THOR 10 Fusion has arrived.
It replaces our successful scanners THOR 8 and SPARK and combines the best of both worlds. It is a completely new code base that features all modules of our 4-year-old compromise assessment flagship THOR 8 and the speed and extra features of our triage scanner SPARK.
You can find an overview of the major changes in this article.
Please note that signature updates will be much more frequent due to the decoupling of program and signature files. Make sure to use thor-util version 1.8 or higher.
We plan to release new signature packs every 1-3 days and new program binaries about once a month.
The old scanners will receive updates until mid-2019. However, these updates will be less frequent.
After upgrading to ASGARD version 1.10 you’ll immediately see the new scanner in all menus.
THOR 10 will be the new default for newly scheduled scan jobs. Old scan jobs will not be touched.
Updates of program binaries and signatures can now be managed separately from the “Updates” section.
Changes to Consider
All the old command line options stayed the same as in THOR 8. However, we’d like to bring some additional features and changes to your attention.
- The THOR 10 program package now also contains a 64-bit executable (thor-x64.exe), which should produce much better process memory detection results. (ASGARD automatically selects the right binary)
- Custom settings are now configured via ./conf/thor.yml and not ./conf/thor.cfg.
- The active modules per scan mode and the log contents have been reworked. Scan results are therefore not directly comparable with previous THOR 8 scan data. The default log format stayed the same, so that old field extractions should still work.
- The log contents are more detailed and more consistent (e.g. timestamp format).
- THOR has more output options (SYSLOG formats and JSON log file output, see manual).
- Scan durations will change. The scanner is faster but has more active features like “archive YARA scanning” (better detection for Office document macro droppers).
- Sigma scanning is available, but has to be activated with “--sigma”. It uses all rules from the public rule repository.
See the already mentioned article for more changes.
If you have any questions, please contact us via the support link in the customer portal.