fw_mon
Reliable Contributor
Message 1 of 4

What is the purpose of 32-bit and Android VMs on ATD?

ATD/TIS supports a wide range of Windows OSes. Why is there a distinction between 64-bit and 32-bit? I'm able to run a 32-bit app in a 64-bit VM (see attached screenshot).

Regarding Android: the latest ATD/TIS supports ancient Android 2.3, 4.3 and 5.2 - does it make any sense? New apps are built to use modern Android APIs and I believe (I haven't tested) cannot even be executed on old Android versions.

Also, how many different VM images do you have? It makes perfect sense to have several different VMs for manual malware analysis, where the user can choose different analyser profiles, but for NSP/MWG integration only one 64-bit VM can be active, right?

What are the current best practices?

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo (click on the thumb up symbol) to help other community members. MWG+Splunk=❤

3 Replies
hsadi
Employee
Message 2 of 4

Re: What is the purpose of 32-bit and Android VMs on ATD?

Hi fw_mon,

The 32-bit systems are only for Windows 7 and Windows XP, which are end of life, but you can always use Win 7 in ATD to salvage the 32-bit architecture.

The reason we have both systems is that if a sample comes to ATD from endpoints (Win 7 or Win XP with 32-bit), ATD has the capability to select a 32-bit VM to scan the sample that comes from a 32-bit system.

OneDrive must be deactivated in the VM, as it causes performance issues in ATD.

Regarding Android, unfortunately, we don't have an updated version, but if you have a use case then please open an SR with ATD support so we can address this.

Regarding Windows VMs, unfortunately, we do not distribute the VMs to customers, as we are restricted by Microsoft licenses; customers have to acquire the images from Microsoft.

For NSP/MWG integration, you can select as many VMs as you want (64-bit or 32-bit).

You create an Analyser profile and select a number of VMs in the VM Profiles drop-down selector, then you go to ATD Users > select the NSP or MWG user > then select the name of the Analyser profile you created. In this way, any sample coming from NSP or MWG will use that profile with the number of VMs you selected.

You need to be careful when selecting many VMs: if a profile has 4 VMs and a sample comes from NSP or MWG, then that sample will be analysed by 4 VMs, which can cause performance issues on ATD, especially if you have thousands of samples flowing to ATD.

Hope this helps

fw_mon
Reliable Contributor
Message 3 of 4

Re: What is the purpose of 32-bit and Android VMs on ATD?

Thank you @hsadi

Win 7 or Win XP with 32-bit - since most of our customers don't have such old Windows systems anymore, I think we can better focus on 64-bit only.

OneDrive must be deactivated in the VM, as it causes performance issues in ATD. - Good hint, thank you. I need to check why it is active; I thought the VM provisioning tool had disabled it. Next time I'll disable a lot of stuff by hand after the VM provisioning tool has run.

For NSP/MWG integration, you can select as many VMs as you want (64-bit or 32-bit). - Yes, I know; I meant that I can choose only one 64-bit VM Profile for automatic submission. I cannot say that samples from source network 10.0.0.0/8 get one particular VM Profile and everybody else gets another VM Profile. Is that correct?

You need to be careful when selecting many VMs: if a profile has 4 VMs and a sample comes from NSP or MWG, then that sample will be analysed by 4 VMs, which can cause performance issues on ATD, especially if you have thousands of samples flowing to ATD. - I understood that 4 VM licenses mean a maximum of 4 VMs can be run simultaneously for 4 different samples ("In Maximum Licenses, enter the number of licenses you have for the operating system that you are using for this VM profile."). It doesn't mean each sample will be executed simultaneously on 4 equal VMs. What would be the benefit of running the same sample in many VMs? Please correct me if I'm wrong.

hsadi
Employee
Message 4 of 4 (Accepted Solution)

Re: What is the purpose of 32-bit and Android VMs on ATD?

Hi fw_mon,

OneDrive cannot be disabled by the provisioning tool, so you need to do it manually.

For NSP/MWG integration, you can select as many VMs as you want (64-bit or 32-bit). - Yes, I know; I meant that I can choose only one 64-bit VM Profile for automatic submission. I cannot say that samples from source network 10.0.0.0/8 get one particular VM Profile and everybody else gets another VM Profile. Is that correct?

No, you cannot select a VM based on a network portion or a subnet, but you can select one VM to serve only NSP submissions and another VM for MWG, and so on.

You need to be careful when selecting many VMs: if a profile has 4 VMs and a sample comes from NSP or MWG, then that sample will be analysed by 4 VMs, which can cause performance issues on ATD, especially if you have thousands of samples flowing to ATD. - I understood that 4 VM licenses mean a maximum of 4 VMs can be run simultaneously for 4 different samples ("In Maximum Licenses, enter the number of licenses you have for the operating system that you are using for this VM profile."). It doesn't mean each sample will be executed simultaneously on 4 equal VMs. What would be the benefit of running the same sample in many VMs? Please correct me if I'm wrong.

Yes, you're correct: you don't need to run 1 sample in 4 VMs, or in more than 1 VM; that would be a waste of resources and a reduction in performance.

Hope this helps,
