Setting Up FlareVM on VMware

IritT
10 min read · Jan 12, 2025


VMware is an excellent platform to host FlareVM because of its robust virtualization features, making it ideal for creating isolated environments for malware analysis. Below is a step-by-step guide to set up FlareVM on VMware.

What Is FlareVM?

FlareVM (FLARE VM), developed by the FLARE team at FireEye (now Mandiant), turns a standard Windows virtual machine into a full malware analysis environment by installing and configuring hundreds of tools through Chocolatey, including IDA Free, OllyDbg, Ghidra and many more.

FlareVM is useful for:

Malware Reverse Engineering: Analyzing the behavior of malicious code.
Incident Response: Investigating cyber incidents effectively.
Digital Forensics: Examining compromised systems.

Create a New Virtual Machine

Open VMware Workstation.
Click Create a New Virtual Machine.
Select Installer disc image file (ISO) and browse for your Windows ISO. If you don’t have one, download a fresh Windows 10 or 11 ISO from Microsoft’s official site.
Follow the prompts to configure the virtual machine:
Name: call it “FlareVM”.
Processor: assign at least 2 cores (4 preferred).
Memory (RAM): allocate 8 GB (minimum 4 GB if host resources are limited).
Disk size: allocate at least 60 GB, the minimum the FLARE VM installer checks for. Leave “Allocate all disk space now” unchecked so the virtual disk grows on demand instead of reserving the full size up front.
Network settings: use NAT or Bridged only while installing Windows and FLARE VM, because the installer downloads every tool. Before you analyze any sample, switch the adapter to Host-only or disconnect it entirely.

Install Windows on the VM

Start the newly created virtual machine.
The ISO will boot, and the Windows installation process will begin.
Complete the installation with default settings (unless specific requirements apply).
Once done, log in to your Windows desktop.

Detailed Setup: Preparing Windows for the FlareVM Installer

Set PowerShell Execution Policy

Open PowerShell as Administrator and run the following. The FLARE VM installer requires it. Unrestricted lets any local script run without a signature, so once the installation is finished you may want to tighten it again to RemoteSigned.

Set-ExecutionPolicy Unrestricted -Force

Install Git

Download Git for Windows from https://git-scm.com/.

Git is not needed by the FLARE VM installer itself, which pulls tools through Chocolatey, but it is the easiest way to clone analysis scripts, YARA rule sets and tool repositories into the VM, and to keep your own scripts and notes versioned.

Follow the installation steps and ensure it’s accessible via the command line.

License: the GNU General Public License screen needs no input. Click Next to proceed.

Select Destination Location

Leave the default location and click Next unless you have a specific reason to install it somewhere else.

Select Components

Leave the default settings checked and click Next.

Select Start Menu Folder: This lets you choose where Git shortcuts will appear in your Start Menu.

Leave the default and click Next.

Choosing the Default Editor: If you’re comfortable with Vim, leave it selected. Otherwise:

Click the dropdown and choose a simpler editor like Notepad++, VS Code, or something else you prefer.

Click Next to continue.

Choose “main” as the default branch name.

The open-source community has largely moved away from “master” as the default branch name, and most modern projects and hosting services now create “main” by default, so repositories you create in the VM will match what you clone.

Choose “Git from the command line and also from 3rd-party software” (Second option)

  • It allows Git to work in Git Bash, Command Prompt (cmd), and PowerShell.
  • It makes Git accessible for other security and malware analysis tools that might need it.
  • It avoids unnecessary Unix tools that could interfere with Windows commands.

Choose “Use bundled OpenSSH” (First option)

  • The bundled OpenSSH comes with Git and is tested to work smoothly.
  • It does not depend on system-wide OpenSSH settings, avoiding potential conflicts.
  • It is easier to manage, especially in a controlled environment like FLARE VM.

Choose “Use the OpenSSL library” (First option)

  • OpenSSL is the standard for Git on Linux and in most security-focused environments.
  • It validates HTTPS connections with Git’s own CA bundle rather than the Windows certificate store, so behaviour is the same across systems.
  • It is more predictable for security-related tools and does not depend on Windows settings.

Caveat: because OpenSSL ignores the Windows certificate store, a corporate TLS-inspection proxy’s root certificate has to be added to Git’s bundle (or referenced with http.sslCAInfo) or HTTPS clones will fail with certificate errors. If the VM sits behind such a proxy, the “native Windows Secure Channel” option avoids that. For an isolated FLARE VM, OpenSSL is the more common choice.

Click “Next” to proceed!

Choose “Checkout as-is, commit Unix-style line endings” (Second option)

  • FLARE VM is often used for security research and malware analysis, where Linux-based scripts and tools are common.
  • This setting keeps files unchanged when checking out, but ensures they use LF (Unix-style) endings when committing.
  • It avoids issues when working with Linux-based security tools and cross-platform scripts.

Click “Next” to continue with the recommended settings!

Choose “Use MinTTY (the default terminal of MSYS2)” (First option)

  • MinTTY is more powerful than the default Windows console.
  • It supports resizable windows, better text rendering, and Unicode fonts.
  • It allows copy-pasting and better selection of text in the terminal.
  • It is the default for Git Bash and works well with Linux-like tools in FLARE VM.

For FLARE VM and security research, MinTTY is highly recommended because it behaves more like a Linux terminal.

Click “Next” to continue!

Choose “Fast-forward or merge” (First option — default)

  • This is the most common and safest option for most users.
  • If no changes conflict, Git will fast-forward the branch (move it forward without extra commits).
  • If there are conflicting changes, Git will create a merge commit, keeping both versions.

For FLARE VM and general use, “Fast-forward or merge” is the most practical option.

Click “Next” to continue!

Choose a credential helper

  • Git Credential Manager (GCM), the default, stores your GitHub, GitLab or Bitbucket credentials in the Windows Credential Manager and supports OAuth, so you are not re-entering a password or token on every push.
  • On a normal workstation it is the best choice.

For a malware analysis VM, think twice: anything saved in the Windows Credential Manager is available to whatever you detonate in that VM. If you only clone public repositories into FLARE VM, select “None” here, and never authenticate to a real account from the analysis VM; if you must push from it, use a throwaway token scoped to a throwaway repository.

Click “Next” to continue!

Choose “Enable file system caching” (Checked by default)

  • Improves performance by caching file data in memory.
  • Speeds up Git operations on large repositories.
  • Recommended for all users.

For FLARE VM, it’s best to keep file system caching enabled and leave symbolic links disabled unless you specifically need them.

Click “Install” to begin the installation!

The installer extracts the files and installs Git on the computer.

If you don’t need to use Git immediately: Uncheck both boxes and click Finish. You can open Git Bash later from the Start Menu.

Prepare Windows for FlareVM

Before installing FLARE VM, decide whether you want Visual Studio in the base image. The FLARE VM installer does not list it as a prerequisite (tool packages that need the Visual C++ runtime declare it as a Chocolatey dependency), but some tools you may add later depend on Visual Studio libraries, build tools or a full development environment, and having it in the pre-install snapshot saves a reinstall.

Download the Visual Studio Installer

Visit the Visual Studio Downloads page.

Choose the Community Edition (free) unless you need a paid version, and keep the workload selection small; the “Desktop development with C++” workload covers most native tool builds.

Turn Off Real-Time Protection

Also before installing FlareVM, disable Windows Defender. It classifies many of the tools FLARE VM installs (debuggers, packers, credential and injection utilities) as malicious and will quarantine them mid-install even though they are analysis tools. Two steps, in this order:

First turn off Tamper Protection. It can only be switched off in the Windows Security app (Virus & threat protection > Manage settings > Tamper Protection). While it is on, Windows silently ignores the PowerShell and registry changes below.

Then turn off real-time protection from an elevated PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

Disable Windows Defender via Registry

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f

Caveat: Microsoft documents DisableAntiSpyware as discontinued and ignored on Windows 10 and 11 client builds since the August 2020 Defender platform update, so on a current ISO these keys may do nothing. Treat them as optional: the Tamper Protection and real-time protection switches are what actually matter, and the status check after the reboot tells you whether they took.

Restart Your System

After making these changes, restart the VM so the settings take effect:

Restart-Computer

Check Windows Defender Status

After the reboot, confirm the change stuck. In the output, RealTimeProtectionEnabled and IsTamperProtected must both be False before you run the installer; AMServiceEnabled will usually stay True unless you managed to stop the service itself.

Get-MpComputerStatus

Note: the installer expects Defender to stay disabled, and most analysts keep it off inside the analysis VM because it quarantines samples and flags analysis tools. If you re-enable Defender and Tamper Protection afterwards for general use of the VM, expect that behaviour, and rely on snapshots and network isolation rather than the antivirus for safety.
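The Tamper Protection, real-time protection and verification steps above, combined into one check. This is an added example, not FLARE VM’s own code; it only uses the Defender cmdlets already shown on this page and refuses to change anything while Tamper Protection is still on, because the change would be ignored anyway.

```powershell
# Added example (not FLARE VM's own code): verify Tamper Protection is off,
# disable real-time protection, and confirm the change was honored.
# Run from an elevated PowerShell inside the analysis VM.

$status = Get-MpComputerStatus

if ($status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is ON: Set-MpPreference and the Defender registry policies are ignored while it is enabled.'
    Write-Warning 'Turn it off in Windows Security > Virus & threat protection > Manage settings, then run this check again.'
}
else {
    # Tamper Protection is off, so the preference change below is honored.
    Set-MpPreference -DisableRealtimeMonitoring $true

    # Re-read the status and show the fields that matter for the installer.
    $status = Get-MpComputerStatus
    $status | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected | Format-List

    if ($status.RealTimeProtectionEnabled) {
        Write-Warning 'Real-time protection is still enabled; reboot and run this check again before installing.'
    }
    else {
        Write-Host 'Real-time protection is off. Take a VM snapshot now, then run the FLARE VM installer.'
    }
}
```

Run it once before the reboot and once after: Defender sometimes re-arms real-time protection on restart, and the second run is the one that counts.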

Install FlareVM

With the preparation complete, proceed with the FlareVM installation:

Open PowerShell as Administrator, then download and execute the FLARE VM installation script.

This installs FLARE VM, a toolkit for malware analysis, reverse engineering and forensic tasks, on top of the Windows VM you just prepared.

iwr -Uri https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1 -UseBasicParsing | iex

Piping a freshly downloaded script straight into iex runs it before you have seen it. The FLARE VM README’s recommended flow is to download install.ps1 to the desktop, Unblock-File it and run it from disk, which also lets you keep a hash of exactly what you ran.

The script first checks that Defender is disabled. If you verified that real-time protection is off (or AMServiceEnabled: False, if you stopped the service itself), proceed with option 1 and type Y to continue.
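The download-first variant of the one-liner, as an added example (not the page’s or the FLARE VM project’s own command). It assumes the README’s main-branch path for install.ps1, which you should confirm against the repository before relying on it; the hash file name and the patterns searched for are my choices.

```powershell
# Added example (not the page's or the project's own command): fetch install.ps1 to the
# desktop, record its hash, skim it for remote-execution calls, then run it from disk.
# The URL follows the FLARE VM README's main-branch path; confirm it against the README.

$url  = 'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) 'install.ps1'

Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing

# Keep the hash with your notes so a later re-download can be compared against it.
(Get-FileHash -Path $dest -Algorithm SHA256).Hash | Tee-Object -FilePath "$dest.sha256"

# Anything that evaluates downloaded strings deserves a look before you run the file.
Select-String -Path $dest -Pattern 'Invoke-Expression|\biex\b|DownloadString' |
    ForEach-Object { "{0}: {1}" -f $_.LineNumber, $_.Line.Trim() }

# Remove the Mark-of-the-Web so the execution policy does not block a downloaded script,
# then run it from disk. The installer prompts for the snapshot confirmation and password.
Unblock-File -Path $dest
Set-Location (Split-Path $dest)
.\install.ps1
```

Hits from the Select-String pass are not automatically a problem (an installer that bootstraps Chocolatey has to download and run code), but they are the lines to read before you type Y at the prompts.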

A prompt will ask whether you have taken a VM snapshot before proceeding. A snapshot captures the current state of the virtual machine (the disk and, for a running VM, its memory), so you can revert to this exact point if something goes wrong during the installation.

Take one now if you have not already: go to VM > Snapshot > Take Snapshot, and give it a recognizable name such as “pre-FLARE” so it is easy to find later.

If you have a snapshot, answer Y and the installation continues.

A prompt will then ask for the password of the user account under which the FLARE VM installation is being performed.

The script uses it to configure automatic logon so the installation can continue unattended across the reboots it triggers; it also needs administrative permissions for the installation tasks and configuration.

A FLARE VM Install Customization window will open. It lets you customize the installation settings and choose which tools to include in your FLARE VM environment.

Keep Default Directories unless you have specific needs for storage locations.

Review the Tool List: If you’re unsure about which tools to include, stick to the default list (on the right). It includes the most popular and commonly used tools.

You can always add or remove tools later.

Click OK to begin the installation.

The script restarts the VM as needed to apply changes. After each restart it logs back in automatically (that is what the password was for) and picks up where it left off.

Let the process continue: There’s no need to intervene. The installation will proceed automatically.

It may take some time depending on the speed of your internet connection.

Once completed, restart the virtual machine.
Log back in, and your desktop should now have a FlareVM theme and tools installed.

Display a list of installed packages on your system

1. Using the Chocolatey command

This shows every package installed on the machine via Chocolatey, which is how FLARE VM installs its tools. Note the flag spelling: “- local-only” with a space is a typo and will not work. On Chocolatey 1.x use:

choco list --local-only

On Chocolatey 2.x that flag was removed and choco list shows local packages by default:

choco list

2. Using the Windows Registry

This method shows all software registered with Windows, not just Chocolatey packages. Query the Uninstall key and select the useful fields (DisplayName, DisplayVersion, Publisher, InstallDate):

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

For software installed for the current user only:

Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

32-bit applications on 64-bit Windows register under HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead, so check that key too if something seems to be missing.

3. Checking the Chocolatey library folder

Each Chocolatey package gets a folder under lib named after its package id:

Get-ChildItem "C:\ProgramData\chocolatey\lib" | Select-Object Name

4. Save the list to a file

Write the list to C:\temp\InstalledPackages.txt (create C:\temp first; the redirect fails if the folder does not exist):

choco list > C:\temp\InstalledPackages.txt
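The three inventory sources above combined into one script that also diffs against a saved baseline, so you can see exactly what a tool install, or a detonated sample, added to the VM. This is an added example, not part of the original page or of FLARE VM; the C:\temp paths and file names are assumptions, and it goes beyond the page by also covering the WOW6432Node key and reading package versions from the Chocolatey .nuspec files.

```powershell
# Added example (not part of the original page or of FLARE VM): build an inventory of
# everything installed in the VM, save it, and diff it against a saved baseline.
# Paths and file names are assumptions; adjust to taste.

$dir      = 'C:\temp'
$baseline = Join-Path $dir 'InstalledPackages.baseline.csv'
$current  = Join-Path $dir 'InstalledPackages.csv'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

function Get-InstalledInventory {
    # Chocolatey: one folder per package id under lib, with <id>.nuspec holding the version.
    $choco = Get-ChildItem 'C:\ProgramData\chocolatey\lib' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $nuspec  = Join-Path $_.FullName "$($_.Name).nuspec"
            $version = if (Test-Path $nuspec) { ([xml](Get-Content $nuspec)).package.metadata.version } else { '' }
            [pscustomobject]@{ Source = 'choco'; Name = $_.Name; Version = [string]$version }
        }

    # Uninstall keys: 64-bit and 32-bit (WOW6432Node) machine-wide installs plus per-user installs.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $registry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'registry'; Name = $_.DisplayName; Version = [string]$_.DisplayVersion }
        }

    @($choco) + @($registry) | Sort-Object Source, Name, Version -Unique
}

$inventory = Get-InstalledInventory
$inventory | Export-Csv -Path $current -NoTypeInformation
"{0} entries written to {1}" -f $inventory.Count, $current

if (Test-Path $baseline) {
    # '=>' means the entry exists only in the current inventory (added since the baseline);
    # '<=' means it exists only in the baseline (removed since then).
    Compare-Object -ReferenceObject (Import-Csv $baseline) -DifferenceObject $inventory -Property Source, Name, Version |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
            "{0,-8} {1,-9} {2} {3}" -f $change, $_.Source, $_.Name, $_.Version
        }
}
else {
    Copy-Item -Path $current -Destination $baseline
    "No baseline found; saved the current inventory as the baseline: $baseline"
}
```

Run it once right after the FLARE VM install finishes to create the baseline, snapshot the VM, and run it again after any change you want to account for. Version is cast to a string on both sides so that an empty registry DisplayVersion does not show up as a spurious difference after a round trip through CSV.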

Explore FlareVM Tools

IDA Free: Reverse engineering and disassembly.

Procmon: Monitor file system, registry, process/thread and network activity in real time.

Wireshark: Network packet analysis.

PE-bear: Examine PE file headers.

Ghidra: Advanced reverse engineering.

Additional Resources

VMware Official Documentation

FlareVM GitHub Repository: https://github.com/mandiant/flare-vm

FlareVM Setup Overview

Visual Aids

Download or view step-by-step screenshots from VMware, Windows, and FlareVM guides:

Windows Installation Guide

FlareVM Installation Steps on GitHub

Final Note

FlareVM is more than just a toolkit; it’s a gateway to mastering malware analysis and cybersecurity defense. By leveraging FlareVM’s robust environment, you can:

  1. Dissect and Understand Malware Behavior: Tools like IDA Free, Procmon, and Ghidra let you explore how malicious software operates, giving you critical insights to counter threats.
  2. Enhance Your Incident Response Skills: Quickly investigate and mitigate cyber incidents by analyzing suspicious files and network traffic in a safe, isolated environment.
  3. Contribute to Cybersecurity Defense: By understanding malware techniques, you can help develop better preventive measures and fortify systems against future attacks.

Best Practices for Safe Malware Analysis

  1. Isolate the VM: once FLARE VM is installed, switch the network adapter to Host-only or disconnect it, and disable shared folders, clipboard sharing and drag-and-drop in the VM settings, so a sample can reach neither the internet nor the host.
  2. Regular Snapshots: take a clean snapshot right after installation and revert to it after every analysis session, so nothing a sample did survives into the next one.
  3. Stay Updated: FLARE VM tools are Chocolatey packages, so choco upgrade all refreshes them. Do the update on a connected snapshot, then re-snapshot and isolate the VM again before the next analysis.
  4. Practice Ethical Usage: use FLARE VM responsibly and within the boundaries of the law to strengthen cybersecurity defenses, not to exploit vulnerabilities.
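A guest-side check for the isolation rule above, as an added example that is not part of the page or of FLARE VM. It probes for a default route, DNS resolution, ICMP and an outbound TCP connection, and lists VMware shared folders; example.com is just a sample probe target, and the expected outcome on a correctly isolated VM is that every probe fails.

```powershell
# Added example (not from the page or FLARE VM): run inside the guest before detonating
# a sample to confirm the VM cannot reach the outside world. 'example.com' is only a
# probe target; any public name works. On an isolated VM every probe should fail.

$findings = @()

# 1. A default route means packets can leave the host-only segment.
$gateways = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($gw in $gateways) {
    $findings += "default route via $($gw.NextHop) on '$($gw.InterfaceAlias)'"
}

# 2. Resolving a public name means a resolver path out of the VM exists.
$dns = Resolve-DnsName -Name 'example.com' -Type A -ErrorAction SilentlyContinue
if ($dns) { $findings += "DNS resolved example.com to $($dns.IPAddress -join ', ')" }

# 3. Direct reachability: ICMP echo and an outbound TCP/443 connect.
if (Test-Connection -ComputerName 'example.com' -Count 1 -Quiet -ErrorAction SilentlyContinue) {
    $findings += 'ICMP echo to example.com succeeded'
}
$tcp = Test-NetConnection -ComputerName 'example.com' -Port 443 -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { $findings += 'TCP connect to example.com:443 succeeded' }

# 4. VMware shared folders are mounted from \\vmware-host and give a sample a path to the host.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\vmware-host\*' } |
    ForEach-Object { $findings += "VMware shared folder mapped: $($_.DisplayRoot)" }

if ($findings.Count -eq 0) {
    'Isolation check passed: no route, DNS, ICMP or TCP path out of the VM, no shared folders.'
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
    'Isolation check FAILED: fix the VM network and sharing settings before running a sample.'
}
```

A passing result only proves the guest cannot reach out at the moment you ran it; revert to your clean snapshot and re-run the check whenever you change the VM’s network settings for an update.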
