Meet our new fast and flexible multi-platform IOC and YARA scanner THOR in a reduced free version named THOR Lite.
THOR Lite includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms.
- Free scanner for Windows, Linux and macOS
- Precompiled and encrypted open source signature set
- Update utility to download tested versions with signature updates
- Option add your custom IOCs and signatures
- Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
- Scan throttling to limit the CPU usage
Meet our new Go based scanner with improved performance
What are the main differences to LOKI?
- THOR Lite isn’t open source but precompiled for all major platforms
- It is faster
- It supports more output types: SYSLOG via udp/tcp, JSON via udp/tcp, SYSLOG format to file, JSON to file
- It includes LOKIs signature-base in an encrypted form (no AV matches on clear-text signatures)
- It allows custom encrypted signatures
- It allows throttling by settings a maximum CPU usage
- Its written in Go (not Python)
Why do we share our scanner for free? What’s in for us?
- We want to provide the community with a flexible YARA and IOC scanner, which is a worthy successor to LOKI
- You start using our free scanner, see how it works and may be able to afford one of our enterprise-grade scanners
- All that we ask for is your email address in order to inform you about new developments
That’s it. No strings attached.
Not Included in the Free Version
THOR's Signature Set
The full THOR versions applies 1000+ Sigma rules on log data of the scanned end systems using the –sigma flag.
The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.
SHIM Cache Module
The SHIM Cache module analyses contents of the AppCompatCache on Windows systems, applies all filename IOCs, anomaly regex rules or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago.