THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning

The new THOR version 8.44 comes with some interesting new features.

TLS/SSL Syslog Transmission

THOR version 8.44.0 supports the Syslog log transmission in an SSL/TLS encrypted form. Just set the value “TCPTLS” as protocol in the 4th position of the target definition.

thor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS

The documentation has been updated accordingly.

TLS Syslog Log Transmission

ZIP YARA Scanning

Until today the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports the scanning of ZIP file contents with the YARA rule base. However, for the time being the ZIP YARA scanning has some limitations:

  1. The feature is limited to files which decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes)
  2. The feature is limited to certain scan modes: –intense, –fsonly, –dropzone

If the feature proves to be stable, we will activate it in the default scan mode in a future minor release.

ZIP YARA Scanning