FLARE-VM is a scripted Windows environment setup tool that automates the installation and maintenance of a comprehensive reverse engineering and malware analysis toolkit on a virtual machine.
A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
FLARE-VM is designed for malware analysts and reverse engineers who need a ready-to-use, curated Windows VM environment with essential forensic and analysis tools pre-installed. It simplifies the setup process by automating software installations, enabling users to focus on analysis rather than environment configuration.
FLARE-VM must only be installed on a virtual machine with Windows 10 or higher. It requires disabling Windows Defender, Tamper Protection, and Windows Updates to avoid interference during installation and analysis. Users should take a VM snapshot before installation to enable easy rollback. The tool relies heavily on Chocolatey and Boxstarter for package management and automation.
Prepare a Windows 10 or higher virtual machine with at least 60 GB disk and 2 GB memory
Ensure PowerShell version 5 or higher is installed
Disable Windows Updates until installation is complete
Disable Tamper Protection and any Anti-Malware solutions like Windows Defender, preferably via Group Policy
Take a VM snapshot before installation to allow rollback
Open PowerShell as Administrator
Download the installer script to Desktop using: (New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1', "$([Environment]::GetFolderPath('Desktop'))\install.ps1")
Unblock the installation script with: Unblock-File .\install.ps1
Set execution policy to unrestricted: Set-ExecutionPolicy Unrestricted -Force (or with -Scope CurrentUser if needed)
Run the installer script: .\install.ps1
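A read-only pre-flight check for the prerequisites in the steps above, as an added example that is not part of FLARE-VM or the original page. The function name, the VM vendor strings and the wuauserv test are assumptions made here; the thresholds are the ones stated above.

```powershell
# Added example: read-only check of the prerequisites listed above; it changes nothing.
# Thresholds (Windows 10+, PowerShell 5+, 60 GB disk, 2 GB RAM) come from the page.
# Test-FlareVmPrereqs is a hypothetical name, not a FLARE-VM command.
function Test-FlareVmPrereqs {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $boot = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Treat a missing or failing Defender module as "Defender is not active".
    $mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    # Assumption: common hypervisor names in the SMBIOS strings; a heuristic only.
    $hw   = "$($cs.Manufacturer) $($cs.Model)"
    $isVm = $hw -match 'VMware|VirtualBox|Virtual Machine|KVM|QEMU|Xen'

    $checks = [ordered]@{
        'Running as Administrator'       = $isAdmin
        'Looks like a virtual machine'   = $isVm
        'Windows 10 or higher'           = ([version]$os.Version).Major -ge 10
        'PowerShell 5 or higher'         = $PSVersionTable.PSVersion.Major -ge 5
        # Rounded, because guests report slightly less than the configured size.
        'Disk at least 60 GB'            = [math]::Round($boot.Size / 1GB) -ge 60
        'Memory at least 2 GB'           = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 2
        'Defender real-time protection off' = (-not $mp) -or (-not $mp.RealTimeProtectionEnabled)
        'Tamper Protection off'          = (-not $mp) -or (-not $mp.IsTamperProtected)
        # Assumption: updates were disabled by disabling the service; updates
        # blocked only through Group Policy will show as a failure here.
        'Windows Update service disabled' = (-not $wu) -or ($wu.StartType -eq 'Disabled')
    }

    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
    }
}

$results = Test-FlareVmPrereqs
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Fix the failed prerequisites before running install.ps1.'
}
# The snapshot step cannot be verified from inside the guest; confirm it in the hypervisor.
```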
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1', "$([Environment]::GetFolderPath('Desktop'))\install.ps1")
Downloads the FLARE-VM installation script to the Desktop
Unblock-File .\install.ps1
Removes the block that Windows places on files downloaded from the Internet (the Zone.Identifier mark), so PowerShell will run the installer
Set-ExecutionPolicy Unrestricted -Force
Allows PowerShell to run unsigned scripts necessary for installation
.\install.ps1
Executes the FLARE-VM installer script to set up the environment
.\install.ps1 -password <password> -noWait -noGui
Runs the installer in CLI-only mode with minimal user interaction and password authentication