mandiant / flare-vm

A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Apache License 2.0

FlareVM Docker version #352

Closed Chris2011 closed 3 years ago

Chris2011 commented 3 years ago

Afaik docker for windows can create windows docker containers. So my question is, does it make sense to have a fully configured docker image for flare-vm or not? I don't know what the docker images for windows will look like, but that could be a nice enhancement, what do you think?

htnhan commented 3 years ago

Hi @Chris2011,

I am not familiar with docker on windows enough to comment on this. My only concerns are regarding the purpose of FLARE-VM docker image. Here are my concerns:

  1. As a malware analysis platform, we intentionally have many weak settings to allow a sample to do as much as it can. Running FLARE-VM as a docker image may affect your host security.
  2. I am not sure if the docker container is enough to isolate malware from affecting your host.
  3. I don't see a huge benefit from using a docker image vs. a VM for malware analysis. On the other hand, there may be more you can do with VMI and FLARE-VM to build your own sandbox.

htnhan

Chris2011 commented 3 years ago

Hey @htnhan sure, it was just an idea :).

htnhan commented 3 years ago

Hi @Chris2011, thank you for using and supporting FLARE-VM. We would love to get more ideas from our community. Please, feel free to share with us how you think FLARE-VM can be more useful.

In the meantime, I'll close this ticket out.

PolarBearGod commented 2 years ago

If possible, I would like to resurrect this conversation. I think some of the issues identified are not really "issues" per se. There is definitely a split between what can be containerized versus what is best done as a virtual machine, but it is best to let the users determine their own deployments.

> As a malware analysis platform, we intentionally have many weak settings to allow a sample to do as much as it can. Running FLARE-VM as a docker image may affect your host security.

As a malware analysis platform that is hosted I hope this is not the case. Virtual machine escaping is still a thing. If you are fully detonating malware inside of this, I think there is something wrong with that situation if we left things weak on purpose. Malware analysis is the view into malware. Malware execution should be done in a controlled, known, isolated environment, where the risk of escape is minimal. Lastly, people doing malware analysis should know how best to secure their host and virtual machine(s). If we worried about the impact to host with a virtual image, why are we worried about the host if it is in a docker container?

> I am not sure if the docker container is enough to isolate malware from affecting your host.

It absolutely is and there are plenty of security products that run purely on docker. Look at KASM as an example (my primary use case).

> I don't see a huge benefit from using docker image vs. a VM for malware analysis. On the other hands, there may be more you can do with VMI and FLARE-VM to build your own sandbox.

We should understand all use cases and not dismiss other uses because "you don't see a huge benefit". My use case above with KASM could allow a completely isolated docker image available at the right-click of a mouse, anytime, anywhere. We can deploy this to all our incident responders, intelligence analysts, SOC team, and forensic investigators to kick the tires on something without needing to figure out a way to get it off a given network onto the isolated network with FLARE. We then destroy the image and move on with life without needing to worry about restoring to prior snapshots, or Chocolatey, or whatever other updates.

To be clear, I love FLARE but I think the next evolution of it would be a Docker-ized version.