Product Portfolio

VMRay offers four product options designed for specific use-cases.

VMRay Analyzer: VMRay Analyzer is an automated malware analysis solution that enables analysts to monitor, analyze and identify threats and extract indicators of compromise (IOCs). VMRay Analyzer is our flagship product and can be deployed on-premises or in the Cloud.

VMRay Detector: VMRay Detector is an automated malware detection solution for enterprises that need rapid, highly accurate malware detection for high-volume use cases. VMRay Detector can be deployed on-premises or in the Cloud on top of an Analyzer license.

VMRay Email Threat Defender (ETD): VMRay Email Threat Defender is an email threat detection solution that fully automates the scanning of inbound email to detect malicious URLs and attachments. VMRay Email Threat Defender can be deployed on-premises or in the Cloud.

VMRay Investigator: VMRay Investigator is a malware analysis solution that enables analysts to monitor, analyze and identify threats and extract indicators of compromise (IOCs). VMRay Investigator is only available as a Cloud solution, and samples can only be submitted manually.

All VMRay products use our underlying Now, Near, Deep architecture.

VMRay Analyzer:

  • Designed for comprehensive, in-depth malware analysis and detection
  • Provides in-depth analysis reports and detection results
  • Supports submission via Web Interface, API or IR Mailbox

VMRay Detector:

  • Designed for rapid malware detection for high-volume use cases
  • Provides only high-level detection results
  • Supports submission only via API or IR Mailbox

Technology

“Now, Near, Deep” combines dynamic analysis with our static analysis engine and built-in reputation checking. Our groundbreaking dynamic analysis engine is at the heart of this approach. It utilizes hypervisor-based monitoring, which embodies four differentiating traits:

  • Evasion resistance
  • Full visibility
  • Precise, noise-free output
  • Scalability to support short-term spikes and long-term growth.

The Now, Near, Deep approach enables security teams to handle larger analysis volumes, speed up detection, and improve the productivity and efficacy of security personnel and infrastructure.

For more information on our Now, Near, Deep approach, read our blog post.

Unlike traditional malware sandboxing solutions, VMRay monitors malware behavior solely from the hypervisor layer and does not need to modify a single bit in the analysis environment. This allows VMRay’s products to monitor the interaction between the malware and the system while remaining completely invisible to malware.

Today, malware is designed to recognize when it runs inside an analysis environment and can stall or exit inside a sandbox. Yet even the most evasive malware will reveal its behavior in VMRay’s products.

For more information on our hypervisor-based monitoring technology, read our Technology Whitepaper.

Privacy & Compliance

All samples uploaded to VMRay Cloud products are only accessible by users in your organization.

VMRay does not share any files or identifiable customer data with external parties. See our license agreement and DPA for our data protection policy under GDPR.

If you enable VirusTotal integration with your API key, then VirusTotal will receive a hash query during analysis and the sample may be uploaded to VirusTotal.

Yes, VMRay is GDPR compliant.

VMRay On-Premises customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, personal data and other sensitive information is protected in accordance with some of the strictest data privacy laws in the world.

VMRay allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. Our Data Processing Agreement (DPA) for GDPR compliance is available here.

Yes, VMRay is ISO27001 certified.

Yes. VMRay features SAML 2.0 support for single sign-on (SSO), making it easy to integrate our platform with your company’s chosen identity provider.

Yes. Users can enable 2FA and use a Time-based One-Time Password (TOTP) token generated from another device to access their VMRay account. Popular 2FA apps such as Google Authenticator or Duo can be used to scan and generate codes required for authentication. In addition, VMRay’s SSO support can be leveraged to use the identity provider’s MFA support.

Yes. VMRay offers two data center locations, one in the EU and the other in the US, to our customers. While located in different regions, both are ISO27001 compliant, meet GDPR standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Read more here.

Support

Support is available during European and US office hours. Support tickets can be opened via email or our Zendesk portal or by calling our toll-free number +1(888)958-5801 (in North America).

More details are available in our license agreement at www.vmray-legal.com or see our Contact page.

VMRay Analyzer

Deployment

VMRay Analyzer Cloud and On-Premises both have the same core functionality and ability to analyze and detect malware. The main difference between Cloud and On-Premises is the level of customization offered.

VMRay Analyzer On-Premises supports extensive customization of:

  • Target VMs: Security teams can analyze files and URLs in fully customized VM images, such as the organization’s own Gold Image.
  • Detection Rules and the Analysis Scoring System: Security teams can add their own detection rules and customize the built-in analysis scoring system (VMRay Threat Identifier or VTI Score as well as YARA rules).
  • Backend Global Settings: This includes the ability to create independent user groups, modify advanced network configuration settings, and change other advanced settings such as the total size and number of memory dumps per analysis.

VMRay Analyzer On-Premises is a “bring your own hardware” deployment. Our team works with customers to determine the appropriate hardware configuration and specifications. Our installer pulls down all required components automatically, starting with the OS, simplifying the install and configuration process.

