Performance Refactoring in THOR v10.5.9 and THOR TechPreview v10.6.2

by Florian Roth, Dec 19, 2020

We are glad to announce significant performance improvements in the latest versions of THOR.

We’ve refactored several processing units so that they scan elements in bulk instead of checking each one individually. These changes affect the modules “Eventlog”, “Registry”, “RegistryHive” and “Logscan”.

The performance improvements are most noticeable on systems with big Windows event logs or large log files on disk, but also on systems that hold many registry hives, such as domain controllers or multi-user systems.

As these changes result in significant speed benefits, we’ve decided to no longer apply the “max-file-size” limit to some of these elements.

In the past, log files or registry hives bigger than “max-file-size” (default 12MB) were skipped in the normal scan modes. Only in intense mode (--intense) and lab scanning mode (--fsonly, or --lab in TechPreview) were these files included and analyzed by the respective modules.

THOR v10.5.9 and THOR v10.6.2 TechPreview now include these elements in the deeper analysis during file system scans, regardless of their size. In some cases this could lead to longer scan times. We nevertheless expect overall scans to turn out surprisingly faster, and we would be interested in feedback on the scan durations in your environments.
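To estimate what the change means for a particular host before running the scanner, the following added example (not THOR code, and not part of the original post) inventories the element types the affected modules handle and reports those larger than the default “max-file-size”, i.e. the elements that were skipped in normal scan modes before and are now scanned. The well-known Windows locations of event logs and registry hives are assumed from a standard system layout, and the post does not say whether THOR counts MB as 1,000,000 or 1,048,576 bytes; 1,048,576 is assumed here. The sample inventory at the bottom is constructed, not taken from a real system.

```python
import ntpath
import os

# Default "max-file-size" as stated in the post: 12 MB.
# Assumption: THOR counts MB as 1,048,576 bytes (the post does not say).
DEFAULT_MAX_FILE_SIZE = 12 * 1024 * 1024

# Element types handled by the refactored modules. The live "Registry" module
# reads the running registry and has no on-disk counterpart, so only
# "RegistryHive" (hive files), "Eventlog" and "Logscan" are matched here.
# Assumption: standard Windows names for hive files and event logs.
EVENTLOG_SUFFIXES = (".evtx", ".evt")
HIVE_NAMES = {"system", "software", "sam", "security", "default",
              "ntuser.dat", "usrclass.dat"}
LOG_SUFFIXES = (".log", ".txt")


def classify(path):
    """Map a file path to the THOR module that would process it, or None."""
    # ntpath.basename handles both "\" and "/" separators on any platform.
    name = ntpath.basename(path).lower()
    if name.endswith(EVENTLOG_SUFFIXES):
        return "Eventlog"
    if name in HIVE_NAMES:
        return "RegistryHive"
    if name.endswith(LOG_SUFFIXES):
        return "Logscan"
    return None


def oversized(inventory, max_file_size=DEFAULT_MAX_FILE_SIZE):
    """Return the elements of the affected modules that exceed max_file_size.

    inventory: iterable of (path, size_in_bytes). Result is a list of dicts
    sorted by size, largest first.
    """
    hits = []
    for path, size in inventory:
        module = classify(path)
        if module is None or size <= max_file_size:
            continue
        hits.append({"path": path, "size": size, "module": module})
    hits.sort(key=lambda h: h["size"], reverse=True)
    return hits


def summarize(hits):
    """Total bytes per module that move from 'skipped' to 'scanned'."""
    totals = {}
    for h in hits:
        totals[h["module"]] = totals.get(h["module"], 0) + h["size"]
    return totals


def walk_inventory(root):
    """Yield (path, size) for every regular file below root (for a live host)."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                yield p, os.path.getsize(p)
            except OSError:
                continue  # unreadable or vanished file; skip it


# Constructed sample inventory (not from a real system) so the script runs offline.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\winevt\Logs\Security.evtx", 268_435_456),
    (r"C:\Windows\System32\winevt\Logs\Application.evtx", 4_194_304),
    (r"C:\Windows\System32\config\SOFTWARE", 95_000_000),
    (r"C:\Users\alice\NTUSER.DAT", 13_000_000),
    (r"C:\Users\bob\NTUSER.DAT", 2_000_000),
    (r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex201219.log", 40_000_000),
    (r"C:\Windows\System32\drivers\etc\hosts", 1_024),
]

if __name__ == "__main__":
    # On a real host replace SAMPLE_INVENTORY with walk_inventory(r"C:\").
    hits = oversized(SAMPLE_INVENTORY)
    for h in hits:
        print(f"{h['module']:<13} {h['size'] / 2**20:8.1f} MiB  {h['path']}")
    print(summarize(hits))
```

The totals per module give a rough idea of how much additional data the new default pulls into the deeper analysis; a host whose Security.evtx alone is several hundred MB will feel the change more than one with a handful of 13 MB user hives.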

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
