Meet our new fast and flexible multi-platform IOC and YARA scanner SPARK in a reduced free version named SPARK Core.

SPARK Core includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms.

While our enterprise scanner SPARK includes THOR‘s big YARA rule base, the free SPARK Core version ships with the Open Source signature base, which is part of our free Python scanner LOKI.

  • Free scanner for Windows, Linux and macOS
  • Precompiled and encrypted open source signature set
  • Update utility to download tested versions with signature updates
  • Documentation
  • Custom IOCs and signatures
  • Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
  • Scan throttling to limit the CPU usage

 

Fast

Meet our new Golang based scanner with improved performance

Multi-Platform

We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit)

Free

SPARK Core is a limited version of our scanner SPARK and offered for free. All we ask for is a Newsletter subscription.

What are the main differences to LOKI?

  • SPARK Core isn’t open source but precompiled for all major platforms
  • It is faster
  • It supports more output types: SYSLOG via udp/tcp, JSON via udp/tcp, SYSLOG format to file, JSON to file
  • It includes LOKIs signature-base in an encrypted form (no AV matches on clear-text signatures)
  • It allows custom encrypted signatures
  • It allows throttling by settings a maximum CPU usage
  • Its written in Golang (not Python 2; no more Unicode encoding errors)

It does not include all checks performed by LOKI yet, but integrates other features and open source projects, like the “go-autoruns” module, written by Claudio Guarnieri.

Why do we share our scanner for free? What’s in for us?

  • We want to provide the community with a flexible YARA and IOC scanner, which is a worthy successor to LOKI
  • You start using our free scanner, see how it works and may be able to afford one of our enterprise-grade scanners
  • All that we ask for is your email address in order to inform you about new developments

That’s it. No strings attached.

Not Included in the Free Version

THOR's Signature Set

SPARK ships with THOR’s big encrypted signature database of more than 9000 YARA signatures and undisclosed IOC sets. These signatures includes more than 2000+ web shell rules, 500+ anomaly rules, 3000+ malware rules, 1500+ hack tool and tool output rules, 300+ malicious script and macro rules, 100+ exploit code rules and more than 100 rules for registry and log file matching.

SHIM Cache Module

The SHIM Cache  module analyses contents of the AppCompatCache on Windows systems, applies all filename IOCs, anomaly regex rules or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago. 

Registry Module

The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.  

CEF Output

SPARK supports the Common Event Format (CEF) as output format for optimal ArcSight integration

DeepDive

The DeepDive feature allows you to scan image files in overlapping chunks, e.g. a memory image or pagefile.sys. You can apply your custom YARA rules and even scan whole partitions to detect deleted content in the disk’s free space.

Eventlog Module

(coming soon) The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.