All-Malware-Analysing.md

Install FlareVM on Windows 10 VM Machine

Credit to Flare VM for the script.

This gist is to pick a former version of the install script and have it installed successfully on a Windows 10 x64 1809 VM machine becuase the latest one doesn't work.

Note: FLARE VM should ONLY be installed on a virtual machine!

• Prepare a Windows 10+ virtual machine
  • FLARE VM has been tested on Windows 10 1809 x64 and 20H2
    • See mandiant/flare-vm#434 for options on downloading a Windows VM image
  • We recommend:
    • Avoiding usernames containing a space or other special characters
    • Using a disk capacity of at least 70-80 GB and memory of at least 2 GB
  • Disable Windows Updates (at least until installation is finished)
    • https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10
  • Disable Tamper Protection and any Anti-Malware solution (e.g., Windows Defender), preferably via Group Policy.
    • Disabling Tamper Protection
      • https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87
      • https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-windows-defender-antivirus.html
    • Disabling Windows Defender
      • https://stackoverflow.com/questions/62174426/how-to-permanently-disable-windows-defender-real-time-protection-with-gpo
      • https://www.windowscentral.com/how-permanently-disable-windows-defender-windows-10
      • https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1
• Take a VM snapshot so you can always revert to a state before FLARE VM installation
• Open a PowerShell prompt as administrator
• Install chocolatey manually
  • Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
• Download the installation script installer.ps1 to your desktop
  • (New-Object net.webclient).DownloadFile('[https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1](https://raw.githubusercontent.com/mandiant/flare-vm/89ecef490f16cf38d267ff06a98af402cf8ee84d/install.ps1)',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
  • Choosing this script from 2021 because it worked. The latest script gives bunch of errors and it's frustrating solving them...
• Unblock the installation script by running:
  • Unblock-File .\install.ps1
• Enable script execution by running:
  • Set-ExecutionPolicy Unrestricted
    • If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via Set-ExecutionPolicy Unrestricted -Scope CurrentUser to view execution policies for all scopes, type Get-ExecutionPolicy -List
• Finally, execute the installer script as follow:
  • .\install.ps1
    • You can also pass your password as an argument: .\install.ps1 -password <password>
• After installation it is recommended to switch to "host-only" networking mode and take a VM snapshot