Customized FLARE VM 2025 setup repository for building a fresh malware analysis lab from scratch. It includes the installation commands, the required prerequisites, and reference data to ensure a smooth deployment of the latest FLARE VM environment on a Windows 10 (or later) virtual machine.
Requirements:

- Windows ≥ 10
- PowerShell ≥ 5
- Disk capacity of at least 60 GB and memory of at least 2 GB
- Username without spaces or other special characters
- Internet connection
- Tamper Protection and any anti-malware solution (e.g., Windows Defender) disabled, preferably via Group Policy
- Windows Updates disabled
Preparing the virtual machine:

- Prepare a Windows 10+ virtual machine.
- Install Windows in the virtual machine, for example using the raw Windows 10 ISO from https://www.microsoft.com/en-us/software-download/windows10ISO
- Ensure the requirements above are satisfied, including:
  - Disable Windows Updates (at least until installation is finished)
  - Disable Tamper Protection and any anti-malware solution (e.g., Windows Defender), preferably via Group Policy.
In newer versions of Windows, Group Policy settings for Microsoft Defender get reverted (typically by a subsequent update). To prevent this, disable Windows Update via Group Policy before changing the Defender settings.

To disable automatic updates on Windows 10 permanently:

- Open Start.
- Search for gpedit.msc and click the top result to launch the Local Group Policy Editor.
- Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
- Double-click the "Configure Automatic Updates" policy on the right side.
- Select Disabled, then click Apply and OK.
If the Defender engine is still running while you change these settings, suspend it temporarily (this lasts only until the process or the VM is restarted):

- Open Resource Monitor (type resmon.exe in the search box)
- On the Overview tab, find MsMpEng.exe (the Microsoft Defender antimalware service) in the list
- Right-click > Suspend Process
Tamper Protection was added in Windows 10 1903. It must be disabled before changing Group Policy settings, otherwise these are silently ignored:

- Open Windows Security (type Windows Security in the search box)
- Virus & threat protection > Virus & threat protection settings > Manage settings
- Switch Tamper Protection to Off

To permanently disable real-time protection:

- Open Local Group Policy Editor (type gpedit.msc in the search box)
- Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection
- Enable "Turn off real-time protection"
- Restart the computer

To permanently disable Microsoft Defender:

- Open Local Group Policy Editor (type gpedit.msc in the search box)
- Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus
- Enable "Turn off Microsoft Defender Antivirus"
- Restart the computer
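As an added example (not part of this repository or of the FLARE VM project), the following PowerShell script checks the requirements and the Defender/Windows Update settings described above from an elevated prompt, so you can confirm the VM is ready before snapshotting it. The registry values it reads are the ones the listed Group Policy settings write; the check names, the alphanumeric-username rule and the output format are this example's own.

```powershell
# Added example (not part of this repository or of FLARE VM): pre-flight check of the
# requirements and Defender/Update settings described above. Run from an elevated prompt.
# Thresholds (60 GB disk, 2 GB RAM) are the ones stated in the requirements list.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Helper: read a value from a policy key; returns $null if the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Platform versions (Windows 11 also reports major version 10)
$os = [Environment]::OSVersion.Version
Add-Check 'Windows >= 10'   ($os.Major -ge 10)                      "$os"
Add-Check 'PowerShell >= 5' ($PSVersionTable.PSVersion.Major -ge 5) "$($PSVersionTable.PSVersion)"

# 2. Elevation: install.ps1 must run as administrator
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
Add-Check 'Running as administrator' ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) $env:USERNAME

# 3. Resources: free space on the system drive and physical memory
$sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
$freeGB   = [math]::Round($sysDrive.Free / 1GB, 1)
Add-Check 'Free disk >= 60 GB' ($freeGB -ge 60) "$freeGB GB free on $($sysDrive.Root)"
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Add-Check 'Memory >= 2 GB' ($ramGB -ge 2) "$ramGB GB"

# 4. Username: letters and digits only (conservative reading of "no spaces or special characters")
Add-Check 'Username is alphanumeric' ($env:USERNAME -match '^[A-Za-z0-9]+$') $env:USERNAME

# 5. Windows Update: "Configure Automatic Updates" = Disabled writes NoAutoUpdate = 1
$noAuto = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
Add-Check 'Automatic updates disabled by policy' ($noAuto -eq 1) "NoAutoUpdate=$noAuto"

# 6. Defender live state. If Get-MpComputerStatus fails (module absent or service already
#    gone after disabling Defender), the values stay $null and the checks pass.
$tamper = $null; $rtp = $null; $av = $null
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $tamper = $mp.IsTamperProtected; $rtp = $mp.RealTimeProtectionEnabled; $av = $mp.AntivirusEnabled
} catch { }
Add-Check 'Tamper Protection off'    (-not $tamper) "IsTamperProtected=$tamper"
Add-Check 'Real-time protection off' (-not $rtp)    "RealTimeProtectionEnabled=$rtp"
Add-Check 'Defender antivirus off'   (-not $av)     "AntivirusEnabled=$av"

#    Policy values written by "Turn off Microsoft Defender Antivirus" and "Turn off real-time protection"
$disAv  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
$disRtp = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' 'DisableRealtimeMonitoring'
Add-Check 'Defender disabled by policy'             ($disAv  -eq 1) "DisableAntiSpyware=$disAv"
Add-Check 'Real-time protection disabled by policy' ($disRtp -eq 1) "DisableRealtimeMonitoring=$disRtp"

# 7. The Defender engine should no longer be running after the reboot that follows the policy change
$eng = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
Add-Check 'MsMpEng.exe not running' (-not $eng) ($(if ($eng) { "PID $($eng.Id)" } else { 'absent' }))

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failing checks (and reboot) before taking the snapshot and running install.ps1.'
} else {
    Write-Host 'All pre-flight checks passed.' -ForegroundColor Green
}
```

If "Tamper Protection off" fails while the two Defender policies are already set, the policies are being ignored exactly as described above: switch Tamper Protection off in Windows Security, reboot, and run the check again.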
Take a VM snapshot so you can always revert to a state before the FLARE-VM installation. With Defender and updates now off, treat the VM as untrusted: keep it isolated from your host and any production network (e.g., host-only networking, no shared folders) once you start handling samples.
Installation:

- Open a PowerShell prompt as administrator and change to your Desktop (the commands below assume the script is in the current directory).
- Download the installation script install.ps1 to your Desktop:
  `(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath("Desktop"))\install.ps1")`
- Unblock the installation script (it carries the Mark of the Web because it was downloaded from the Internet):
  `Unblock-File .\install.ps1`
- Enable script execution: `Set-ExecutionPolicy Unrestricted -Force`
  - If you receive an error saying the execution policy is overridden by a policy defined at a more specific scope, you may need to pass a scope in via `Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force`. To view execution policies for all scopes, execute `Get-ExecutionPolicy -List`.
- Finally, execute the installer script as follows: `.\install.ps1`
  - To pass your password as an argument: `.\install.ps1 -password <password>`
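As an added example (not part of this repository or of FLARE VM's own install.ps1), the wrapper below automates the installation steps above from an elevated prompt: it refuses to run without elevation, inspects every execution-policy scope to diagnose the "overridden by a policy defined at a more specific scope" case instead of guessing, downloads install.ps1 over TLS 1.2 to the Desktop, rejects an obviously wrong download (e.g., a proxy or captive-portal HTML page), records the file's SHA256, unblocks it, gives you a chance to read it before it runs as administrator, and passes an optional password through to the installer. The URL is the one given above; the parameter names -Password and -SkipReview and the review prompt are this example's own.

```powershell
# Added example (not part of this repository or of FLARE VM): wrapper around the manual
# installation steps above. Run from an elevated PowerShell prompt. -Password and
# -SkipReview are this example's own parameters; -password is install.ps1's.
param(
    [string]$Password,
    [switch]$SkipReview
)

$ErrorActionPreference = 'Stop'
$url     = 'https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'
$desktop = [Environment]::GetFolderPath('Desktop')
$script  = Join-Path $desktop 'install.ps1'

# 1. Elevation: install.ps1 needs it, so fail early instead of late.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the PowerShell prompt as administrator and run again.'
}

# 2. Execution policy. Scopes are evaluated in precedence order (MachinePolicy, UserPolicy,
#    Process, CurrentUser, LocalMachine) and the first non-Undefined one wins.
$policies  = Get-ExecutionPolicy -List
$effective = $policies | Where-Object { $_.ExecutionPolicy -ne 'Undefined' } | Select-Object -First 1
if ($effective -and ($effective.Scope -in @('MachinePolicy', 'UserPolicy'))) {
    # Enforced by Group Policy: Set-ExecutionPolicy cannot override it from a prompt.
    throw "Execution policy is enforced by Group Policy at scope $($effective.Scope) ($($effective.ExecutionPolicy)); clear that policy first."
}
# Persist Unrestricted at LocalMachine (what the manual step does). If a more specific
# scope overrides it, that is the "more specific scope" error: set that scope as well.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction SilentlyContinue
foreach ($p in $policies) {
    if (($p.Scope -in @('Process', 'CurrentUser')) -and ($p.ExecutionPolicy -notin @('Undefined', 'Unrestricted', 'Bypass'))) {
        Write-Warning "Scope $($p.Scope) is $($p.ExecutionPolicy) and overrides LocalMachine; setting it to Unrestricted."
        Set-ExecutionPolicy Unrestricted -Scope $p.Scope -Force
    }
}

# 3. Download over TLS 1.2 and sanity-check the result before trusting it. An HTML error page
#    from a proxy or captive portal must never reach Unblock-File and be executed as admin.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
(New-Object Net.WebClient).DownloadFile($url, $script)
$head = Get-Content -Path $script -TotalCount 50
if (-not $head -or ($head -match '(?i)<html|<!doctype')) {
    Remove-Item -Path $script -Force
    throw 'Downloaded file is empty or looks like an HTML page, not a PowerShell script; aborting.'
}
$hash = (Get-FileHash -Path $script -Algorithm SHA256).Hash
Write-Host "Downloaded $script (SHA256 $hash)"   # record this with your snapshot notes
Unblock-File -Path $script                       # removes the Mark-of-the-Web zone identifier

# 4. Review gate: read what you are about to run with administrator rights.
if (-not $SkipReview) {
    Start-Process -FilePath notepad.exe -ArgumentList $script -Wait
    if ((Read-Host 'Proceed with the FLARE VM installation? [y/N]') -notmatch '^[Yy]') { return }
}

# 5. Run the installer from the Desktop, passing the password through if one was given.
Set-Location -Path $desktop
if ($Password) { & $script -password $Password } else { & $script }
```

Save it as, for example, run-flarevm.ps1 on the Desktop and invoke `.\run-flarevm.ps1` (or `.\run-flarevm.ps1 -Password <password>`) from the elevated prompt; because it is itself a local script, Unblock-File and the execution-policy step above apply to it too.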