Getting Started FAQ

Following are answers to frequently-asked questions about getting started with Project Freta.

Who can use this?

As of July 6, 2020, Project Freta is available to the public at no cost and with no usage limit, subject to the Preview Terms.

How do I access the Portal?

You may access the Freta portal here: https://freta.microsoft.com/

Note that you'll need to authenticate with a Microsoft Account (MSA) or Azure Active Directory (AAD) account to get started. Upon browsing to the portal the first time, you'll be presented with the following dialog:

MSA

Microsoft Accounts (MSAs) use an email address as the username, and can be from any domain that's not specifically reserved for use with Azure Active Directory. Any hotmail.com, live.com, or outlook.com email account is already configured as an MSA, and you can use your existing email account as an MSA by signing up at https://signup.live.com/. For added security, we recommend that you enable two-factor authentication.

AAD

Azure Active Directory (AAD) accounts can also be used if your organization has signed up for OrgID. In this case, the user account name would typically be the user's organization-provided domain account or email address, such as user@microsoft.com or user@contoso.com.

How do I get a memory image for analysis?

You can either capture an AVML or LiME file from a running Linux machine, convert another format such as a VMware snapshot to RAW, or extract a VMRS file from Hyper-V or another compatible hypervisor running a Linux guest.

Please see How To Capture an Image for more details.

How do I submit a memory image for analysis?

Two ways: manually via the user portal or programmatically via the API.

How can I get results?

Two ways: manually via the user portal (specifically the option to export the report as JSON) or programmatically via the API.

Why didn't my snapshot analyze correctly?

The process by which Project Freta parses and extracts metadata from arbitrary memory images is complex, and can fail due to a number of conditions: corrupted file, invalid image, unknown kernel, and so on, as detailed in our troubleshooting guide.

Improving the debugging experience, so that users and automated agents can dig into these failures and bucket and triage them, is at the top of our roadmap.

Where will my uploaded images be kept?

Memory images are stored in the Azure region East US. You have the ability to delete them, via the portal or API, at any time.

What will Microsoft do with my uploaded images?

The memory images you submit to Project Freta are analyzed to identify the image's kernel, enumerate associated system objects such as processes and open files, and infer the existence of malware such as rootkits. All of this metadata is made available to you via the portal or API.

Should I delete images after getting the report?

You certainly may. However, since our analysis engine improves over time, we may in the future be able to identify previously-undetected malware strains in memory images you keep in your account. This could provide a historical view of when these now-detectable strains first appeared in your images.

What data does Microsoft keep?

The only data that we keep after an image is deleted is the malware we find, which is used to improve the quality of our service (discovering and publicizing hostile techniques for sabotaging operating systems and security sensors) over time.

Please visit the Your data section of our EULA for more detail.

How do I know my data is safe?

The Project Freta team recognizes that memory image snapshots are likely to contain all types of information that the computer system was processing at the time. Even though Project Freta is a research technology demonstration, we have worked diligently to ensure that the implementation and operation of this service meets the same high security and privacy standards as other Microsoft cloud services.

How can I automate Project Freta analysis?

Project Freta's functionality can be automated via its command-line interface or its API. We have included a number of examples in our public GitHub repo at https://github.com/microsoft/project-freta.

This example runs against an Azure subscription to install and launch AVML on each Linux VM, and submit the resulting memory images for analysis.
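As an added example that is not code from the Project Freta repository, the following shell script performs the capture half of that workflow with the Azure CLI: it enumerates the Linux VMs in the current subscription and runs AVML on each one through run-command, leaving a compressed LiME image on the guest. It assumes az is installed and logged in, that the guests can download the AVML release binary from GitHub (the asset name is an assumption), and that the resulting images are then submitted through the portal or API as described above; the upload step is left out because the client's exact commands are not given on this page.

```bash
# Added example, not from the Project Freta repository: enumerate the Linux VMs in the
# current Azure subscription and run AVML on each one through Azure run-command, leaving
# a compressed LiME image on the guest for submission to Freta via the portal or API.
# Assumptions: az is installed and logged in, guests can reach GitHub, and the AVML
# release asset is named "avml".
set -eu

AVML_URL="https://github.com/microsoft/avml/releases/latest/download/avml"  # assumed asset name
IMAGE_PATH="/tmp/memory.lime"
# Script executed on the guest. Kept in a function so it can be inspected and tested
# without contacting Azure.
build_capture_script() {
  out="$1"
  cat <<EOF
set -e
curl -sSL -o /tmp/avml "$AVML_URL"
chmod +x /tmp/avml
/tmp/avml --compress "$out"
EOF
}

# Emit "resourceGroup<TAB>name" for every VM whose OS disk is Linux (JMESPath filter).
list_linux_vms() {
  az vm list \
    --query "[?storageProfile.osDisk.osType=='Linux'].[resourceGroup,name]" \
    -o tsv
}

# Run the capture script on one VM; RunShellScript executes it as root on the guest.
capture_on_vm() {
  rg="$1"; name="$2"
  az vm run-command invoke -g "$rg" -n "$name" \
    --command-id RunShellScript \
    --scripts "$(build_capture_script "$IMAGE_PATH")" \
    --query 'value[0].message' -o tsv
}

main() {
  tab="$(printf '\t')"
  list_linux_vms | while IFS="$tab" read -r rg name; do
    [ -n "$name" ] || continue
    capture_on_vm "$rg" "$name"
  done
}

# Guarded so that sourcing or testing the file does not touch Azure; set FRETA_CAPTURE_RUN=1 to run.
if [ "${FRETA_CAPTURE_RUN:-0}" = "1" ]; then
  main
fi
```

Run-command returns the guest script's stdout and stderr in its message field, so a failed download or an AVML error on a given VM shows up in the loop output rather than silently leaving no image behind.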

May I run Project Freta in my own environment?

Project Freta is not an analyst framework; it is a cloud framework, consisting of three components:

  • Azure
  • A very large continuous-update data asset containing operating system metainformation
  • The Project Freta binaries

All three are required for the project to function; in this way, it can be thought of as a search engine and has the same portability constraints as a search engine: it cannot function without a copy of Azure, and it cannot function without a very large data asset that is continuously refreshed. Customers wishing to obtain a copy of Project Freta should meet the following minimum installation requirements:

  • A physical instance of the Azure cloud (sovereign cloud partners, government cloud partners, etc.)
  • Ability to continuously sync a massive data asset in partnership with Microsoft Research (sync can happen via a data-diode style approach)

If you meet these minimum requirements and wish to operate an instance of Project Freta, please contact us at project-freta@microsoft.com.

Where did you get the name?

Project Freta, pronounced Fret-Uh, is named for ul. Freta 16 in Warsaw, Poland, the birthplace of Marie Skłodowska-Curie. Among her many other accomplishments, Skłodowska-Curie famously brought medical imaging to the battlefield; we seek to bring advanced imaging to the cloud.