IRMA (http://irma.quarkslab.com) is an open-source asynchronous system aiming at helping analyze suspicious files.
We all know that anti-virus (AV) are a failure: if someone is basing his security on this one product, failure is sure. Despite that, everyone also considers AV are also needed to detect the generic attack vectors. A not new idea is to use several AV engines. Due to costs and performance constraints, one host cannot run tons of AV. So, several solutions have appeared lately to provide a central place where suspicious files can be tested towards major AV engines.
However, testing suspicious files is only a first step. When one will detect such a file, he might want to apply different analysis, like running it in a sandbox for instance, or statically analyzing the file which requires first to unpack it most of the time. In this lab, we will:
– Recall our major motivations to build such a system,
– Present the overall architecture of IRMA which has been designed as a 3 part system,
– Guide you to setup our own system, running in virtual machines, in less than 30 minutes,
– Develop together a new analyser and include it to your own IRMA setup,
– Discuss the mechanics under the hood for people willing to contribute to or to reuse this project.
Alexandre Quint
Fernand Lone-Sang