Meet our fast and flexible multi-platform IOC and YARA scanner THOR in a community version named THOR Lite.
THOR Lite includes the file system and process scan modules as well as a module that extracts “autoruns” information on the different platforms.
While our enterprise scanner THOR uses VALHALLA’s big YARA rule base, the free THOR Lite version ships with the Open Source signature base.
It’s a free scanner for Windows, Linux and macOS, with an encrypted open source signature set, an update utility to download new versions with signature updates, documentation, and the option to add your custom IOCs and signatures.
Fast
THOR Lite is a Go based scanner with improved performance.
Multi-Platform
Free
What are the main differences to LOKI?
THOR Lite isn’t open source but precompiled for all major platforms.
It is faster.
It supports more output types: SYSLOG via UDP/TCP, JSON via UDP/TCP, SYSLOG format to file, JSON to file.
It includes LOKI’s signature-base in an encrypted form (no AV matches on clear-text signatures).
It allows custom encrypted signatures.
It allows throttling by setting a maximum CPU usage.
It is written in Go (not Python).
It integrates other features and open source projects, like the “go-autoruns” module.
It gets tested in our internal CI pipelines.
THOR Lite
Free Community Edition
- Windows, Linux, macOS
- No central management via ASGARD
- No technical support
- No legacy version for Windows XP, 2003, 2008
- 5 modules, e.g. no Sigma, no eventlog, no archive, no registry scanning (see full comparison)
- No special scan modes: dropzone, remote scanning
- Open source YARA rule set (4,000+ rules)
- Without Nextron’s private rule set (30,000+ rules)
- Without Nextron’s private IOC and pattern set (~10,000 file patterns, mutexes, named pipes etc.)
- Without Nextron’s private Sigma rule set
THOR
Full-Featured Scanner
- Windows, Linux, macOS
- Central management via ASGARD
- 5×8 technical support
- Legacy version for Windows XP, 2003, 2008
- All 31 detection modules (see full comparison)
- Special scan modes: dropzone, remote scanning, lab scan mode, web service mode (Thunderstorm)
- Open source YARA rule set (4,000+ rules)
- With Nextron’s private rule set (30,000+ rules)
- With Nextron’s private IOC and pattern set (~10,000 file patterns, mutexes, named pipes etc.)
- With Nextron’s private Sigma rule set
Not Included in the Free Version
Without THOR's Signature Set
No Sigma Scanning
The full THOR version applies 3,000+ Sigma rules to log data of the scanned end systems using the --sigma flag.
No Registry Module
No Eventlog Module
No SHIM Cache Module
Other Missing Modules and Features
Licensing Differences
You can use THOR Lite for:
- Use on any local, state, federal or international government agency.
- Educational and research purposes.
- Internal company use.
You need THOR Enterprise for:
- Use on third-party networks.
- Use as part of a paid engagement.