
FlareVM hides the fact it's a VM?

Open GuyMight44 opened this issue 4 years ago • 1 comments

Some malware has an anti-VM protection scheme built in to check to see if it's running in a virtual machine (like VirtualBox). Does FlareVM cover that up too in the setup?

GuyMight44 avatar Apr 12 '20 07:04 GuyMight44

Hi @GuyMight44,

FLARE VM does not try to hide the fact that it is a VM. Reasons behind this decision:

  1. VM detection depends heavily on the hypervisor (Workstation, Fusion, VirtualBox, etc). FLARE VM aims to support all hypervisors, so we do not try to hide any specific ones.
  2. Part of hiding the hypervisor means disabling certain quality of life services (like video drivers, copy/paste, etc). That is a preference that each person has to make to balance between convenience and hiding the hypervisor. We don't want to enforce that with FLARE VM.
  3. Many of the mitigations to Anti-VM techniques involve things we have to do outside of the VM like VM settings or even modifying the VM config file manually. We cannot support that within FLARE VM.

htnhan avatar Apr 15 '20 17:04 htnhan

Thank you for your feedback! We've been working on major updates to FLARE VM over the last year. The now revamped FLARE VM has just been released and will make the project more open and maintainable. Please check out our blog post at https://www.mandiant.com/resources/blog/flarevm-open-to-public and give the new installation a try.

If this problem still persists with the new installation, please report:

  • new tools or tool-related issues at https://github.com/mandiant/VM-Packages/issues
  • ideas and issues related to the installer script and configuration at https://github.com/mandiant/flare-vm/issues

Please note that we use this message to close all legacy issues in this repository. We look forward to your feedback and support for the next generation of FLARE VM.

vm-packages avatar Dec 05 '22 15:12 vm-packages