VMRay offers two product options:
VMRay Analyzer: VMRay Analyzer is an automated malware analysis solution that enables analysts to monitor, analyze and identify threats and extract indicators of compromise (IOCs). VMRay Analyzer is our flagship product and can be deployed on-premises or in the Cloud.
VMRay Email Threat Defender (ETD): VMRay Email Threat Defender is an email threat detection solution that fully automates the scanning of inbound email to detect malicious URLs and attachments. VMRay Email Threat Defender can be deployed on-premises or in the Cloud.
Both VMRay Analyzer and ETD utilize our underlying Now, Near, Deep architecture.
VMRay offers a unique mix of stealthiness and efficacy that allows it to stand out from the pack. Traditional sandbox solutions either produce no results at all, because the malware detects the sandbox and stops executing, or produce too much data because of poor result filtering or slow performance.
VMRay delivers reliable results without burdening your analysts with filtering irrelevant data. With years of experience and continuous effort, VMRay is well equipped both for current malware and for staying ahead of new threats.
VMRay is capable of detonating each sample in multiple analysis environments (i.e. virtual machines with different configurations). This ensures that customers will be able to see as much behavior as possible from a submitted sample, no matter what system it is targeting.
The selection depends on the submitted file type: both which VMs are used and how many of them depend on what has been submitted. A single file can therefore lead to multiple analyses, each of which is deducted from the quota. The selection of analysis environments can be controlled by the user (e.g. by removing detonation environments from a submission or adding additional, non-standard ones).
“Now, Near, Deep” combines dynamic analysis with our static analysis engine and built-in reputation checking. Our groundbreaking dynamic analysis engine is at the heart of this approach. It utilizes hypervisor-based monitoring, which embodies four differentiating traits:
The Now, Near, Deep approach enables security teams to handle larger analysis volumes, speed up detection, and improve the productivity and efficacy of security personnel and infrastructure.
For more information on our Now, Near, Deep approach, read our blog post
Unlike traditional malware sandboxing solutions, VMRay monitors malware behavior solely from the hypervisor layer and does not need to modify a single bit in the analysis environment. This allows VMRay’s products to monitor the interaction between the malware and the system while remaining completely invisible to malware.
Today, malware is designed to recognize when it runs inside an analysis environment and can stall or exit inside a sandbox. Yet even the most evasive malware will reveal its behavior in VMRay’s products.
For more information on our hypervisor-based monitoring technology, read our Technology Whitepaper.
All samples uploaded to VMRay Cloud products are only accessible by users in your organization.
VMRay does not share any files or identifiable customer data with external parties. See our license agreement and DPA for our data protection policy under GDPR.
If you enable VirusTotal integration with your API key, then VirusTotal will receive a hash query during analysis.
Yes, VMRay is GDPR compliant.
VMRay On-Premises customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, personal data and other sensitive information is protected in accordance with some of the strictest data privacy laws in the world.
VMRay allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. Our Data Processing Agreement (DPA) for GDPR compliance is available here.
Yes, VMRay is ISO27001 certified.
Yes. VMRay features SAML 2.0 support for single sign-on (SSO), making it easy to integrate our platform with your company’s chosen identity provider.
Yes. Users can enable 2FA and use a Time-based One-Time Password (TOTP) token generated from another device to access their VMRay account. Popular 2FA apps such as Google Authenticator or Duo can be used to scan and generate codes required for authentication. In addition, VMRay’s SSO support can be leveraged to use the identity provider’s MFA support.
Yes. VMRay offers two data center locations, one in the EU and the other in the US, to our customers. While located in different regions, both are ISO27001 compliant, meet GDPR standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Read more here.
VMRay Analyzer Cloud and On-Premises both have the same core functionality and ability to analyze and detect malware. The main difference between Cloud and On-Premises is the level of customization offered.
VMRay Analyzer On-Premises supports extensive customization of:
VMRay Analyzer On-Premises is a “bring your own hardware” deployment. Our team works with customers to determine the appropriate hardware configuration and specifications. Our installer pulls down all required components automatically, starting with the OS, simplifying the install and configuration process.
VMRay Analyzer employs a ‘Now, Near, Deep’ architecture – files can first be triaged by our ultrafast reputation engine (‘Now’), then statically analyzed for active and potentially malicious components (‘Near’) before a full dynamic sandbox analysis (‘Deep’). Our sandbox analysis is the fastest and most scalable on the market, delivering bare-metal performance in a cost-effective virtualized environment.
For more information read our Hyperscaling blog post.
Yes. VMRay Analyzer updates can be downloaded from our portal, copied to removable media and then applied on the air-gapped system.
When air-gapped, the file reputation service cannot be updated, and the AV definitions for the AV engines in use must still be updated manually.
Yes. VMRay ETD integrates quickly and easily into your email infrastructure.
A VMRay Analyzer Report provides:
View our Malware Analysis Reports page to see interactive VMRay Analyzer Reports.
VMRay is focused on delivering malware analysis and detection for the most common desktop operating systems. To that end, we currently support Windows Operating Systems (Windows 7 to Windows 10) and macOS (High Sierra) in our cloud service. Additional Windows targets are supported for on-premises.
We support all major formats for office documents, scripts, archives, drivers, executables as well as URLs. We are constantly expanding the range of file types supported as malware authors seek new infection vectors.
For more information about our supported file types, contact our Sales Team.
Yes, you can manually interact with malware via VNC. For more information on our interactive mode read our blog post on our interactive analysis capabilities.
VMRay Analyzer provides out-of-the-box support for third-party platforms across the security ecosystem: Endpoint Protection (EPP), SIEM, SecOps (SOAR), Threat Intelligence Platforms (TIP) and more. We also have a documented REST API and sample Python libraries for custom integrations.
View a complete list of VMRay Analyzer’s out-of-the-box integrations.
An Indicator of Compromise (IOC) is a piece of forensic data, derived from manual or automatic analysis, that characterizes the behavior of a given threat and can be used to identify that threat in other contexts.
IOCs are a subset of a larger universe: artifacts, which encompass all forensic information related to the threat. This includes files, URLs, IPs, processes, registry keys and other data observed at runtime in the sandbox or statically extracted from the analyzed file, such as links in an email sample.
VMRay Analyzer uses the VMRay Threat Identifier (VTI) system to flag and score artifacts and to determine which of them qualify as IOCs.
Yes. All elements which are available in the VMRay Analyzer Report are also available to be downloaded via the API and therefore can be used for integrations with 3rd party systems.
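To make the artifact-versus-IOC distinction above concrete, and to show the shape in which an IOC export is typically handed to a third-party system, the following is an added example written for this page, not VMRay code: the artifact list, the 0 to 5 score scale, the threshold and the allow-lists are all constructed assumptions, and VMRay's actual report schema and VTI rules are not reproduced. It filters a sandbox artifact list down to IOCs and renders them as STIX 2.1 indicator patterns, which most TIPs and SIEMs ingest directly.

```python
import ipaddress
from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlparse


@dataclass(frozen=True)
class Artifact:
    kind: str    # "file", "url", "domain", "ip", "process", "registry"
    value: str   # SHA-256 for files, otherwise the observed value
    score: int   # VTI-style severity, 0 (benign) .. 5 (malicious); constructed scale
    source: str  # "dynamic" (seen at runtime) or "static" (extracted from the sample)


# Constructed artifact list standing in for a sandbox report; not VMRay report data.
# 198.51.100.0/24 is a documentation range used as a stand-in for a routable C2 address.
REPORT = [
    Artifact("file", "3f" * 32, 5, "dynamic"),                       # dropped payload (fake hash)
    Artifact("url", "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab", 1, "dynamic"),
    Artifact("url", "http://198.51.100.7/gate.php", 4, "dynamic"),
    Artifact("ip", "198.51.100.7", 4, "dynamic"),
    Artifact("ip", "10.0.0.5", 4, "dynamic"),                        # sandbox-internal address
    Artifact("process", "C:\\Windows\\System32\\svchost.exe", 3, "dynamic"),
    Artifact("process", "C:\\Users\\Public\\update.exe", 5, "dynamic"),
    Artifact("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", 4, "dynamic"),
    Artifact("domain", "cdn.example.invalid", 2, "static"),          # link extracted from the sample
]

IOC_THRESHOLD = 3  # assumption: artifacts scoring below this are noise, not indicators

# Assumed allow-lists; a real deployment keeps these in configuration.
BENIGN_HOSTS = {"ctldl.windowsupdate.com", "www.msftconnecttest.com"}
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "rundll32.exe"}
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}


def is_ioc(a: Artifact, threshold: int = IOC_THRESHOLD) -> bool:
    """An artifact becomes an IOC when it is scored as suspicious AND would not match
    benign activity in a production environment. The second condition keeps
    sandbox-local addresses and OS binaries out of detection rules."""
    if a.score < threshold:
        return False
    if a.kind == "ip":
        return not any(ipaddress.ip_address(a.value) in net for net in LOCAL_NETWORKS)
    if a.kind in ("url", "domain"):
        host = urlparse(a.value).hostname if a.kind == "url" else a.value
        return (host or "").lower() not in BENIGN_HOSTS
    if a.kind == "process":
        return PureWindowsPath(a.value).name.lower() not in SYSTEM_BINARIES
    return True


def select_iocs(report):
    return [a for a in report if is_ioc(a)]


def _stix_str(s: str) -> str:
    # STIX string literals are single-quoted; backslash and quote are escaped.
    return s.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_pattern(a: Artifact) -> str:
    """Render one IOC as a STIX 2.1 indicator pattern."""
    if a.kind == "file":
        return f"[file:hashes.'SHA-256' = '{_stix_str(a.value)}']"
    if a.kind == "url":
        return f"[url:value = '{_stix_str(a.value)}']"
    if a.kind == "domain":
        return f"[domain-name:value = '{_stix_str(a.value)}']"
    if a.kind == "ip":
        obj = "ipv6-addr" if ":" in a.value else "ipv4-addr"
        return f"[{obj}:value = '{_stix_str(a.value)}']"
    if a.kind == "process":
        # Only the executable name travels well across hosts; user-specific paths do not.
        return f"[file:name = '{_stix_str(PureWindowsPath(a.value).name)}']"
    if a.kind == "registry":
        hive, _, rest = a.value.partition("\\")
        key = HIVES.get(hive.upper(), hive) + "\\" + rest
        return f"[windows-registry-key:key = '{_stix_str(key)}']"
    raise ValueError(f"unsupported artifact kind: {a.kind}")


if __name__ == "__main__":
    for ioc in select_iocs(REPORT):
        print(to_stix_pattern(ioc))
```

Note that the sandbox-internal 10.0.0.5 and svchost.exe are scored above the threshold yet still excluded: both are genuine artifacts of the run, but neither would identify the threat "in other contexts", which is exactly the property that separates an IOC from an artifact. An export that skips that second filter is the usual source of SIEM rules that alert on every Windows host.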
Yes, both password-protected archives and documents are supported. A standard password can be configured to streamline the upload of samples for analysis without endangering the source system, and the user can supply a different password on the fly when a sample uses one.
VMRay Analyzer Cloud or On-Premises are annual subscriptions. Licensing is based on the number of dynamic analyses performed per day. A perpetual license option is available for on-premises customers.
The On-Premises and Cloud versions of VMRay Email Threat Defender offer a very similar set of base features. However, each version has one distinguishing feature that is not available in the other:
VMRay Email Threat Defender On-Premises: supports handing data to SIEM systems via syslog.
VMRay Email Threat Defender Cloud: supports a direct connection to your Office 365 tenant via the API (i.e. messages are scanned without being copied). This deployment is the only one that supports Inbox Protection, which actively moves detected threats out of the user's inbox.
Both VMRay Email Threat Defender On-Premises and Cloud use an underlying VMRay Analyzer instance for dynamic analysis, so all differences between the On-Premises and Cloud versions of that product also apply here.
Yes. Each VMRay Email Threat Defender instance is connected to a VMRay Analyzer instance in the background and therefore taps into its proven analysis engine. All emails and the child samples they contain are first triaged using our Now, Near, Deep approach, and if a sample reaches the Deep stage, it is detonated in the connected VMRay Analyzer instance. The verdict is presented and imported right after the analysis; the full report can be unlocked using Analyzer quota (availability depends on the chosen license model).
Yes. VMRay Email Threat Defender extracts links from both the email body as well as from attached documents.
VMRay Email Threat Defender uses custom-built heuristics and a whitelist-based approach to determine which links and attachments should be detonated. This ensures that no inadvertent detonations (a detonation is equivalent to a click) are issued against links that would, for example, activate accounts or unsubscribe users from newsletters.
The detonation is executed at the time of delivery, i.e. right after the email reaches VMRay Email Threat Defender. Together with extracting links from attachments, this avoids the drawbacks of common time-of-click approaches that rewrite links (for example, their inability to cover links inside documents or in signed emails).
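A worked illustration of the link-triage idea described above, as an added example that is not VMRay's heuristics: the HTML message, the host allow-list, the side-effect markers and the one-time-token parameter names are all constructed assumptions. It extracts links from an HTML body (anchor targets plus bare URLs in the text), then decides per link whether an automated fetch is safe, treating links that would unsubscribe, activate or consume a one-time token as static-analysis only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed inbound message (HTML part); not a real email captured by VMRay ETD.
HTML_BODY = """
<p>Your invoice is ready: <a href="http://198.51.100.7/inv/INV-2231.html">view invoice</a></p>
<p>Activate your account: <a href="https://accounts.example.com/activate?token=8f2c1a">activate</a></p>
<p><a href="https://news.example.org/unsubscribe?uid=4471">Unsubscribe</a> |
<a href="mailto:billing@example.com">Contact us</a></p>
<p>Plain text copy: https://cdn.example.net/invoice.zip, and http://www.microsoft.com/.</p>
"""

# Assumed allow-list of hosts never worth a detonation slot; a deployment keeps this in config.
ALLOWLISTED_HOSTS = {"www.microsoft.com", "www.google.com"}
# Path or query markers of links whose GET request acts on the recipient's behalf.
SIDE_EFFECT_MARKERS = re.compile(
    r"unsubscribe|opt[-_]?out|activate|activation|confirm|deactivate|cancel", re.I)
# Assumed names of query parameters that carry a single-use token.
TOKEN_PARAMS = {"token", "uid", "confirmation", "otp", "activation"}


class _HrefCollector(HTMLParser):
    """Collects href targets of <a> tags in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())


_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(html_body: str) -> list:
    """Anchor targets first, then bare URLs from the text; de-duplicated, order kept.
    Trailing prose punctuation (the comma after the .zip link) is not part of the URL."""
    collector = _HrefCollector()
    collector.feed(html_body)
    seen, out = set(), []
    for u in collector.hrefs + _URL_RE.findall(html_body):
        u = u.rstrip(".,;:)!?")
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def detonation_decision(url: str) -> tuple:
    """Return (detonate, reason). Links that cannot be fetched, belong to allow-listed
    hosts, or would change state for the recipient are analysed statically only."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "not an http(s) link"
    host = (parts.hostname or "").lower()
    if host in ALLOWLISTED_HOSTS:
        return False, "allow-listed host"
    if SIDE_EFFECT_MARKERS.search(parts.path) or SIDE_EFFECT_MARKERS.search(parts.query):
        return False, "link has a side effect for the recipient"
    if TOKEN_PARAMS & set(parse_qs(parts.query)):
        return False, "link carries a one-time token"
    return True, "detonate"


def triage(html_body: str) -> dict:
    """Map every extracted link to its detonation decision."""
    return {u: detonation_decision(u) for u in extract_links(html_body)}


if __name__ == "__main__":
    for url, (go, why) in triage(HTML_BODY).items():
        print(("DETONATE  " if go else "SKIP      ") + url + "  (" + why + ")")
```

The activation link is the case that matters: it is also the shape a credential-phishing lure takes, so skipping it for dynamic analysis is not the same as ignoring it. The static stage still sees the host, path and token, and a reputation lookup on the host costs the recipient nothing, whereas a sandbox GET would consume the token and lock the real user out of their own activation.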
Yes. In addition to supporting a set of default passwords, VMRay Email Threat Defender scans the body of the email for passwords that can be used to decrypt the contents of attachments.
This ensures that encrypted archives cannot be leveraged to evade detection.
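The two behaviours described above, a configured set of standard passwords plus passwords recovered from the message text, as one added example; it also covers the standard-password upload behaviour described for VMRay Analyzer earlier on this page. This is example code written for this page, not VMRay's: the message, the regular expression, the default-password list and the archive builder are all constructed assumptions. Python's zipfile can read but not write ZipCrypto archives, so the block carries a minimal encrypted-ZIP writer purely to create a test fixture.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# Constructed inbound message; not a real email processed by VMRay ETD.
EMAIL_BODY = """Hello,

please find the invoice attached. The password for the archive is Inv0ice2024.
Kennwort: Inv0ice2024
Please pass this on to accounting.

Best regards"""

# Assumed set of standard passwords the sandbox accepts for uploads.
DEFAULT_PASSWORDS = [b"infected", b"malware", b"virus"]

# "password"/"passcode"/"Passwort"/"Kennwort" followed within 40 chars by ':', '=',
# "is"/"ist"/"lautet", then the candidate token. Trailing prose punctuation is not
# part of the token, so a password that really ends in '.' must be quoted in the mail.
_PWD_RE = re.compile(
    r"\b(?:pass(?:word|wort|code|phrase)?|kennwort|pwd)\b[^\n:=]{0,40}?"
    r"(?::|=|\bis\b|\bist\b|\blautet\b)\s*[\"'“‘]?([^\s\"'”’,.;!]+)", re.I)


def extract_password_candidates(body: str) -> list:
    """Ordered, de-duplicated password candidates mentioned in the message text."""
    out = []
    for m in _PWD_RE.finditer(body):
        if m.group(1) not in out:
            out.append(m.group(1))
    return out


def open_protected_archive(zip_bytes: bytes, candidates):
    """Try each candidate; return (password, {name: content}) or (None, None).
    zipfile rejects a wrong password via the 12-byte header check (RuntimeError)
    or, 1 time in 256, only via the CRC mismatch after reading (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                return pwd, {n: zf.read(n, pwd=pwd) for n in zf.namelist()}
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: try the next candidate
    return None, None


def find_password_and_open(zip_bytes: bytes, body: str):
    """Body-derived candidates first (more specific), then the configured defaults."""
    candidates = [c.encode("utf-8") for c in extract_password_candidates(body)]
    return open_protected_archive(zip_bytes, candidates + DEFAULT_PASSWORDS)


# Test-fixture builder: minimal ZipCrypto (traditional PKWARE) writer, because the
# standard library can read but not write encrypted archives. Not for production use.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class _ZipCryptoEncryptor:
    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            k = self.k2 | 2
            out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key stream advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, payload: bytes, pwd: bytes) -> bytes:
    """One stored (uncompressed) entry, ZipCrypto-encrypted, readable by zipfile."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    enc = _ZipCryptoEncryptor(pwd)
    header = os.urandom(11) + bytes([crc >> 24])  # byte 12 lets readers reject bad passwords early
    body = enc.encrypt(header) + enc.encrypt(payload)
    fname = name.encode("ascii")
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, 1, 0, 0, 0x21,
                        crc, len(body), len(payload), len(fname), 0) + fname
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


if __name__ == "__main__":
    sample = build_encrypted_zip("invoice.js", b"var x = 'constructed payload';", b"Inv0ice2024")
    print(find_password_and_open(sample, EMAIL_BODY))
```

The decoy line "Please pass this on to accounting" shows why the separator matters: a bare "pass" with nothing that looks like an assignment after it yields no candidate. False candidates are cheap anyway, since a wrong password is rejected by the archive itself, which is also why the open loop has to treat a CRC failure as "wrong password" and not as a corrupt file.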
Integrating VMRay Email Threat Defender into your infrastructure is as simple as blind-copying (BCC) inbound messages to it.
Additionally, the Cloud version of VMRay Email Threat Defender supports an API based Office 365 integration which is capable of scanning the inboxes of your users once a connection to your tenant has been established.
VMRay Email Threat Defender Cloud or On-Premises are annual subscriptions. Licensing is based on the number of mailboxes in your organization.
Although a VMRay Analyzer instance is required to operate the ETD, a corresponding Analyzer license is not. Without a VMRay Analyzer license, only verdicts are available; full reports require Analyzer quota.