A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to perform a reduced scan that tried to finish within that runtime limit.
This lead to two major issues:
- Only a reduced set of modules could be activate and a limited set of elements could be scanned
- Some script runs were terminated before completion
THOR Seed version 0.18 is now able to handle this situation and provides guidance on how to proceed.
While resolving this issue we noticed that only the script run gets terminated but not the sub process, which is the actual THOR scan. So, the execution of “thor-seed.ps” gets interrupted but the sub process “thor64.exe” keeps on running in the background.
After a terminated script run, you can now simply “run thor-seed.ps1” a second time and get the info that the THOR process in the background is still running.
It includes the location of the log file and shows the last 3 lines of that file so that you can review the scan progress.
After the scan has been completed, THOR Seed shows a message that it cannot start a new scan until the log files and HTML reports have been reviewed and removed from the system.
It includes all necessary commands for you to just copy, paste and execute them.
A new guide explains all the steps and describes the integration in more detail.
The release version can be found here.
Please contact us for a current version of that document in case you encounter any issues due to outdated information.