Creating analyzer VMs

Advanced Threat Defense uses secure virtual machines, or analyzer VMs, for dynamic analysis. During dynamic analysis, Advanced Threat Defense executes suspicious files in the analyzer VM, then monitors the file behavior for malicious activities.

Note: The number of analyzer VMs you can create is limited by the following conditions:
  • the available Advanced Threat Defense Appliance disk space.
  • the disk space occupied by the operating system.

Advanced Threat Defense limits the maximum number of analyzer VMs you can use for analysis:

  • ATD-3000 — 29 analyzer VMs
  • ATD-6000 — 59 analyzer VMs
  • ATD-3100 — 29 analyzer VMs
  • ATD-6100 — 59 analyzer VMs

The number of concurrent licenses that you specify affects the number of concurrent active analyzer VMs.

Any security software or low-level utility tool on an analyzer VM can interfere with the dynamic analysis of the sample file. The sample-file execution can be terminated during dynamic analysis, and as a result the reports might not capture the full behavior of the sample file. If you need to find out the complete behavior of the sample file, do not patch the operating system of the analyzer VM or install any security software on it.

  • Ensure that you upload the VMDK to your Advanced Threat Defense before activating your Microsoft Windows and Office. Use the Activation feature available in the Advanced Threat Defense Web interface. For more information, see Create VM profiles.
  • If you activate your Microsoft Windows and Office on VMware Workstation, VMware ESXi server, or Microsoft Hyper-V, your licenses will be lost due to the change in hardware.