flare-vm
A collection of software installation scripts for Windows systems that lets you easily set up and maintain a reverse engineering environment on a VM.
A PowerShell script that automatically installs a complete set of reverse engineering and malware analysis tools on a Windows virtual machine, turning a fresh VM into a ready-to-use security lab.
FLARE-VM is a collection of PowerShell scripts that automatically install and configure a complete set of reverse engineering and malware analysis tools on a Windows virtual machine. It was created by Mandiant's FLARE team to solve the problem of manually tracking down, installing, and maintaining dozens of specialized security tools.
The setup is intended to be run only inside a virtual machine, never on a regular working computer. Before installing, you need a Windows 10 or later VM with at least 60 gigabytes of disk space and 2 gigabytes of memory, Windows Defender and Windows Updates both disabled, and an internet connection. Disabling antivirus is required because the tools being installed are the same ones researchers use to study malware, and antivirus software would flag or block them during installation.
Running a single PowerShell script handles everything automatically. Under the hood, the installer uses Chocolatey, a package manager for Windows, and Boxstarter, which handles reboots during installation so the process can resume automatically. Before any packages are installed, a graphical interface lets you choose which tools to include. You can also run the whole thing from the command line with no prompts if you prefer.
You can customize which tools get installed by providing your own XML configuration file. This lets teams maintain a consistent, repeatable environment across multiple machines, or tailor the setup to a specific type of analysis work. The Windows taskbar layout can be configured separately through another XML file.
After installation, taking a VM snapshot is recommended. That snapshot becomes your clean baseline: if a piece of malware damages the environment while you are analyzing it, you restore the snapshot and continue. This snapshot workflow is the primary reason the project requires a virtual machine rather than a regular Windows install.
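The prerequisites above (Windows 10 or later, 60 GB of disk, 2 GB of memory, Defender and Windows Update disabled, network access) are easy to get wrong on a freshly cloned VM, and a failed half-install is awkward to recover from. The following PowerShell pre-flight check is an added example written for this page; it is not part of FLARE-VM and does not call the project's installer. The numeric thresholds come from the description; the Chocolatey host used for the connectivity test and the model-string heuristic for "am I inside a VM" are assumptions and should be adjusted to your environment.

```powershell
# Added example (not FLARE-VM code): check the installation prerequisites
# listed in the description before running the installer inside a VM.
# Thresholds (Windows 10+, 60 GB disk, 2 GB RAM) are taken from the page;
# the connectivity host and the VM-detection heuristic are assumptions.

$failures = @()

# Windows 10 or later. Windows 11 also reports a 10.0.x version string,
# so a major-version comparison covers both.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    $failures += "Windows 10 or later required (found $($os.Caption) $($os.Version))"
}

# At least 60 GB free on the system drive.
$sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
$freeGB = [math]::Round($sysDrive.Free / 1GB, 1)
if ($freeGB -lt 60) {
    $failures += "Need at least 60 GB free on $($env:SystemDrive) (found $freeGB GB)"
}

# At least 2 GB of memory. TotalVisibleMemorySize is reported in kilobytes.
$memGB = [math]::Round(($os.TotalVisibleMemorySize * 1KB) / 1GB, 1)
if ($memGB -lt 2) {
    $failures += "Need at least 2 GB of memory (found $memGB GB)"
}

# Windows Defender real-time protection must be off; the cmdlet is absent
# when the Defender module is not installed, which is treated as "off".
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.RealTimeProtectionEnabled) {
    $failures += "Windows Defender real-time protection is still enabled"
}

# Windows Update service must be disabled so it cannot reboot or patch
# the VM while Boxstarter is driving the install.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.StartType -ne 'Disabled') {
    $failures += "Windows Update service (wuauserv) is not disabled (StartType: $($wu.StartType))"
}

# Internet connectivity: packages are fetched through Chocolatey.
# The host name here is an assumption; use whatever mirror your lab allows.
$online = Test-NetConnection -ComputerName 'community.chocolatey.org' -Port 443 -InformationLevel Quiet
if (-not $online) {
    $failures += "No HTTPS connectivity to the package source"
}

# Refuse to proceed on anything that does not look like a VM (heuristic on
# the hardware model string; extend the pattern for your hypervisor).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Model -notmatch 'Virtual|VMware|VirtualBox|KVM|QEMU|HVM|Hyper-V') {
    $failures += "Hardware model '$($cs.Model)' does not look like a VM; run only inside a VM"
}

if ($failures.Count -eq 0) {
    Write-Host 'All prerequisites satisfied. Take a clean snapshot now, and another one after the install finishes.'
    exit 0
}
else {
    Write-Host 'Prerequisites not met:'
    $failures | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

Run it from an elevated PowerShell prompt inside the VM before starting the installer; a non-zero exit code means at least one prerequisite is missing, and the list printed tells you which. The VM check is deliberately a hard failure rather than a warning, because the snapshot-and-restore workflow the project relies on only exists on a virtual machine.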
Where it fits
- Set up a repeatable malware analysis lab on a Windows VM by running a single PowerShell script.
- Customize which security tools get installed by supplying your own XML config file for consistent team environments.
- Take a clean VM snapshot after installation to restore quickly whenever malware damages the environment during analysis.