Creating analyzer VMs

Advanced Threat Defense uses secure virtual machines, or analyzer VMs, for dynamic analysis. During dynamic analysis, Advanced Threat Defense executes suspicious files in the analyzer VM, then monitors the file behavior for malicious activities.

Note: The number of analyzer VMs you can create is limited by the following conditions:
- The available Advanced Threat Defense Appliance disk space.
- The disk space occupied by the operating system.

Advanced Threat Defense limits the maximum number of analyzer VMs you can use for analysis:
- ATD-3000 — 29 analyzer VMs
- ATD-6000 — 59 analyzer VMs
- ATD-3100 — 29 analyzer VMs
- ATD-6100 — 59 analyzer VMs

The number of concurrent licenses that you specify affects the number of concurrent active analyzer VMs.

Any security software or low-level utility tool on an analyzer VM can interfere with the dynamic analysis of the sample file. The sample-file execution can be terminated during dynamic analysis. As a result, the reports might not capture the full behavior of the sample file. If you need to find out the complete behavior of the sample file, do not patch the operating system of the analyzer VM or install any security software on it.

Important: Ensure that you upload the VMDK to your Advanced Threat Defense before activating your Microsoft Windows and Office. Use the Activation feature available in the Advanced Threat Defense Web interface. For more information, see Create VM profiles. If you activate your Microsoft Windows and Office on VMware Workstation, VMware ESXi server, or Microsoft Hyper-V, your licenses will be lost due to change in hardware.

Create a VM using the VM Builder
The VM Builder makes it easier for you to create VMs for VMware ESXi. The tool allows you to include all needed installers and OS ISO, then seamlessly create VMs for you.

Create a virtual machine on VMware Workstation
To create the virtual machine, you must complete the New Virtual Machine Wizard.

Create a virtual machine on VMware ESXi
To create the virtual machine, you must complete the New Virtual Machine Wizard.

Create a virtual machine on Hyper-V Manager
This topic explains how to create a virtual machine in Microsoft Hyper-V Manager.

Create a virtual disk file
Create a virtual disk file of the ISO image on VMware or Hyper-V.

Install Microsoft Office on the virtual machine
To install Microsoft Office on the virtual machine, you must download the compatibility pack from Microsoft.

Enable PDF file analysis
To analyze PDF files, download Adobe Reader to the native host and copy it to the VM.

Enable JAR file analysis
To analyze JAR files, download and install Java Runtime Environment (JRE).

Enable Flash file analysis
To dynamically analyze Flash files, install Adobe Flash Player or the Flash plug-in.

Complete the VMDK and VHDX file creation process

Prepare the virtual disk image for analysis
Prepare your VMDK or VHDX images to capture malware behaviors in the sandbox environment.

Import the virtual disk file
To create an analyzer VM, you must import the corresponding virtual disk file into Advanced Threat Defense.

Convert the VMDK and VHDX file to an image file
To create an analyzer VM, you must convert the VMDK and VHDX file to an image file.

Managing VM profiles