Introduction THOR TechPreview

Aug 31, 2020

Since its early days, THOR has always been focused on stability and detection rate. With the early module and feature set, we never had to make a compromise. 

However, during the last 1-2 years, we had to make some decisions on the integration of new features and their default state in favor of stability. These decisions include, for example, the process dump feature, the PE-Sieve integration and Sigma scanning.

Detection and stability have become two competing goals. We do not want to make these hard decisions anymore and leave them to you. You decide, based on your use case, if you want to use the version with the newest features and detection capabilities or the one with a maximum of stability.

With THOR version 10.6 we introduce a version named THOR TechPreview, which includes the newest features, refactored modules and new modes of operation. 

THOR TechPreview is a special THOR version that contains the newest modules and great detection features, which have not yet been tested on thousands of systems.

Florian Roth

Head of Research

The first release of THOR TechPreview will be version 10.6.
The standard version of THOR remains version 10.5 until the refactored and new features of the TechPreview have been proven to be stable. New versions of THOR TechPreview are expected once a month, while new minor versions of THOR will be released only twice a year. Both versions receive bugfix updates and use the same signature set.

ASGARD and THOR TechPreview

The current ASGARD Management Centers continue to use the standard THOR versions. The next minor release, ASGARD 2.6, which is planned for October 2020, includes the option to use the TechPreview variant.

Recommended Use Cases

The TechPreview version is recommended for all use cases in which detection capabilities have higher priority than stability. For example, we would always recommend the TechPreview for image scans in a forensics lab.

Internal Testing

THOR TechPreview is not an untested version. It still goes through our internal testing on almost a hundred different test systems in 4 different test configurations.

Getting Started

Customers can download the new THOR TechPreview version from the download section in the customer portal once it gets released. Thor-Util version 1.11+ also supports the TechPreview download. We’ve planned the release for September 8.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
