
Flare-VM

FLARE-VM is a Windows-based security distribution specifically designed for malware analysis, incident response, and digital forensics. Developed by the FireEye Labs Advanced Reverse Engineering (FLARE) team, this customizable environment provides a comprehensive collection of open-source and freeware tools pre-configured for security professionals. Unlike traditional Linux security distributions, FLARE-VM runs directly on Windows, offering native analysis capabilities for Windows malware and artifacts while integrating seamlessly with the Windows operating system through a package management system built on Chocolatey.

Requirements

FLARE-VM should ONLY be installed on a virtual machine. The VM should satisfy the following requirements:

  • Windows ≥ 10
  • PowerShell ≥ 5
  • Disk capacity of at least 60 GB and memory of at least 2 GB
  • Usernames without spaces or other special characters
  • Internet connection
  • Tamper Protection and any Anti-Malware solution (e.g., Windows Defender) disabled, preferably via Group Policy
  • Windows Updates disabled
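The following script is an added example, not part of the FLARE-VM project: it checks the requirement list above inside the VM before install.ps1 is run. The thresholds are the ones stated on this page; the GitHub host used for the connectivity check and the registry path of the Windows Update policy are assumptions.

```powershell
# Added example, not part of the FLARE-VM project: checks the requirement list
# above before install.ps1 is run. Thresholds are the ones stated on this page;
# the GitHub host used for the connectivity check is an assumption.
# Run from an elevated PowerShell prompt inside the VM.

function New-Check($Name, $Pass, $Value) {
    [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Value = "$Value" }
}

function Test-FlareVmRequirements {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ps  = $PSVersionTable.PSVersion
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $mem = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $net = Test-NetConnection -ComputerName 'raw.githubusercontent.com' -Port 443 `
               -InformationLevel Quiet -WarningAction SilentlyContinue

    # Windows Update policy value created by the Registry steps further down (assumed path)
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
              -ErrorAction SilentlyContinue

    # Get-MpComputerStatus fails once the Defender service is fully disabled;
    # treat that as "disabled" rather than as a failed check.
    $mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    $defenderOff = (-not $mp) -or ((-not $mp.RealTimeProtectionEnabled) -and (-not $mp.AntivirusEnabled))
    $tamperOff   = (-not $mp) -or (-not $mp.IsTamperProtected)

    @(
        New-Check 'Windows >= 10'         (([version]$os.Version).Major -ge 10) $os.Caption
        New-Check 'PowerShell >= 5'       ($ps.Major -ge 5)                     $ps
        New-Check 'System disk >= 60 GB'  ($sys.Size -ge 60GB) ('{0:N1} GB' -f ($sys.Size / 1GB))
        New-Check 'Memory >= 2 GB'        ($mem -ge 2GB)       ('{0:N1} GB' -f ($mem / 1GB))
        New-Check 'Username alphanumeric' ($env:USERNAME -match '^[A-Za-z0-9]+$') $env:USERNAME
        New-Check 'Internet (443 to raw.githubusercontent.com)' $net $net
        New-Check 'Tamper Protection off' $tamperOff  $mp.IsTamperProtected
        New-Check 'Defender disabled'     $defenderOff $mp.AntivirusEnabled
        New-Check 'Windows Update NoAutoUpdate = 1' ($au.NoAutoUpdate -eq 1) $au.NoAutoUpdate
    )
}

# Anything reported with Pass = False should be fixed before running install.ps1
Test-FlareVmRequirements | Format-Table -AutoSize
```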

Installation

Pre-installation

Disable automatic updates

Settings

If you want to prevent the system from downloading a specific update for a short period of time, you do not need to disable Windows Update permanently. Instead, you could pause updates for up to seven days.

To disable automatic updates temporarily, use these steps:

  1. Open Settings.
  2. Click on Windows Update.
  3. Click the "Pause updates for 5 Weeks" option.

Once you complete the steps, the system won't download updates for one week.

Note

When it reaches the pause limit, you will need to install the latest patch to make the option available again.

Group Policy

On Windows 11, the Local Group Policy Editor includes policies to permanently disable automatic updates or change the update settings to choose when patches should be installed on the device.

To disable automatic updates on Windows 10 permanently, use these steps:

  1. Open Start.
  2. Search for gpedit.msc and click the top result to launch the Local Group Policy Editor.
  3. Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience
  4. Double-click the "Configure Automatic Updates" policy on the right side.
  5. Check the Disabled option to turn off automatic Windows 11 updates permanently.
  6. Click the Apply button.
  7. Click the OK button.

After you complete the steps, Windows 11 will stop downloading updates automatically.

Tip

However, you can still check for updates manually from Settings > Windows Update by clicking the "Check for updates" button to download the most recent patches as needed.

Note

If you want to enable automatic updates on the computer again, you can use the same instructions outlined above, but in step 5, make sure to select the "Not Configured" option.

Registry

You can also use the Registry in two different ways to disable automatic updates on Windows 10.

Danger

This is a friendly reminder that editing the Registry is risky and can cause irreversible damage to your installation if you don't do it correctly. Before proceeding, it's recommended to make a backup of your PC.

To disable Windows 11 updates permanently by changing the Registry settings, use these steps:

  1. Open Start.
  2. Search for regedit and click the top result to launch the Registry Editor.
  3. Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
  4. Right-click the Windows (folder) key, select the New submenu, and choose the Key option.
  5. Name the new key WindowsUpdate and press Enter.
  6. Right-click the newly created key, select the New submenu, and choose the Key option.
  7. Name the new key AU and press Enter.
  8. Right-click the AU key, select the New submenu, and choose the DWORD (32-bit) Value option.
  9. Name the new value NoAutoUpdate and press Enter.
  10. Double-click the newly created value and change its value data from 0 to 1.
  11. Click the OK button.
  12. Restart the computer.

After you complete the steps, automatic updates will be permanently disabled on the device. However, you can still download updates by clicking the "Check for updates" button on the Windows Update settings page.

If you want to undo the changes, you can use the same instructions outlined above, but on step 4, right-click the WindowsUpdate key, select the "Delete" option, then reboot the computer to apply the settings.
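The registry steps above, as an added PowerShell example that is not part of the FLARE-VM project: it creates the WindowsUpdate\AU policy key and the NoAutoUpdate DWORD, reads the value back to confirm it, and with -Revert removes the WindowsUpdate key as in the undo instructions. The function name is an assumption.

```powershell
# Added example, not from the FLARE-VM project: the Registry steps above as a
# function. Run from an elevated prompt; restart the computer afterwards.

$AuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-AutoUpdatePolicy {
    param([switch]$Revert)

    if ($Revert) {
        # Undo: delete the WindowsUpdate key (and AU below it) created by the steps
        $updateKey = Split-Path $AuPath -Parent    # ...\Windows\WindowsUpdate
        if (Test-Path $updateKey) {
            Remove-Item -Path $updateKey -Recurse -Force
        }
        Write-Host 'WindowsUpdate policy key removed; restart to apply.'
        return
    }

    # Steps 4 to 7: create WindowsUpdate\AU (-Force creates the missing parent key)
    if (-not (Test-Path $AuPath)) {
        New-Item -Path $AuPath -Force | Out-Null
    }

    # Steps 8 to 10: DWORD NoAutoUpdate with value data 1 (-Force overwrites an existing 0)
    New-ItemProperty -Path $AuPath -Name 'NoAutoUpdate' -PropertyType DWord `
        -Value 1 -Force | Out-Null

    # Read the value back before asking for a reboot, so a failed write is caught here
    $actual = (Get-ItemProperty -Path $AuPath -Name 'NoAutoUpdate').NoAutoUpdate
    if ($actual -ne 1) {
        throw "NoAutoUpdate is '$actual', expected 1"
    }
    Write-Host 'NoAutoUpdate = 1 written; restart the computer to apply.'
}

# Usage: Set-AutoUpdatePolicy        (apply)
#        Set-AutoUpdatePolicy -Revert (undo)
Set-AutoUpdatePolicy
```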

Disable Tamper Protection and any Anti-Malware solution

Settings

Windows gives you an option to turn Microsoft Defender off. But, it’s only temporary. Once it’s been off for a while, or you restart your PC, it’ll come back on. If you just need a temporary solution, this is it.

  1. Access it by going to Start -> Settings -> Privacy & security.
  2. Select Windows Security and scroll until you see Virus & threat protection settings. Click the Manage Settings link.
  3. Toggle the various options to Off.

Note

Turning everything off is just temporary. This is great if you just need to disable Microsoft Defender for a short while, but doesn’t solve the ultimate goal of turning off Windows Defender permanently.

Tip

If you’re already using another antivirus instead of Microsoft Defender, you may not see these settings at all – which is a fix in itself and will be detailed below.

Local Group Policy

  1. Press Win+R to load the Run box, type gpedit.msc into the box, and press OK.
  2. When the Local Group Policy window loads, select Computer Configuration -> Administrative Templates on the right.
  3. Go to Windows Components -> Microsoft Defender (Antivirus). If you don’t see Microsoft Defender, look for Windows Defender (Antivirus). Scroll down until you see the Turn off Microsoft Defender policy. For older versions of Windows 10, look for Turn off Windows Defender.
  4. Double-click it, and click Enabled on the left to turn on the Turn off Microsoft Defender policy, which disables Microsoft Defender. If you later change your mind, select Disabled instead.

Registry

  1. Open the Run command by pressing Win+R. Type regedit, and click OK.
  2. On the left pane of the Registry Editor, navigate to the following folder:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  3. Select the Windows Defender folder, right-click on the empty space on the right side of the window, and go to New -> DWORD (32-bit) Value. Windows will create an untitled DWORD value. Right-click it, click Rename, and call it DisableAntiSpyware. Make sure you enter the name exactly!
  4. Right-click the DisableAntiSpyware value, and click Modify. To enable the policy that disables Microsoft Defender, set the value data to 1, and click OK. This tells the computer that the policy that was just created should be enabled, and Windows will disable Defender for you. If you want to bring Microsoft Defender back, return to this value and change the data to 0 to disable the policy and allow Defender to work again.
  5. If anything related to Defender is still running, add the following DWORD values using the same process as above:
    • DisableRealtimeMonitoring – set the value to 1.
    • DisableRoutinelyTakingAction – set the value to 1.
    • DisableAntiVirus – set the value to 1.
    • DisableSpecialRunningModes – set the value to 1.
    • ServiceKeepAlive – set the value to 0.
  6. You may also need to create three new folders under Windows Defender. Right-click the Windows Defender folder, and select New -> Key. Add three new keys: Signature Updates, Real-Time Protection, and Spynet.
  7. Add the following DWORD values to the corresponding folders:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
    • ForceUpdateFromMU – set the value to 0.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
    • DisableRealtimeMonitoring – set the value to 1.
    • DisableOnAccessProtection – set the value to 1.
    • DisableBehaviorMonitoring – set the value to 1.
    • DisableScanOnRealtimeEnable – set the value to 1.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
    • DisableBlockAtFirstSeen – set the value to 1.
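To confirm that all of the policy values from the steps above were entered with exactly the right names and data (a misspelled value name silently does nothing), here is an added audit script that is not part of the FLARE-VM project. It only reads the registry; the values from step 5 are assumed to sit directly under the Windows Defender key.

```powershell
# Added example, not from the FLARE-VM project: reads back every policy value
# listed in the steps above and reports any that is missing or holds different
# data. It changes nothing. The step 5 values are assumed to live directly
# under the Windows Defender key.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft'

# Expected DWORD data per subkey, taken from steps 4 to 7
$Expected = @{
    'Windows Defender' = @{
        DisableAntiSpyware = 1; DisableRealtimeMonitoring = 1; DisableRoutinelyTakingAction = 1
        DisableAntiVirus = 1; DisableSpecialRunningModes = 1; ServiceKeepAlive = 0
    }
    'Windows Defender\Signature Updates'    = @{ ForceUpdateFromMU = 0 }
    'Windows Defender\Real-Time Protection' = @{
        DisableRealtimeMonitoring = 1; DisableOnAccessProtection = 1
        DisableBehaviorMonitoring = 1; DisableScanOnRealtimeEnable = 1
    }
    'Windows Defender\Spynet' = @{ DisableBlockAtFirstSeen = 1 }
}

function Get-DefenderPolicyGaps {
    $gaps = @()
    foreach ($sub in $Expected.Keys) {
        $path = Join-Path $PolicyRoot $sub
        # A missing key yields $null, so every value expected under it is reported
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $Expected[$sub].Keys) {
            $want   = $Expected[$sub][$name]
            $actual = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { 'missing' }
            if ($actual -ne $want) {
                $gaps += [pscustomobject]@{ Key = $path; Value = $name; Expected = $want; Actual = $actual }
            }
        }
    }
    return $gaps
}

$gaps = Get-DefenderPolicyGaps
if ($gaps) { $gaps | Format-Table -AutoSize }
else       { Write-Host 'All listed Windows Defender policy values are present with the expected data.' }
```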

FLARE-VM installation

  1. Open a PowerShell prompt as administrator
  2. Download the installation script install.ps1 to your Desktop:
    (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")
    
  3. Unblock the installation script:
    Unblock-File .\install.ps1
    
  4. Enable script execution:

    Set-ExecutionPolicy Unrestricted -Force
    

    Tip

    If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope via Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force. To view the execution policies for all scopes, execute Get-ExecutionPolicy -List.

  5. Finally, execute the installer script as follows:

    # To pass your password as an argument
    .\install.ps1 -password <password>
    
    # To use the CLI-only mode with minimal user interaction
    .\install.ps1 -password <password> -noWait -noGui
    
    # To use the CLI-only mode with minimal user interaction and a custom config file
    .\install.ps1 -customConfig <config.xml> -password <password> -noWait -noGui
    

Note

After installation it is recommended to switch to host-only networking mode and take a VM snapshot.

Installer GUI

The Installer GUI is displayed after the validation checks have run and Boxstarter and Chocolatey have been installed (if they were not installed already). Using the installer GUI you may customize:

  • Package selection from FLARE-VM and Chocolatey community
  • Environment variable paths


In newer versions of Windows, Group Policy settings for Microsoft Defender are reverted.
To prevent this, before changing them:

  1. Open Resource Monitor (type resmon.exe in the search box)
  2. Open the Overview tab
  3. Find MsMpEng.exe in the list
  4. Right-click > Suspend Process

In Windows 10 1903, Tamper Protection was added.
Tamper Protection must be disabled before changing Group Policy settings, otherwise these are ignored.

  1. Open Windows Security (type Windows Security in the search box)
  2. Virus & threat protection > Virus & threat protection settings > Manage settings
  3. Switch Tamper Protection to Off

To permanently disable real-time protection:

  1. Open Local Group Policy Editor (type gpedit.msc in the search box)
  2. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
  3. Enable Turn off real-time protection
  4. Restart the computer

To permanently disable Microsoft Defender:

  1. Open Local Group Policy Editor (type gpedit.msc in the search box)
  2. Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
  3. Enable Turn off Microsoft Defender Antivirus
  4. Restart the computer
