Since we’ve decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, both users of the free and the commercial version started asking questions of coverage and if a scan of the respective other version is still recommended.
This blog post tries to shed some light on the issue by pointing out the differences between both scanners regarding coverage, scan intensity and availability of signatures.
The obvious advantage of THOR Lite – which is usually one of the disadvantages – is the immediate availability of untested new YARA signatures. While users usually prefer tested signatures that won’t cause hundreds or thousands of false positives, in case of the ProxyLogon vulnerability, new releases of rules cannot be fast enough.
So the obvious and only advantage of THOR Lite is that it receives rule updates multiple times a day, while THOR currently gets new signatures every 1-2 days.
The signature release schedule is as follows:
- THOR Lite (untested): on every commit in the repository
- VALHALLA (goodware tested): once per day
- THOR (goodware tested, full CI tests on 20+ operating systems): currently every 1-2 days, normally 1 per week