TL;DR, Installing flare on Windows 10 with a PowerShell script.
Their directions can be found here.
FLARE stands for FireEye Labs Advanced Reverse Engineering. They are a team of people primarily focused on malware analysis but do other stuff as well. The FLARE-VM is a Windows-based virtual machine that holds tools for Incident response, malware analysis, pen-testing, and some other stuff. You can read more about it here. The setup is easy. You run a PowerShell script on a Windows VM, The script installs a ton of tools and turns it into a FLARE-VM. A lot like Magikarp evolving into Gyarados. I’m going to cover how to set up the Windows VM so all the FLARE tools are properly installed. If you don’t do this the built-in Antivirus and other security tools will stop you from installing the tools.
To start you are going to need a Windows VM. You can get a VM for the popular hypervisors here:
- Windows with Microsoft Edge: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- Windows 11 development environment: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
At the time of writing this, I have not yet tested Windows 11 but a couple of twitter posts say it works fine.
You could also grab the installation tool and build your own using the ISO, but that’s gonna take a bit longer. This VM after unzip is 35.8 GB on my system, with a maximum size of 127. The VM shouldn’t ask you to log in, but if something happens the password is “Passw0rd!”(no quotes). I suggest changing it to something you will remember, but that’s up to you. The requirements for the VM after Flare is installed are. 60 GB Hard Drive(more might be needed) and 2 GB of ram. If you took my advice on the Windows 10 development environment you should be fine. If you want stuff to go a bit faster, bump up the resources for the processor and memory.
Once you’re logged into the VM you’re going to need to turn off the security tools. This is so Windows doesn’t stop you from doing anything, and so you are able to transfer malware to the VM without the security tools removing it. In the search bar type “windows security” and then click on windows security. Click on “Virus & threat protection”, Then “Manage settings” under “Virus & threat protection settings”. Turn off the following settings.
- Real-time Protection
- Cloud-Delivered Protection
- Automatic Sample Submission
- Tamper Protection.
Scroll down and click “Add or remove exclusions”. You will want to add the entire C drive to the exclusions list by clicking + Add an exclusion > Folder > click local Disk (C:) > Select folder. After this, you should be good to go for the installation.
Now download the PowerShell script install.ps1 (right-click, save link as) and follow the copy-pasted steps from the flare GitHub below. Just so it’s known. It is gonna take a long time, you may have to press enter a couple of times. You can also pass your password as an argument: .\install.ps1 -password <password>
- Installations Steps
- Download and copy install.ps1 onto your new VM
- Open PowerShell as an Administrator
- Unblock the install file by running:
- Unblock-File .\install.ps1
- Enable script execution by running:
- Set-ExecutionPolicy Unrestricted
- Finally, execute the installer script as follow:
- .\install.ps1
I have had some problems with the script hanging at certain parts. Pressing Enter seemed to fix that. Once everything is done two things can happen. Ethier the VM restarts and your desktop will change to the flare logo, or you have to restart the VM manually and the desktop will change from the restart. Hopefully, everything worked and now you got a flare VM working. One thing to remember is that this is an eval version of windows. After it being alive for 90 days. you will have to run “slmgr -rearm” in PowerShell to rearm the VM or it will shut down after an hour of use.
https://github.com/fireeye/flare-vm