VMRay Analyzer Overview

What is VMRay Analyzer?

VMRay Analyzer is an automated, agentless malware analysis and detection solution that enables malware analysts and incident response teams to monitor, analyze and identify threats and extract indicators of compromise (IOCs), while remaining invisible to malware.

What is “agentless” monitoring?

Unlike traditional sandbox solutions, VMRay Analyzer runs solely in the hypervisor layer and does not need to modify a single bit in the analysis environment. This allows VMRay Analyzer to monitor the interaction between the malware and the system while remaining completely invisible to malware.

Today, malware is designed to recognize when it runs inside an analysis environment and can stall or exit inside a sandbox. Yet even the most evasive malware will reveal its behavior in VMRay Analyzer.

For more information on our agentless monitoring technology, read our Technology Whitepaper.

What is the difference between VMRay Analyzer Cloud and VMRay Analyzer On-Premises?

VMRay Analyzer Cloud and VMRay Analyzer On-Premises both have the same core functionality and ability to analyze and detect malware. The main difference between Cloud and On-Premises is the level of customization offered.

VMRay Analyzer On-Premises supports extensive customization of:

  • Target VMs: Security teams can analyze files and URLs in fully customized VM images, such as the organization’s own Gold Image.
  • Detection Rules and the Analysis Scoring System: Security teams can add their own detection rules and customize the built-in analysis scoring system (VMRay Threat Identifier or VTI Score as well as Yara rules)
  • Backend Global Settings: This includes the ability to create independent user groups, modify advanced network configuration settings, change other advanced settings such as the total size and number of memory dumps per analysis etc.


What type of information is available in a VMRay Analyzer Report?

A VMRay Analyzer Report provides:

  • High-level sample verdict (Malicious, Suspicious or Not Suspicious)
  • Threat Indicators
  • Screenshots taken during analysis
  • Network Behavior
  • IOCs
  • Downloadable Function Log
  • And much more

View our Malware Analysis Reports page to see interactive VMRay Analyzer Reports.

What operating systems are supported by VMRay Analyzer?

VMRay Analyzer currently supports Windows Operating Systems (Windows 7 to Windows 10) and macOS High Sierra (10.13)* in our cloud service. Additional Windows and macOS* targets are supported for on-premises.

*Early Availability

What file types can VMRay analyze?

We support all major formats for Office documents, scripts, archives, drivers, executables as well as URLs. We are constantly expanding the range of file types supported as malware authors seek new infection vectors by leveraging obscure and outdated formats.

For more information about our supported file types, contact our Sales Team.

Does VMRay Analyzer support manual interaction with a malware sample?

Yes, you can manually interact with malware via VNC. For more information on our interactive mode read our blog post on our interactive analysis capabilities.

Does VMRay Analyzer support customization of the analysis environment?

For Cloud users, the analysis environment can be customized by submitting a prescript along with the file or URL to be analyzed. The prescript can be used for several reasons such as changing some of the system settings, copying required files into the system or installing a driver that is necessary to execute the sample correctly.

With an on-premises deployment, users can analyze files and URLs in fully customized Virtual Machine images, such as the organization’s own Gold Image.

Are third-party integrations available with VMRay Analyzer?

VMRay Analyzer provides out-of-the-box support for third-party platforms across the security ecosystem – Endpoint Protection, SIEM, SecOps (SOAR) and Threat Intelligence (TIP). We also have a documented REST API and sample python libraries for custom integrations.

View a complete list of VMRay Analyzer’s out-of-the-box integrations.

Privacy & Compliance

Are files submitted to VMRay Analyzer Cloud private?

All samples uploaded to VMRay Analyzer are only accessible by users in your organization.

If you decide to enable our VirusTotal and OPSWAT Metadefender connectors those samples will be sent out to the respective third parties.

Is VMRay GDPR compliant?

Yes, VMRay is GDPR compliant. VMRay Analyzer allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. Our Data Processing Agreement (DPA) for GDPR compliance is available here.

VMRay Analyzer On-Premises customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, hosted at our headquarters in Germany, personal data and other sensitive information are protected in accordance with some of the strictest data privacy laws in the world.


How does VMRay Analyzer scale?

VMRay Analyzer employs a ‘Now, Near, Deep’ architecture – files can first be triaged by our ultrafast reputation engine (‘Now’), then statically analyzed for active and potentially malicious components (‘Near’) before a full dynamic sandbox analysis (‘Deep’). Our sandbox analysis is the fastest and most scalable on the market, delivering bare-metal performance in a cost-effective virtualized environment.

For more information read our Hyperscaling blog post.

How is VMRay Analyzer deployed on-premises? (hardware/software)

VMRay Analyzer On-Premises is a “bring your own hardware” deployment. Our team works with On-Premises customers to determine the appropriate hardware configuration and specifications. Our installer pulls down all required components automatically, starting with the OS, simplifying the install and configuration process.

Can VMRay Analyzer be run in an air-gapped environment?

Yes. The initial install needs to be connected to the internet. The VMRay Analyzer updates can be downloaded from our portal then copied on media and subsequently applied. We update the on-premises software on a semi-annual basis.

Users will not be able to update the file reputation service when air-gapped. Customers can use OPSWAT Metadefender On-Premises in air-gapped environments to incorporate multi-AV results. Users will still need to manually update the AV definitions for the AV engines you are running.


How is VMRay Analyzer supported?

Support is available during European and US office hours. Support tickets can be opened via email or our Zendesk portal or by calling our toll-free number +1 (888) 958-5801 (North America).

More details are available in our license agreement at www.vmray-legal.com or see our Contact page.


How is VMRay Analyzer licensed?

VMRay Analyzer Cloud or On-Premises are annual subscriptions. Licensing is based on the number of dynamic analyses performed per day. A perpetual license option is available for on-premises customers.