Does THOR require an installation?

No. THOR is a portable scanner that is provided as compressed archive or folder. This archive or folder contains the THOR binaries, signature files and auxiliary tools. THOR just has to be copied to the target system, provided on a network share or executed via ASGARD Scan Control.

Does THOR require administrative rights?

It is highly recommended to start THOR „as Administrator“. This is important to provide THOR with access to all relevant elements (‘Security‘ Eventlog, system files etc.). The detection rate is limited when THOR is started without administrative rights.

Where are the output files written to?

The output files (TXT, HTML, CSV) are generated in the working directory from which THOR is executed. This means that if you start THOR from a network share while your current directory is “C:\”, all output files will be written to “C:\”. Note that if THOR is executed by a service or script in the LOCAL_SYSTEM context, all output files are written to the folder “C:\Windows\System32\Config\systemprofile” by default.

How long does a scan typically take?

THOR scans typically take 1 to 12 hours. 90% of the scans finish after 4 hours. In rare cases scans take longer than 12 hours. Possible reasons could be big file systems with a lot of relevant files (avoid with “–quick”), big local eventlog files (> 512MB; avoid with “–noeventlog”) or a permanent high CPU load caused by other processes on that system (avoid with “–nolowprio” but consider the risk).

Which parameters do you recommend?

THOR already has very good default settings and applies some of them during initialization automatically. It deactivates and activates certain modules depending on the system type (DC/server/workstation) and hardware configuration (<1024MB RAM, <2 CPU cores leads to “soft” mode scans). These automatic adjustments are reported during scan start as “Notice” level messages (light blue color). All automatic adjustments can be overwritten. An often used parameter is the “-e output-dir” to set a different output directory, e.g. on a network share with write access or a special place in the file system from which the reports are collected after the scan. We recommend the “THOR Cheat Sheet”, which can be found in the “./docs” sub folder.

How should we run THOR on many remote systems?

There is no preferred way to execute THOR on many remote systems. The most common way is to define a scheduled task via GPO that runs THOR from a network share and sends the log data to a central SIEM / Syslog receiver. THOR can also be packaged and deployed via software distribution (e.g. SCCM; note the long run times). Others use special script sets (Batch/PowerShell) that they use for administration. We provide the ASGARD Scan Control platform to schedule and execute THOR scan runs. See the chapter 5.1 of the THOR manual in the “./docs” folder for details.

What should be done after the scan?

The output files should be removed after the scan to avoid that they fall into the hands of possible attackers or cause noisy false positives in future scan runs. It is important to note that a simple deletion just moves the reports to the recycler, where THOR and attackers still find them. Please empty the recycler afterwards or delete the files by pressing “Shift+Del”, which removes them completely and doesn’t move them to the Recycler in the first place.