email notifications for all products: VMRay Analyzer, VMRay Detector and VMRay Email Threat Defender. With the improved design, notifications have a consistent, user-friendly look and feel. Users will be able to visualize actionable information directly in the email notifications including verdict and grouped recursive submissions.

 

Figure 6: Enhanced Email Notification – Confirmation for analysis in-progress

Figure 7: Enhanced Email Notifications – Verdict sent to the user

For On-Premises customers, administrators can easily build and tailor the content of notifications for different audiences and purposes using predefined information blocks and/or custom HTML.

Enhanced notifications also benefit IR Mailbox users, including SOC analysts and end-user email recipients. When someone directly submits a suspicious email message to the VMRay Platform for analysis (via a dedicated mailbox address), the newly added IR Mailbox Submitter Confirmation notice affirms the submission has been received and is being analyzed. It also typically cautions end-users to wait for the analysis verdict before taking any action on the suspect message.

 

Figure 8: New IR Mailbox Notification

 

Password Policy

Resource-constrained IT departments rely on system administrators and account managers to efficiently implement security policy while also complying with industry standards and regulatory requirements. New features in Platform v4.1.0 make the task easier, both for on-premises and cloud-based deployments. System administrators and account managers can:

    • Configure and enforce policy for password quality, expiry, and reuse without requiring input from end-users. Automated enforcement ensures consistent protection, without gaps in coverage.
    • Enhance existing IP-based brute-force protections by configuring a policy to temporarily disable a login under attack.

 

Figure 9: Password Policy Page

    • Enable the enforcement of 2-factor authentication (2FA) for higher security needs.

 

Figure 10: Enforced 2FA Message

 

Every organization wants the latitude to manage security in its own way. VMRay provides the flexibility to balance competing needs for security, availability, and consistent enforcement.

We are excited about the new additions to VMRay Platform v4.1.0. Customers can access a complete list of the new v4.1.0 features in the changelog within their VMRay account.

Not a VMRay customer, and want to put our Platform to the test? Start your 30-day trial today.