When users submit a file or URL to VMRay for analysis, they are usually most interested in answering the question “Is this malware? Yes or no.”
Prior to our most recent 4.0 release, this question was answered in the VMRay Platform with a severity score (or VTI Score). With this release, the answer has been simplified: the VMRay Platform no longer uses a numerical score to indicate potential maliciousness and instead renders a “Verdict” that replaces the severity score.
In the new verdict system, submitted files and URLs are judged as one of:
- Malicious
- Suspicious
- Clean
- Not available
These four possible verdicts mark a reduction in number from the eight possibilities in the previous system.
This new system will be applied at all levels: analyses, samples, IOCs and artifacts. To increase clarity and avoid confusion, the numerical VMRay Threat Identifier (VTI) Score from 0 to 100 has been removed from the UI. However, for backward compatibility, these values are still available via API.
The way VMRay calculates the verdict score has not been changed, only the way it presents the result. Each VTI still has a score of 1-5. In the release of VMRay Platform 4.0, we introduced the -1 score (displayed as “-”) to represent a known-benign finding. When a VTI with a -1 score is triggered, the sample or the artifact is prevented from having a Malicious verdict. This can happen in special situations, such as when a PE sample has a trusted digital signature, or when a reputation analysis has a Clean verdict. It is also possible to write YARA rules with a -1 score.
| Endpoint | New verdict keys in response |
| --- | --- |
| /rest/analysis | analysis_verdict, analysis_verdict_reason, analysis_verdict_reason_code |
| /rest/sample | sample_verdict, sample_verdict_reason, sample_verdict_reason_code |
| /rest/submission | submission_verdict, submission_verdict_reason, submission_verdict_reason_code |
| /rest/sample//iocs | verdict, verdict_reason, verdict_reason_code |
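
For teams consuming these keys in triage automation, the sketch below reads the verdict from a record of any of the four endpoints and keeps "Not available" from being counted as Clean. It is an added example, not VMRay code: the key names come from the table above, while the flat record shape, the lowercase verdict strings and the sample records are assumptions constructed for illustration.

```python
# Key names are from the table above. ASSUMPTIONS (not from VMRay documentation):
# records are flat dicts and verdict values are spelled as below.
PREFIXES = ("analysis_", "sample_", "submission_", "")  # "" covers IOC entries
SEVERITY = {"clean": 0, "suspicious": 1, "malicious": 2}  # assumed spelling
NOT_AVAILABLE = "not_available"                            # assumed spelling


def extract_verdict(record):
    """Return (verdict, reason, reason_code) from one record of any endpoint."""
    for prefix in PREFIXES:
        key = prefix + "verdict"
        if key in record:
            raw = record[key]
            verdict = str(raw).strip().lower().replace(" ", "_") if raw else NOT_AVAILABLE
            if verdict not in SEVERITY:
                verdict = NOT_AVAILABLE  # null or unknown is never read as clean
            return verdict, record.get(key + "_reason"), record.get(key + "_reason_code")
    return NOT_AVAILABLE, None, None


def triage(records):
    """Return (worst verdict, complete); complete is False if any record had none."""
    worst, complete = None, True
    for record in records:
        verdict, _, _ = extract_verdict(record)
        if verdict == NOT_AVAILABLE:
            complete = False
        elif worst is None or SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    return (worst or NOT_AVAILABLE), complete


# Constructed sample records, not real API output.
SAMPLE_ANALYSES = [
    {"analysis_verdict": "clean", "analysis_verdict_reason": None,
     "analysis_verdict_reason_code": None},
    {"analysis_verdict": None, "analysis_verdict_reason": "constructed reason text",
     "analysis_verdict_reason_code": "constructed_code"},
]

if __name__ == "__main__":
    # One analysis is clean, one has no verdict: the result is flagged incomplete.
    print(triage(SAMPLE_ANALYSES))
```

A result of `("clean", False)` means at least one record produced no verdict, so the sample should not be closed as clean on that basis alone.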
By reducing the number of possible verdicts from eight to four, our new system will bring greater clarity to malware analysis results and assist SOC teams in making effective decisions in the incident response process.