THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview

by Florian Roth, Nov 23, 2024

We are excited to announce that THOR 10.7 will become the new default scanner version for ASGARD users starting Thursday, November 28th, 2024.

This update introduces significant performance enhancements, including faster scan times, improved archive handling, and refined resource management. ASGARD-managed scans initiated after this date will default to THOR 10.7 unless configured otherwise, ensuring that all customers benefit from the latest detection capabilities and optimizations. Existing scheduled group scans will continue using their previously configured scanner versions (typically THOR 10.6), with clear warnings and options to update to the new version.

Key Features in THOR 10.7

  • Memory-Mapped File Scanning: Enhanced speed and reduced I/O bottlenecks.
  • Improved JSON Reporting: More detailed and structured output.
  • Selective Initialization: Advanced selectors and filters to streamline scans.
  • Email Parsing: Scans email formats like .eml and .msg for embedded threats.
  • Enhanced Archive Scanning: Support for .cab, .7z, .gzip, and recursive nested archive scanning.
  • Bulk Scanning Optimization: Improved throughput for large-scale scanning.
  • Refined HTML Report Generation: Lower memory usage and reduced CPU load during processing.
  • Unified YARA Rule Sets: A single rule set with namespaces for higher performance.
  • Configurable Color Schemes and Output Encryption: Enhanced customization and security.
  • Output Encryption at Runtime

New Features in THOR 10.7: Enhancements and Flexibility

Enhancing Detection and Efficiency with Memory-Mapped Scanning

One of the most impactful improvements in THOR 10.7 is the introduction of memory-mapped file scanning, which significantly accelerates scans and reduces disk I/O. This new approach improves overall performance by leveraging memory for file access, allowing scans to complete faster while decreasing wear on disks. For most environments, these improvements will result in more efficient scanning with minimal configuration changes.

To ensure that THOR 10.7 operates reliably across diverse environments, users have options to tailor memory usage:

  • Disable memory mapping with the --nommap flag, which may be useful for systems with strict memory limitations, though this comes at the cost of slower scans.
  • Fine-tune resource control: ASGARD adjusts THOR’s resource settings dynamically, optimizing scan reliability for both high-performance and resource-constrained systems.
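To make the trade-off behind the --nommap flag concrete, here is an added illustration (not THOR's code, and not the scanner's actual signature engine) of the two file-access strategies it chooses between. The mmap path lets the kernel serve pages from the page cache with no intermediate read() buffer; the buffered fallback reads fixed-size chunks and has to carry an overlap so a pattern split across a chunk boundary is still found. The patterns, the sample file and the chunk size are constructed for the demonstration; the zero-length file case is handled explicitly because mmap refuses to map an empty file.

```python
import mmap
import os
import tempfile

# Constructed byte patterns standing in for signatures; they are not THOR rules.
PATTERNS = {
    "demo_webshell_marker": b"<?php eval(",
    "demo_generic_marker": b"DEMO-PATTERN-1",
}


def scan_mmap(path, patterns):
    """Map the file into the address space and search it in place.

    The kernel serves pages straight from the page cache, so no read()
    copies into a user-space buffer are needed. A zero-length file cannot
    be mapped (mmap raises ValueError), so it is reported as clean.
    """
    hits = []
    with open(path, "rb") as fh:
        try:
            mm = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
        except ValueError:
            return hits
        with mm:
            for name, pat in patterns.items():
                off = mm.find(pat)
                if off != -1:
                    hits.append((name, off))
    return hits


def scan_buffered(path, patterns, chunk_size=1 << 20):
    """Fallback used when mapping is disabled (the --nommap case).

    Reads fixed-size chunks and carries an overlap of len(longest pattern)-1
    bytes between chunks, so a pattern straddling a chunk boundary is still
    found. Buffer offsets are converted back to absolute file offsets.
    """
    hits, found = [], set()
    overlap = max((len(p) for p in patterns.values()), default=1) - 1
    tail, base = b"", 0  # base = file offset of the chunk just read
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for name, pat in patterns.items():
                if name in found:
                    continue
                off = buf.find(pat)
                if off != -1:
                    found.add(name)
                    hits.append((name, base - len(tail) + off))
            tail = buf[-overlap:] if overlap else b""
            base += len(chunk)
    return hits


def scan_file(path, patterns=PATTERNS, use_mmap=True, chunk_size=1 << 20):
    """use_mmap=False mirrors what --nommap does: same results, more copying."""
    if use_mmap:
        return scan_mmap(path, patterns)
    return scan_buffered(path, patterns, chunk_size)


def demo():
    """Build a constructed sample in which one pattern straddles a 1 KiB chunk
    boundary, scan it both ways plus an empty file, and return the results."""
    tmpdir = tempfile.mkdtemp()
    sample = os.path.join(tmpdir, "sample.bin")
    empty = os.path.join(tmpdir, "empty.bin")
    with open(sample, "wb") as fh:
        fh.write(b"A" * 1020)                       # pattern starts at offset 1020
        fh.write(PATTERNS["demo_webshell_marker"])  # 11 bytes, crosses offset 1024
        fh.write(b"B" * 500)
        fh.write(PATTERNS["demo_generic_marker"])   # starts at offset 1531
    open(empty, "wb").close()
    return {
        "mmap": sorted(scan_file(sample, use_mmap=True)),
        "nommap": sorted(scan_file(sample, use_mmap=False, chunk_size=1024)),
        "empty": scan_file(empty, use_mmap=True),
    }


if __name__ == "__main__":
    print(demo())
```

Both strategies must report identical hits; what differs is the amount of copying and bookkeeping, which is exactly the cost --nommap accepts in exchange for a smaller, more predictable memory footprint.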

Initialization Filters and Selectors

With THOR 10.7, the Init Selector and Init Filter functionalities offer unparalleled flexibility in customizing scans. These options enable users to focus on specific threat campaigns or exclude less relevant rules for tailored scanning workflows.

For example:

  • Use --init-selector to target specific threats or campaigns:
    --init-selector MOVEit
    --init-selector RANSOM,Lockbit
    
  • Use --init-filter to exclude rules you don’t need:
    --init-filter PUA_TeamViewer

These filters apply to rule names, tags, and descriptions, offering granular control over signature selection. Combined with the --print-signatures or --print-signatures-json flags, users can verify selected or excluded rules, ensuring precision in their scans. This feature is particularly useful for targeted threat investigations, optimizing performance while maintaining detection accuracy.
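The following added example models how selectors and filters narrow a rule set so you can reason about what a --print-signatures check should show. It is illustration code, not THOR's implementation: the rule records, their field names, and the matching semantics (case-insensitive substring match over name, tags and description; any selector keyword selects; any filter keyword excludes; filters win over selectors) are assumptions made for the demonstration.

```python
# Constructed rule metadata. Field names and the matching semantics below are
# assumptions for illustration; they are not THOR's internal rule schema.
RULES = [
    {"name": "EXPL_MOVEit_Transfer_Indicator_Demo",
     "tags": ["EXPLOIT", "WEBSHELL"],
     "description": "Demo indicator for MOVEit Transfer exploitation"},
    {"name": "MAL_RANSOM_Lockbit_Demo",
     "tags": ["MALWARE", "RANSOM"],
     "description": "Demo LockBit ransomware sample"},
    {"name": "MAL_RANSOM_Generic_Demo",
     "tags": ["MALWARE", "RANSOM"],
     "description": "Demo generic ransom note marker"},
    {"name": "PUA_TeamViewer_Demo",
     "tags": ["PUA"],
     "description": "Demo remote support tool, legitimate in many networks"},
    {"name": "HKTL_Generic_Demo",
     "tags": ["HKTL"],
     "description": "Demo hack tool strings"},
]


def parse_keywords(value):
    """'RANSOM,Lockbit' -> ['RANSOM', 'Lockbit']; empty entries are dropped."""
    return [k.strip() for k in value.split(",") if k.strip()]


def rule_matches(rule, keyword):
    """Case-insensitive substring match over name, tags and description
    (assumed semantics, modelled on the page's description of the filters)."""
    kw = keyword.lower()
    fields = [rule["name"], rule.get("description", "")] + list(rule.get("tags", []))
    return any(kw in f.lower() for f in fields)


def select_rules(rules, selectors=(), filters=()):
    """Keep rules hit by any selector (all rules when no selector is given),
    then drop rules hit by any filter. Filters win over selectors."""
    if selectors:
        rules = [r for r in rules if any(rule_matches(r, s) for s in selectors)]
    return [r for r in rules if not any(rule_matches(r, f) for f in filters)]


def signature_names(rules, selectors=(), filters=()):
    """The list a --print-signatures style check would let you verify."""
    return [r["name"] for r in select_rules(rules, selectors, filters)]


if __name__ == "__main__":
    print(signature_names(RULES, selectors=parse_keywords("MOVEit")))
    print(signature_names(RULES, selectors=parse_keywords("RANSOM,Lockbit")))
    print(signature_names(RULES, filters=parse_keywords("PUA_TeamViewer")))
```

Because a keyword is matched against descriptions and tags as well as names, a broad selector such as RANSOM pulls in every rule that merely mentions the word; verifying the resulting list before a large scan is what the --print-signatures flags are for.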

JSON Enhancements and the Road Ahead

THOR 10.7 introduces the JSON format version 2, offering significant improvements to the structure and usability of scan outputs. This new format enhances compatibility with modern forensic tools and workflows, making it easier to extract and analyze critical information. Users can activate JSON version 2 with the following flags:

--jsonfile --jsonv2

While JSON version 2 represents a major step forward, it is also a transitional format. The upcoming release of THOR 11 will feature an even more comprehensive JSON format version 3 (or version 2.1). This future iteration will incorporate fully nested structures and lists, ensuring seamless integration with advanced tools like SIEM systems and Cribl configurations. These enhancements will provide greater detail and flexibility for in-depth investigations and automated workflows.

Organizations adopting JSON version 2 in THOR 10.7 will benefit immediately from its improvements and find the transition to the next version in THOR 11 straightforward, ensuring continuous compatibility and advanced functionality.

Email Parsing and Enhanced Archive Scanning

THOR 10.7 expands its capabilities with improved support for email and archive scanning:

  • Email Parsing: THOR can now scan .eml and .msg email formats, detecting malicious attachments and embedded threats. This feature ensures more thorough coverage of phishing-related attacks and email-borne threats.
  • Enhanced Archive Handling: Support for .cab, .7z, and .gzip files, as well as recursive scanning of nested archives, allows users to detect threats hidden in complex compressed file structures. These improvements streamline the process of analyzing large datasets or artifact collections, ensuring no malicious content is overlooked.

Together, these features strengthen THOR’s ability to detect threats hidden in commonly abused file formats, making it a powerful tool in comprehensive compromise assessments and incident investigations.
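As an added illustration of what email parsing combined with recursive archive scanning has to do, the example below (written for this page, not taken from THOR) walks every MIME part of a constructed .eml, decodes the attachment, and unpacks zip and gzip containers recursively until it reaches the content. The marker string, the depth limit and the decompression budget are constructed values; the limits are there because a scanner that recurses into nested archives must bound both nesting depth and expanded size, or a small, highly compressible attachment can exhaust its memory.

```python
import gzip
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MARKER = b"DEMO-MALICIOUS-MARKER"  # constructed stand-in for a signature hit
MAX_DEPTH = 5                      # assumed nesting limit, not THOR's value
MAX_UNPACKED = 10 * 1024 * 1024    # assumed per-member decompression budget


def build_sample_eml():
    """Constructed test mail: attachment.zip -> inner.gz -> text containing MARKER."""
    payload = b"harmless prefix " + MARKER + b" suffix"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.gz", gzip.compress(payload))
        zf.writestr("readme.txt", b"nothing to see here")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached archive.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="attachment.zip")
    return msg.as_bytes()


def nest_gzip(data, levels):
    """Wrap data in `levels` layers of gzip (used to exercise the depth limit)."""
    for _ in range(levels):
        data = gzip.compress(data)
    return data


def scan_bytes(data, label, depth=0):
    """Scan one blob; if it is a zip or gzip container, unpack and recurse.

    Returns a list of (label, finding). Recursion stops at MAX_DEPTH and
    members larger than MAX_UNPACKED are skipped, so a deeply nested or
    highly compressible archive cannot exhaust memory.
    """
    findings = []
    if MARKER in data:
        findings.append((label, "marker"))
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    is_gzip = data[:2] == b"\x1f\x8b"  # gzip magic bytes
    if (is_zip or is_gzip) and depth >= MAX_DEPTH:
        findings.append((label, "max-depth-reached"))
        return findings
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    inner = member.read(MAX_UNPACKED + 1)  # bounded read
                child = f"{label}/{info.filename}"
                if len(inner) > MAX_UNPACKED:
                    findings.append((child, "skipped-too-large"))
                else:
                    findings += scan_bytes(inner, child, depth + 1)
    elif is_gzip:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gf:
            inner = gf.read(MAX_UNPACKED + 1)  # bounded read
        child = f"{label}/gunzip"
        if len(inner) > MAX_UNPACKED:
            findings.append((child, "skipped-too-large"))
        else:
            findings += scan_bytes(inner, child, depth + 1)
    return findings


def scan_eml(raw):
    """Walk every leaf MIME part of an .eml and scan its decoded bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        label = part.get_filename() or part.get_content_type()
        findings += scan_bytes(data, label)
    return findings


if __name__ == "__main__":
    print(scan_eml(build_sample_eml()))
```

The finding label records the full container path (attachment.zip/inner.gz/gunzip), which is the detail an analyst needs when a hit sits several layers deep; the bounded reads and depth cap are the two controls that keep nested-archive scanning safe on large artifact collections.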

Effects of Changes for ASGARD Customers

THOR 10.7 introduces a more adaptive resource management approach in ASGARD to reduce scan failures caused by memory constraints. Previously, ASGARD enforced a strict 2GB memory cap, which occasionally caused scan interruptions even on systems with ample available memory.

With the updated mechanism:

  • ASGARD evaluates memory usage dynamically, terminating THOR scans only if the process exceeds 2GB and uses more than 50% of the system’s total memory. This ensures scans proceed smoothly on high-memory systems while protecting systems with limited resources.
  • The “Ignore Memory Limit” option allows customers to completely bypass these checks, enabling scans to continue regardless of memory usage.

Existing group scans will retain their current THOR versions (e.g., 10.6) but can be updated to 10.7. Starting November 28th, all new scans—including single and group scans—will default to THOR 10.7, ensuring customers benefit from the latest features and optimizations.

Configuring THOR 10.7 for Limited Hardware Resources

For systems operating under tight hardware constraints, users can disable memory mapping with the --nommap flag. While this option reduces memory usage, it may lead to slower scan speeds and increased disk activity. For most ASGARD-managed environments, we recommend keeping memory mapping enabled to fully leverage THOR 10.7’s performance improvements. This flexibility allows users to adapt the scanner to diverse operational requirements without compromising its core functionality.

End-of-Support Announcements

  • THOR 10.6: The current stable version will reach its end-of-life (EOL) on April 30, 2025. Users are encouraged to upgrade to THOR 10.7 to ensure continued support and access to the latest features.
  • Legacy Systems Support: The upcoming THOR 11 TechPreview will discontinue support for older operating systems, including Windows 7, Windows 8, Windows 2008 R2, and Windows 2012. Customers relying on these platforms can continue using THOR Legacy with a legacy license to maintain scanning capabilities.

Conclusion

The release of THOR 10.7 as the default version for ASGARD represents a significant step forward in detection capabilities, efficiency, and reliability. With faster scans, reduced disk I/O, and customizable resource controls, THOR 10.7 is designed to perform optimally across diverse environments. While existing group scans will continue using their configured scanner versions, we recommend upgrading to THOR 10.7 to take full advantage of its advanced detection capabilities and optimizations.

Starting November 28th, all new scans will default to THOR 10.7, ensuring your organization is equipped with the latest and most robust scanner available. Embrace this opportunity to enhance your detection workflows and strengthen your security posture with THOR 10.7.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
