VMRay – F.A.Q.

Malware Analysis & Detection Platform FAQ

VMRay Product Portfolio

VMRay offers two product options:

VMRay Analyzer: VMRay Analyzer is an automated malware analysis solution that enables analysts to monitor, analyze and identify threats and extract indicators of compromise (IOCs). VMRay Analyzer is our flagship product and can be deployed on-premises or in the Cloud.

VMRay Analyzer utilizes our underlying Now, Near, Deep architecture.

VMRay offers a unique mix of stealthiness and efficacy that allows it to stand out from the pack. Traditional sandbox solutions either do not produce results at all due to being detected by malware (which then ceases operation) or produce too much data due to poor result filtering or slow performance.

VMRay delivers reliable results without adding the burden of filtering irrelevant data for your analysts. With years of experience and continuous efforts, VMRay is well-equipped both for current malware and for staying ahead of the game when encountering new threats.

VMRay is capable of detonating each sample in multiple analysis environments (i.e. virtual machines with different configurations). This ensures that customers will be able to see as much behavior as possible from a submitted sample, no matter what system it is targeting.

The selection depends on the file type at hand, i.e. both the VMs themselves and their number will depend on what has been submitted. A single file can lead to multiple analyses, which will be deducted from the quota. The selection of the analysis environments can be controlled by the user (e.g. by removing detonation environments from a submission or adding additional, non-standard ones).


“Now, Near, Deep” combines dynamic analysis with our static analysis engine and built-in reputation checking. Our groundbreaking dynamic analysis engine is at the heart of this approach. It utilizes hypervisor-based monitoring, which embodies four differentiating traits:

  • Evasion resistance
  • Full visibility
  • Precise, noise-free output
  • Scalability to support short-term spikes and long-term growth.

The Now, Near, Deep approach enables security teams to handle larger analysis volumes, speed up detection, and improve the productivity and efficacy of security personnel and infrastructure.

For more information on our Now, Near, Deep approach, read our blog post.

Unlike traditional malware sandboxing solutions, VMRay monitors malware behavior solely from the hypervisor layer and does not need to modify a single bit in the analysis environment. This allows VMRay’s products to monitor the interaction between the malware and the system while remaining completely invisible to malware.

Today, malware is designed to recognize when it runs inside an analysis environment and can stall or exit inside a sandbox. Yet even the most evasive malware will reveal its behavior in VMRay’s products.

For more information on our hypervisor-based monitoring technology, read our Technology Whitepaper.

Privacy & Compliance

All samples uploaded to VMRay Cloud products are only accessible by users in your organization.

VMRay does not share any files or identifiable customer data with external parties. See our license agreement and DPA for our data protection policy under GDPR.

If you enable VirusTotal integration with your API key, then VirusTotal will receive a hash query during analysis.

Yes, VMRay is GDPR compliant.

VMRay On-Premises customers can ensure that their data never leaves their network. For organizations choosing a cloud solution, personal data and other sensitive information is protected in accordance with some of the strictest data privacy laws in the world.

VMRay allows customers to create a completely isolated environment for analyzing advanced malware threats, without the risks posed by open-source tools and services. Our Data Processing Agreement (DPA) for GDPR compliance is available here.

Yes. VMRay features SAML 2.0 support for single sign-on (SSO), making it easy to integrate our platform with your company’s chosen identity provider.

Yes. Users can enable 2FA and use a Time-based One-Time Password (TOTP) token generated from another device to access their VMRay account. Popular 2FA apps such as Google Authenticator or Duo can be used to scan and generate codes required for authentication. In addition, VMRay’s SSO support can be leveraged to use the identity provider’s MFA support.

Yes. VMRay offers two data center locations, one in the EU and the other in the US, to our customers. While located in different regions, both are ISO27001 compliant, meet GDPR standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Read more here.


Support is available during European and US office hours. Support tickets can be opened via email or our Zendesk portal or by calling our toll-free number +1(888)958-5801 (in North America).

More details are available in our license agreement at www.vmray-legal.com or see our Contact page.

VMRay Analyzer


VMRay Analyzer Cloud and On-Premises both have the same core functionality and ability to analyze and detect malware. The main difference between Cloud and On-Premises is the level of customization offered.

