ASGARD: Check your Signature Versions

by Christian BurkardDec 17, 2021

It came to our attention that under certain circumstances, after the upgrade to ASGARD 2.11, some ASGARD instances lost their scheduled task to automatically assign the newest signatures to scan jobs . We advice customers to review their update configuration if they are affected. Go to Updates > Scanners and Signatures. If you are affected the column ‘Automatically use newest version’ shows ‘not configured’.

In order to resolve this issue, you need to schedule a time for signature updates. Use the action button with the clock icon. We recommend an interval of 1 day (see the screenshot).

After you have entered the new schedule, you should see the configured date and interval in the “Automatically use newest revision” column.

The same mechanism is used to configure when new THOR versions should be used for scans. We recommend to use the default, which is also a daily update interval.

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.