IRMA install and use

IRMA is intended to be an open-source platform designed to help identify and analyze malicious files.

However, today's defense is not only about learning about a file; it is also about getting a clear overview of the incident you dealt with: where and when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ...

An important part of IRMA's value is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network.

Each submitted file is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).

Installing

pip uninstall ansible
pip install -I ansible==2.0.2
git clone https://github.com/quarkslab/irma

Get the free version of Sophos AntiVirus for Linux
and install it into /opt/sophos-av/ using the free update service.

Updating directly from Sophos.
Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]
> f

And disable the on-access scan to avoid losing your samples. (You can exclude certain directories later and re-enable on-access scanning.)

Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
> N

But let's go on and install the actual tool:

cd irma/ansible
VM_ENV=dev vagrant up

Using

http://172.16.1.30

Drop your suspect file(s) into the marked area and press the scan for malware button.