service_manifest.yml

# Name of the service
name: VMRay
# Version of the service
version: $SERVICE_TAG
# Description of the service
description: VMRay service

# Regex defining the types of files the service accepts and rejects
accepts: executable/windows/(pe32|pe64)
rejects: empty|metadata/.*

# At which stage the service should run (one of: FILTER, EXTRACT, CORE, SECONDARY, POST)
# NOTE: Stages are executed in the order defined in the list
stage: CORE
# Which category the service is part of (one of: Antivirus, Dynamic Analysis, External, Extraction, Filtering, Networking, Static Analysis)
category: Dynamic Analysis

# Does the service require access to the file to perform its task
# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
file_required: true
# Maximum execution time the service has before it's considered to be timed out
timeout: 10
# Does the service force the caching of results to be disabled
# (only use for service that will always provided different results each run)
disable_cache: false

# is the service enabled by default
enabled: true
# does the service make APIs call to other product not part of the assemblyline infrastructure (e.g. VirusTotal, ...)
is_external: false
# Number of concurrent services allowed to run at the same time
licence_count: 0

# Service configuration block (dictionary of config variables)
#     NOTE: The key names can be anything and the value can be of any types
config:
  vmray_service_url: ""
  vmray_service_api_key: ""
  verify_certificate: true
# Submission params block:
#     A list of submission param object that define parameters
#     that the user can change about the service for each of its scans
#     SUPPORTED TYPES: bool, int, str, list
# submission_params:
#   - default: ""
#     name: password
#     type: str
#     value: ""
#   - default: false
#     name: extra_work
#     type: bool
#     value: false

# Service heuristic blocks: List of heuristics object that define the different heuristics used in the service
# heuristics:
#   - description: This suspicious heuristic fakes making as a PDF
#     filetype: "*"
#     heur_id: 1
#     name: Masks has PDF
#     score: 10
#     # Even if a signature fires multiple time, this is the max score for a section
#     max_score: 1000
#   - description: This malicious heuristic fakes dropping and side-loading a DLL and has an Att&ck ID associated with it
#     filetype: "*"
#     heur_id: 2
#     name: Drops an exe
#     score: 1000
#     attack_id: T1073
#   - description: This informational heuristic fakes extracting a configuration block
#     filetype: "*"
#     heur_id: 3
#     name: Extraction config information
#     score: 10
#     # if a signature is associated to this heuristic and is present in that map it gets a different score
#     signature_score_map:
#       sig_three: 30
#       sig_four: 40
#   - description: This suspicious heuristic fakes decoding a configuration block and has an Att&ck ID associated with it
#     filetype: "*"
#     heur_id: 4
#     name: Config decoding
#     score: 100
#     attack_id: [T1027, T1127]
#   - description: This suspicious heuristic fakes an high entropy pe section
#     filetype: "*"
#     heur_id: 5
#     name: High entropy PE section
#     score: 100
#   - description: Suspicious string found during OCR analysis
#     filetype: "*"
#     heur_id: 6
#     name: Suspicious OCR Strings
#     score: 100
#   - description: Safe file detected
#     filetype: "*"
#     heur_id: 7
#     name: Safe file detected
#     score: -1000

# Docker configuration block which defines:
#  - the name of the docker container that will be created
#  - cpu and ram allocation by the container
docker_config:
  allow_internet_access: true
  image: ${REGISTRY}fbicyber/assemblyline-service-vmray:$SERVICE_TAG
  cpu_cores: 1.0
  ram_mb_min: 128
  ram_mb: 256