- Retrieve malware sample metadata file
- Verify necessary fields within metadata file (scan info and file extension)
- Validate corresponding malware sample file exists
- Revert each virtual machine to known good snapshot
- Start each virtual machine from snapshot
- Transfer malware sample to each virtual machine
- Verify the malware sample made it to the system
- Run the malware sample on each virtual machine
- Collect the exit code from each sample run on each virtual machine (if possible)
- Collect process logs from each virtual machine, filtered for the sample name (if possible)
- Collect application whitelisting logs from each virtual machine, filtered for the sample name (if possible)
- Log the collected data to mongo
- Stop each virtual machine
- Repeat steps until all valid samples in selection have been tested
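Added example, not code from the vm-runner project: the sample-validation steps (1-3) and the per-VM log collection and record-building steps (9-12) of the workflow above, in Python, run on constructed inputs. The metadata field names, the `<name>.<file_extension>` sample layout, the VM name and the log line formats are assumptions, since the README does not spell them out.

```python
import json
import os
import tempfile

# Field names are assumptions; the README only says the metadata must carry
# the scan info and the file extension.
REQUIRED_FIELDS = ("scan_info", "file_extension")

def missing_fields(meta):
    """Step 2: names of required fields absent from the metadata dict."""
    return [f for f in REQUIRED_FIELDS if f not in meta]

def validate_sample(metadata_path, sample_dir):
    """Steps 1-3: return (meta, sample_path) if the sample is usable, else None.
    Assumed layout: the sample lives in sample_dir as <name>.<file_extension>."""
    with open(metadata_path) as fh:
        meta = json.load(fh)
    if missing_fields(meta):
        return None
    path = os.path.join(sample_dir, f"{meta['name']}.{meta['file_extension']}")
    return (meta, path) if os.path.isfile(path) else None

def filter_log(lines, sample_name):
    """Steps 10-11: keep only the log lines that mention the sample name."""
    return [ln for ln in lines if sample_name in ln]

def build_record(meta, vm_name, exit_code, proc_log, wl_log):
    """Step 12: the document pushed to mongo for one sample on one VM."""
    name = meta["name"]
    return {
        "sample": name,
        "scan_info": meta["scan_info"],
        "vm": vm_name,
        "exit_code": exit_code,  # None when the run's exit code could not be read
        "process_log": filter_log(proc_log, name),
        "whitelist_log": filter_log(wl_log, name),
    }

def demo():
    """Runs the steps above on a constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        meta = {"name": "sample01", "file_extension": "exe",
                "scan_info": {"positives": 42, "total": 60}}  # constructed
        with open(os.path.join(d, "sample01.json"), "w") as fh:
            json.dump(meta, fh)
        open(os.path.join(d, "sample01.exe"), "wb").close()  # empty stand-in file
        meta, _path = validate_sample(os.path.join(d, "sample01.json"), d)
        proc_log = ["pid=1 cmd=explorer.exe", "pid=7 cmd=sample01.exe"]  # constructed
        wl_log = ["BLOCKED C:\\tmp\\sample01.exe", "ALLOWED notepad.exe"]  # constructed
        return build_record(meta, "vm-win10", 1, proc_log, wl_log)
```

`demo()` returns the record that step 12 would push to mongo; a sample whose metadata lacks a required field or whose file is missing is skipped by `validate_sample` returning `None`.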
vm-runner/runner.py
- main app for orchestrating the VMs and running the experiment
vm-runner/load_runner.json
- main config file
vm-runner/vm_control.py
- lib for controlling VirtualBox
vm-runner/vt_builder.py
- library for reading the VirusTotal AV scan info
vm-runner/data_logger.py
- data logger library for pushing collected results into mongo
vm-runner/data_parse.py
- parser script for the mongo dump, used to determine whitelisting effectiveness
vm-runner/imavirus.c
- test code - compile to test whitelisting apps
vm-runner/imavirus_fail.c
- test code - compile to test whitelisting apps
vm-runner/README.MD
- this file
vm-runner/loggerdump
vm-runner/tmp
- Install the base OS (Ubuntu)
- Install VirtualBox
- Clone this repo
- Get a copy of the VirusTotal academic database
- Create the loggerdump and tmp directories
- Modify vt_builder.py to reflect your file locations
- Modify the load_runner.json file to reflect necessary parameters (creds, sample numbers, etc.)
- Test runner.py with a low number of samples configured in load_runner.json
- Modify scripts to fit your environment
- Run data_parse.py on the dumped 'data' log
- Evaluate your results!