VMRay Analyzer employs a ‘Now, Near, Deep’ architecture – files can first be triaged by our ultrafast reputation engine (‘Now’), then statically analyzed for active and potentially malicious components (‘Near’) before a full dynamic sandbox analysis (‘Deep’). Our sandbox analysis is the fastest and most scalable on the market, delivering bare-metal performance in a cost-effective virtualized environment.

For more information read our Hyperscaling blog post.

Yes. VMRay Analyzer updates can be downloaded from our portal, copied onto media and subsequently applied.

Users will not be able to update the file reputation service when air-gapped. Users will still need to manually update the AV definitions for the AV engines they are running.

Yes. VMRay ETD integrates quickly and easily into your email infrastructure.

Capabilities

A VMRay Analyzer Report provides:

  • High-level sample verdict (Malicious, Suspicious or Not Suspicious)
  • Threat Indicators (VTI Rules)
  • Mapping of VTI rules to the MITRE ATT&CK Enterprise Matrix
  • Screenshots taken during analysis
  • Network Behavior
  • IOCs
  • Downloadable Function Log
  • And much more

View our Malware Analysis Reports page to see interactive VMRay Analyzer Reports.

We currently support Windows Operating Systems (Windows 7 to Windows 10) and macOS (High Sierra) in our cloud service. Additional Windows targets are supported for on-premises.

We support all major formats for office documents, scripts, archives, drivers, executables as well as URLs. We are constantly expanding the range of file types supported as malware authors seek new infection vectors.

For more information about our supported file types, contact our Sales Team.

Yes, you can manually interact with malware via VNC. For more information on our interactive mode read our blog post on our interactive analysis capabilities.

VMRay Analyzer provides out-of-the-box support for third-party platforms across the security ecosystem: End Point Protection (EPP), SIEM, SecOps (SOAR), Threat Intelligence (TIP) and more. We also have a documented REST API and sample Python libraries for custom integrations.

View a complete list of VMRay Analyzer’s out-of-the-box integrations.

An Indicator of Compromise (IOC) is a piece of forensic data derived from manual or automatic analysis, which is useful in characterizing the behavior of a given threat and can be used to identify that threat in other contexts.

IOCs are a subset of a larger universe: artifacts that encompass all forensic information related to the threat. This includes files, URLs, IPs, processes, registries and other data that is observed during runtime in the sandbox or statically extracted from the analyzed file, such as links in an email sample.

VMRay Analyzer uses the VMRay Threat Identifier (VTI) system to flag and score artifacts and determine which qualify as IOCs.

The paths to submit samples include manual submission via WebUI, email submission via IR Mailbox, custom built integration via REST API, and out-of-the-box connectors for 3rd party integrations, as well as integration with your organization’s email infrastructure using the ETD product.

Licensing

VMRay Analyzer Cloud or On-Premises are annual subscriptions. Licensing is based on the number of dynamic analyses performed per day. A perpetual license option is available for on-premises customers.

VMRay Detector

Deployment

VMRay Detector requires an underlying VMRay Analyzer deployment (either On-Premises or Cloud). Refer to the Deployment section of VMRay Analyzer for more details.

Capabilities

VMRay Detector provides only high-level detection results. These include:

  • High-level sample verdict (Malicious, Suspicious or Not Suspicious)
  • VTI scores associated with dynamic and static analyses
  • Threat Indicators (VTI Rules)
  • Sample reputation information.

Since VMRay Detector requires an underlying VMRay Analyzer deployment, the Analyzer license can be used to unlock detailed VMRay Analyzer reports associated with a sample. Refer to the Capabilities section of VMRay Analyzer for information on what is available in a detailed analysis report.

VMRay Detector employs a ‘Now, Near, Deep’ architecture – files can first be triaged by our ultrafast reputation engine (‘Now’), then statically analyzed for active and potentially malicious components (‘Near’) before a full dynamic sandbox analysis (‘Deep’). Our sandbox analysis is the fastest and most scalable on the market, delivering bare-metal performance in a cost-effective virtualized environment.

We currently support Windows Operating Systems (Windows 7 to Windows 10) and macOS (High Sierra) in our cloud service. Additional Windows targets are supported for on-premises.

We support all major formats for office documents, scripts, archives, drivers, executables as well as URLs. We are constantly expanding the range of file types supported as malware authors seek new infection vectors.

For more information about our supported file types, contact our Sales Team.

Together with VMRay Analyzer, Detector provides out-of-the-box support for third-party platforms across the security ecosystem: End Point Protection (EPP), SIEM, SecOps (SOAR), Threat Intelligence (TIP) and more. We also have a documented REST API and sample Python libraries for custom integrations.

View a complete list of VMRay’s out-of-the-box integrations.

Licensing

VMRay Detector Cloud or On-Premises are annual subscriptions. They are only available as add-on licenses for a VMRay Analyzer Cloud or On-Premises deployment. Licensing is based on the number of detections performed per day.