Free IOC and YARA Scanner

Meet our new fast and flexible multi-platform IOC and YARA scanner THOR in a reduced free version named THOR Lite.

THOR Lite includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms.

While our enterprise scanner THOR uses VALHALLA‘s big YARA rule base, the free THOR Lite version ships with the Open Source signature base, which is also part of our free Python scanner LOKI.

Free scanner for Windows, Linux and macOS
Precompiled and encrypted open source signature set
Update utility to download tested versions with signature updates
Documentation
Option add your custom IOCs and signatures
Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
Scan throttling to limit the CPU usage



Fast

Meet our new Go based scanner with improved performance

Multi-Platform

We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit)



Free

THOR Lite is a limited version of our scanner THOR and offered for free. All we ask for is a Newsletter subscription.

What are the main differences to LOKI?

THOR Lite isn’t open source but precompiled for all major platforms
It is faster
It supports more output types: SYSLOG via udp/tcp, JSON via udp/tcp, SYSLOG format to file, JSON to file
It includes LOKIs signature-base in an encrypted form (no AV matches on clear-text signatures)
It allows custom encrypted signatures
It allows throttling by settings a maximum CPU usage
Its written in Go (not Python)

It does not include all checks performed by LOKI yet, but integrates other features and open source projects, like the “go-autoruns” module, written by Claudio Guarnieri.

THOR Lite

Free Community Edition

Windows, Linux, macOS
No central management via ASGARD
No technical support
No legacy version for Windows XP, 2003, 2008
5 modules, e.g. no Sigma, no eventlog, no archive, no registry scanning (see full comparison)
No special scan modes: dropzone, remote scanning
No multi-threaded scanning
Open source YARA rule set (4,000+ rules)
Without THOR’s rule set (17,000+ rules)
Without THOR’s IOC and pattern set (~10,000 file patterns, mutexes, named pipes etc.)
Without Nextron’s private Sigma rule set

Download THOR Lite

THOR

Full-Featured Scanner

Windows, Linux, macOS, AIX
Central management via ASGARD
5×8 technical support
Legacy version for Windows XP, 2003, 2008
all 27 detection modules (see full comparison)
Special scan modes: dropzone, remote scanning, lab scan mode, web service mode (Thunderstorm)
Multi-threaded scanning
Open source YARA rule set (4,000+ rules)
With THOR’s rule set (17,000+ rules)
With THOR’s IOC and pattern set (~10,000 file patterns, mutexes, named pipes etc.)
With Nextron’s private Sigma rule set

Request a Trial

Not Included in the Free Version

Without THOR's Signature Set

THOR ships with VALHALLA’s big encrypted signature database of more than 17,000 YARA signatures and undisclosed IOC sets. These signatures includes web shell rules, anomaly rules, malware rules, hack tool and tool output rules, malicious script and macro rules, exploit code rules and rules for registry and log file matching.

No Sigma Scanning

The full THOR versions applies 1000+ Sigma rules on log data of the scanned end systems using the –sigma flag.

No Registry Module

The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.

No Eventlog Module

(coming soon) The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.

No SHIM Cache Module

The SHIM Cache module analyses contents of the AppCompatCache on Windows systems, applies all filename IOCs, anomaly regex rules or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago.

Other Missing Modules and Features

THOR Lite has many other modules and features that the full THOR version provides. You can find a full comparison here.

Newsletter and Download Subscription

Thank you for your interest in THOR Lite.
Subscribe with the form below. We will send you a license and download link via email.

Email Address *

First Name *

Last Name *

Company

City

Country

Your email address is only used for this newsletter and download subscription. You can always use the unsubscribe link included in the newsletter. One-time email addresses will be blocked from updates.

Accept our Privacy Policy. *