VMRay Analyzer On-Premises supports extensive customization of:

  • Target VMs: Security teams can analyze files and URLs in fully customized VM images, such as the organization’s own Gold Image.
  • Detection Rules and the Analysis Scoring System: Security teams can add their own detection rules and customize the built-in analysis scoring system (VMRay Threat Identifier or VTI Score, as well as YARA rules).
  • Backend Global Settings: This includes the ability to create independent user groups, modify advanced network configuration settings, change other advanced settings such as the total size and number of memory dumps per analysis etc.

VMRay Analyzer On-Premises is a “bring your own hardware” deployment. Our team works with customers to determine the appropriate hardware configuration and specifications. Our installer pulls down all required components automatically, starting with the OS, simplifying the install and configuration process.

VMRay Analyzer employs a ‘Now, Near, Deep’ architecture – files can first be triaged by our ultrafast reputation engine (‘Now’), then statically analyzed for active and potentially malicious components (‘Near’) before a full dynamic sandbox analysis (‘Deep’). Our sandbox analysis is the fastest and most scalable on the market, delivering bare-metal performance in a cost-effective virtualized environment.

For more information read our Hyperscaling blog post.

Yes. The VMRay Analyzer updates can be downloaded from our portal, copied onto media, and subsequently applied.

Users will not be able to update the file reputation service when air-gapped. Users will still need to manually update the AV definitions for the AV engines they are running.

Yes. VMRay can integrate quickly and easily into your email infrastructure.


A VMRay Analyzer Report provides:

  • High-level sample verdict (Malicious, Suspicious or Not Suspicious)
  • Threat Indicators (VTI Rules)
  • Mapping of VTI rules to the MITRE ATT&CK Enterprise Matrix
  • Screenshots
  • Network Behavior
  • IOCs
  • Downloadable Function Log
  • And much more

View our Malware Analysis Reports page to see interactive VMRay Analyzer Reports.

VMRay is focused on delivering malware analysis and detection for the most common desktop operating systems. To that end, we currently support Windows Operating Systems (Windows 7 to Windows 10) and macOS Big Sur 11.6.5 in our Cloud service. Additional Windows targets are supported for On-Premises.

We support all major formats for office documents, scripts, archives, drivers, executables as well as URLs. We are constantly expanding the range of file types supported as malware authors seek new infection vectors.

For more information about our supported file types, contact our Sales Team.

Yes, you can manually interact with malware via VNC. For more information on our interactive mode read our blog post on our interactive analysis capabilities.

VMRay Analyzer provides out-of-the-box support for third-party platforms across the security ecosystem – End Point Protection (EPP), SIEM, SecOps (SOAR), Threat Intelligence (TIP) and more. We also have a documented REST API and sample Python libraries for custom integrations.

View a complete list of VMRay Analyzer’s out-of-the-box integrations.

An Indicator of Compromise (IOC) is a piece of forensics data derived from manual or automatic analysis, which is useful in characterizing the behavior of a given threat and can be used to identify that threat in other contexts.

IOCs are a subset of a larger universe: artifacts that encompass all forensics information related to the threat. This includes files, URLs, IPs, processes, registries and other data that’s observed during runtime in the sandbox or statically extracted from the analyzed file, such as links in an email sample.

VMRay Analyzer uses the VMRay Threat Identifier (VTI) system to flag and score artifacts and determine which qualify as IOCs.

The paths for sample submission to VMRay Analyzer include manual submission via WebUI, email submission via IR Mailbox, custom-built integration via REST API, and out-of-the-box connectors for 3rd party integrations.

Yes. All elements which are available in the VMRay Analyzer Report are also available to be downloaded via the API and therefore can be used for integrations with 3rd party systems.

Yes, both password-protected archives and documents are supported. A standard password can be configured in order to simplify and streamline the upload of samples for analysis without endangering the source system, and the user is able to provide passwords on-the-fly if a different one is used.


VMRay Analyzer Cloud or On-Premises are annual subscriptions. Licensing is based on the number of dynamic analyses performed per day. A perpetual license option is available for On-Premises customers.
