The new THOR version 8.44 comes with some interesting new features.
TLS/SSL Syslog Transmission
THOR version 8.44.0 supports the Syslog log transmission in an SSL/TLS encrypted form. Just set the value “TCPTLS” as protocol in the 4th position of the target definition.
thor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS
The documentation has been updated accordingly.
TLS Syslog Log Transmission
ZIP YARA Scanning
Until today the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports the scanning of ZIP file contents with the YARA rule base. However, for the time being the ZIP YARA scanning has some limitations:
- The feature is limited to files which decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes)
- The feature is limited to certain scan modes: –intense, –fsonly, –dropzone
If the feature proves to be stable, we will activate it in the default scan mode in a future minor release.
ZIP YARA Scanning
We have just recently released new, flexible and practice-oriented license packs for our scanners THOR and SPARK. These license packs will help you to get started as quickly as possible in case of an incident response, digital forensics engagement or compromise assessment.
Most packs include a short-term but unrestricted enterprise license that allows you to run THOR or SPARK on any end system within an organisation. (the default licensing includes only host-based licenses; unrestricted enterprise licenses are more expensive)
Each license pack is offered at an attractively low price.
We welcome you to our new website and encourage you to review our ‘products’ and ‘services’ sections.
From now on we will publish news about our products, articles about incident response, YARA rules, detection methods, IOCs and other interesting topics on this blog page.