THOR TechPreview version 10.6.8 will introduce a completely new module named ETW Watcher, which runs in a separate thread and monitors the systems during a scan run. As its name indicates, the ETW Watcher module makes use of Event Tracing for Windows (ETW). So,...
Last week, we've released a blog post on how to detect HAFNIUM activity with the use of THOR Lite. Since our first set of rules, we've added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule...
Since we've decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, both users of the free and the commercial version started asking questions of coverage and if a scan...
A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to...
Following THOR's approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible. Users liked...
We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. Improved HTML ReportsThe new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from...
We are glad to announce significant performance improvements in the latest versions of THOR. We've refactored several processing units to bulk scan elements that have previously been checked each at a time. These changes affect the modules "Eventlog", "Registry",...
We've been working on a legacy version of our scanner THOR 10 for a while and started our closed BETA, which is available to all current customers on special request. The THOR legacy version does not include the following modules/features: Module: Eventlog scanning...
THOR version 10.6, which is currently available as TechPreview, introduces several new features that facilitates the use of THOR in a digital forensics lab. Since not all of the features provided with the "Forensic Lab" license type are well-known, we would like to...
We are proud to announce a groundbreaking new scan mode named "Thunderstorm" that we've integrated into preview builds of the upcoming THOR version 10.6. This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per...
We are proud do announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We've discussed the split-up into THOR and THOR TechPreview in a previous post. The following post describes the most important new feature of the THOR...
Since its early days, THOR has always been focused on stability and detection rate. With the early module and feature set, we never had to make a compromise. However, during the last 1-2 years, we had to make some decisions on the integration of new features and...