
Vendor News

Move Fast and Don’t Break Things (Part 1): Accurate API Monitoring at High Performance

24 April 2020

In designing systems, engineers often have to navigate between two extremes. Resources are finite, so a compromise is usually made between operating slowly and thoroughly or fast and recklessly. But what if a system could be both fast and accurate? Because VMRay's technology is entirely hypervisor-based, it can be both. Where traditional sandboxing technology has to choose one or the other, VMRay can monitor all the API calls made by a code sample (unlike API-hooking sandboxes) and do so at high performance (unlike emulators).

With this approach, VMRay can also monitor API calls of secondary importance, such as string manipulation functions like strlen (which only returns the length of a string). Traditional sandboxes cannot, because they must conserve resources. This ability is useful because the parameters of these calls can reveal information about the internal workings of malware, exactly the type of information that helps with family classification, configuration extraction, and gaining a deeper understanding of how the malware works.
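To make the point concrete, here is an added example that is not part of the original post and not VMRay's code: it parses a constructed, hypothetical call trace (one call per line, in a format invented for this example, not VMRay's real log format) and pulls the string arguments out of the "secondary" string helpers alone, grouping them into the kinds of artifacts an analyst would feed into classification or configuration extraction. Note that the C2 URL, mutex name and drop path all surface in strlen/strcpy arguments before or independently of the "important" API call that finally uses them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample trace (hypothetical format, not VMRay's real log format):
# one monitored call per line, "<module>.<function>(<args>) = <return>".
SAMPLE_TRACE = r"""
msvcrt.strlen("http://c2.example.invalid/gate.php") = 34
msvcrt.strlen("bot_id=") = 7
msvcrt.strcpy(0x0045f120, "http://c2.example.invalid/gate.php") = 0x0045f120
msvcrt.strlen("Global\Sandbox-Test-Mutex") = 25
kernel32.CreateMutexA(0x0, 0, "Global\Sandbox-Test-Mutex") = 0x1b0
msvcrt.strlen("C:\Users\victim\AppData\Roaming\svc.dat") = 39
msvcrt.strlen("http://c2.example.invalid/gate.php") = 34
kernel32.GetTickCount() = 0x1234
"""

# String helpers that an API-hooking sandbox typically leaves unhooked because
# of the overhead; these are the "secondary" calls the post refers to.
STRING_HELPERS = {"strlen", "strcpy", "strcat", "strncpy",
                  "wcslen", "lstrlenA", "lstrlenW"}

CALL_RE = re.compile(r'^(?P<module>\w+)\.(?P<func>\w+)\((?P<args>.*)\) = (?P<ret>.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # a double-quoted argument


def classify(s):
    """Rough artifact class for a string argument (assumed categories)."""
    if re.match(r'https?://', s):
        return "url"
    if s.startswith(("Global\\", "Local\\")):
        return "mutex"
    if re.match(r'[A-Za-z]:\\', s):
        return "path"
    return "other"


def parse_trace(trace):
    """Return (module, function, [quoted string args]) for every call line."""
    calls = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        calls.append((m["module"], m["func"], QUOTED_RE.findall(m["args"])))
    return calls


def extract_artifacts(trace):
    """Collect string arguments seen only in string-helper calls, by class and count."""
    artifacts = defaultdict(Counter)
    for _module, func, strings in parse_trace(trace):
        if func not in STRING_HELPERS:
            continue
        for s in strings:
            artifacts[classify(s)][s] += 1
    return {kind: dict(counts) for kind, counts in artifacts.items()}


if __name__ == "__main__":
    for kind, counts in extract_artifacts(SAMPLE_TRACE).items():
        print(kind, counts)
```

Repeated values (the URL seen three times across strlen and strcpy) are a useful signal in their own right: a string the sample keeps handling is more likely to be a configuration value than incidental data.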
