Innovation is our DNA.
VMRay was founded by early pioneers in automated threat detection and analysis. Since then, we have kept thinking outside the box to find new solutions to our customers' challenges. With every new release, we add new building blocks to our technologies that enable immediate detection of unknown threats.
Explore our 20+ unique technologies that empower our customers to detect the undetectable.
An analysis engine leveraging the VMRay Reputation Service for known files, URLs, domains, and IPs, to detect known malicious and known benign samples.
The Reputation Service is hosted by VMRay and continuously updated. It can be used by all VMRay customers, both Cloud and On-Premises, regardless of the licensed product.
A global caching mechanism that determines how to handle re-submissions in order to optimize performance without degrading efficacy.
Static Analysis is an analysis engine performing deep examination of file and email samples without detonation.
Static Analysis uses a combination of proprietary technologies to parse the samples and extract embedded content, while performing structural and code-based evaluations.
This includes digital signature verification, macro de-obfuscation, antivirus scanning as well as YARA rule checks.
During Static Analysis, a decision can be made whether a sample requires a detonation and what analysis environments should be used.
Content-based antivirus engine that uses signature and behavior-based heuristics to complement Dynamic File Analysis and Dynamic Web Analysis.
The Built-in AV is used to scan all objects that are extracted during Static and Dynamic scans.
An important part of our detection & analysis technologies that brings the ability to extract text from images using Optical Character Recognition (OCR) in order to detect social engineering techniques used in phishing campaigns.
Fully extracts all embedded content from samples, no matter how deeply it is hidden. After extraction, these objects are sent for further analysis.
This includes extracting embedded objects and links from documents, links and attachments from emails, archive unpacking with no depth limit, as well as decrypting password-protected samples.
Verification of the digital signature of Portable Executable (PE) samples (including checking for revoked certificates) to improve efficacy and enrich report metadata.
Proprietary parsers which identify the exact file type based on the file structure, as well as detect partially-corrupted samples that cannot be executed during Dynamic File Analysis.
Deobfuscation of macro code in Office files, such as elimination of dead code. This reduces malware forensics effort and enables the detection of malicious macros.
Protect against malicious password-protected attachments by searching for the password in the email body and subject.
Prevents samples from being detonated unnecessarily in order to optimize performance. This covers known benign files and files with no active content, as well as highly advanced content inspection, such as PDFs with non-standard structures and documents with benign macros.
Attributes-based rules that determine if links embedded in emails and documents should be detonated using VMRay Web Analysis (e.g., domain age, reputation score, abnormal URL string).
Compares the compiled macro code (p-code) with the source code (VBA) to detect the VBA Stomping attack technique.
Detection rules that look for certain characteristics in files. The YARA rulesets are used to scan all objects that are extracted during Static and Dynamic analysis.
DYNAMIC FILE ANALYSIS
Dynamic File Analysis monitors and records the file's complete behavior and provides a detailed report including memory dumps, function calls, and the judgement of whether the sample is a threat. Multiple other VMRay technologies contribute to Dynamic File Analysis, making it both comprehensive and precise.
DYNAMIC WEB ANALYSIS
An analysis engine detonating URLs and other Web objects (such as HTML files) within a Virtual Machine. The Dynamic Web Analysis allows for real-time monitoring of the complete DOM (Document Object Model) structure of the analyzed webpage, and thus provides highly detailed and precise visibility into potential phishing threats and malicious downloads.
Certain phishing attacks delivered via web pages may only be triggered if the user clicks on a button (e.g., the download button in file sharing sites such as Dropbox).
This feature detects and clicks on these buttons to automatically trigger the payload delivery.
When detecting persistence behaviors (e.g., file dropped to autostart), the sandbox will automatically reboot the VM as part of the analysis.
Simulating user behavior so that the execution can continue and no behavior is missed.
This includes mouse movements and clicks, as well as clicking on dialog boxes and providing expected responses (e.g., ‘accepting’ the EULA in an installer).
The core technology behind VMRay Dynamic File Analysis. Intelligent Monitoring allows VMRay to stay invisible to highly evasive malware, as it runs solely in the hypervisor layer and does not need to modify even a single bit in the analysis environment. It monitors every interaction between the malware and the system, thus providing best-in-class detection rates for zero-day, targeted and advanced threats.
Intelligent Monitoring works much like the zoom lens on a camera: it automatically adjusts itself to the optimal monitoring granularity depending on the behavior exhibited by the sample. This results in noise-free analysis reports that distinguish between true malware behavior and unrelated system activity, while delivering complete visibility into every interaction between the malware and the operating system.
Advanced triggers to accurately dump and store relevant memory buffers of analyzed malware in real time.
This includes timely detection of exactly when the dump should be taken based on malware behavior, defining exactly what should be captured to obtain relevant forensics and malware configs, and more.
Memory dumps can later be loaded into IDA with the help of the VMRay IDA plugin for further analysis.
Allows security teams to deploy analysis environment images that have been replicated from the customer’s real-world production environment. This enhances detection of targeted malware by revealing more precisely how a particular malware sample would affect users. (Note: This feature is only available with On-Premises deployments.)
Allows users to manually interact with the sample during Dynamic File Analysis and Dynamic Web Analysis.
Machine learning is used to provide an additional layer of protection to further identify hard-to-detect phishing threats.
The ML engine processes the results generated by Dynamic Web Analysis to recognize new patterns and determine risk based on over a hundred different characteristics.
Ability to decrypt TLS/SSL traffic in the VM without the use of a forged certificate, thus providing complete visibility into C2 traffic while remaining invisible to malware.
Post-processing is where the real magic happens. In this phase, VMRay Platform turns the analysis results into concise, noise-free, actionable insights.
In a way, it's fair to say that the final decision is made at this phase. VMRay uses unique technologies to provide clear verdicts and noise-free reports for the teams and detailed logs for the tools.
VMRay's proprietary detection rules are applied during each analysis to detect and classify threats, and apply advanced heuristics to detect credential-harvesting pages.
Mapping of malicious characteristics of submitted samples to the industry-standard MITRE ATT&CK framework.
Sandbox-generated Indicators of Compromise (IOCs) are an under-utilized source of threat intelligence, due to the difficulty of extracting actionable, trusted IOCs in an efficient way.
VMRay Analyzer uses behavior signatures to automatically filter out noise and flag artifacts that exhibit unusual behavior as IOCs. IOCs produced by VMRay Analyzer can be used for automated threat hunting without any additional filtering. This also includes the aggregation of IOCs from multiple analysis reports.