Thursday, October 18, 2018

Clone Wars - Zero Effort Scaling

Joe Sandbox v24 Fire Opal release is knocking at the door and will bring a lot of interesting new features. One of the most interesting ones is the support for VMware ESXi 6.7. VMware ESXi is the perfect virtualization solution for building an infrastructure which is able to analyze large volumes of samples very quickly. Large means 5'000, 10'000 or 20'000 samples per day. In this blog post, we will show you how easy it is to scale Fire Opal with ESXi 6.7.

First of all, why is VMware ESXi the best solution for large-scale malware analysis? Well, there are a couple of reasons. First ESXi is a type 1 hypervisor:

With a type 1 hypervisor there is no separate host OS; the hypervisor itself is the OS. Examples of type 1 hypervisors are VMware ESXi, Xen or Hyper-V. Examples of type 2 hypervisors are VMware Workstation, VirtualBox or KVM.

Generally, type 2 hypervisors are more often used for virtualization on desktops, while type 1 hypervisors mainly run server workloads. As a result, type 1 hypervisors tend to be much more stable, easier to maintain and easier to scale. For instance, VMware ESXi can be connected to vCenter, which allows you to easily manage several ESXi servers, template VMs, cloning etc. Such features are often not available for type 2 hypervisors.

Linked Clones

With Fire Opal, Joe Sandbox now fully supports ESXi 6.7. In addition, we implemented linked cloning for Windows analyzers. Linked cloning is already available for VMware Workstation and VirtualBox. What are linked clones? Linked clones make your job as a Joe Sandbox administrator much easier. Let us assume you have set up and configured Joe Sandbox with one analysis machine named "Analyzer 1":

With a simple shell command, you can create up to n clones of your analyzer. The new clones "link" to the parent Analyzer 1 and thus only require a very small amount of storage (normally about the size of Analyzer 1's RAM).

Let us have a look at an ESXi instance running Joe Sandbox Fire Opal. We have one Windows 10 analyzer configured:

After login, use the --clonemachine command. The first argument is the number of clones you would like to create and the second the name of your parent/template VM.

Once cloning is finished, refresh the vSphere Web Client:

Don't be alarmed by the "used size" column; it is not accurate. All the clones taken together use only 82GB of storage space:

After cloning, the analyzers are ready to analyze samples. To see the number of analyzers in action simply go to the Admin Tab - Monitoring:

Zero Effort Scaling

Thanks to the new support for VMware ESXi, scaling has become incredibly easy. A Joe Sandbox administrator has to set up an analyzer and then can multiply the analysis performance by using a simple shell command.

In contrast to VMware Workstation and VirtualBox, ESXi is much better suited for large-scale analysis. It is more stable than type 2 hypervisors, has better features for maintenance and enables zero-effort scaling.

