Free IOC and YARA Scanner

Meet our fast and flexible multi-platform IOC and YARA scanner THOR in a community version named THOR Lite.

Meet our fast and flexible multi-platform IOC and YARA scanner THOR in a community version named THOR Lite.

THOR Lite includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms.

While our enterprise scanner THOR uses VALHALLA‘s big YARA rule base, the free THOR Lite version ships with the Open Source signature base.

It’s a free scanner for Windows, Linux and macOS, with an encrypted open source signature set, update utility to download new versions with signature updates, documentation and option to add your custom IOCs and signatures.


THOR Lite is a Go based scanner with improved performance.


We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit).


It is a limited version of our scanner THOR and offered for free.

What are the main differences to LOKI?

THOR Lite isn’t open source but precompiled for all major platforms.

It is faster.

It supports more output types: SYSLOG via udp/tcp, JSON via udp/tcp, SYSLOG format to file, JSON to file.

It includes LOKIs signature-base in an encrypted form (no AV matches on clear-text signatures).

It allows custom encrypted signatures.

It allows throttling by settings a maximum CPU usage.

It is written in Go (not Python).

It integrates other features and open source projects, like the “go-autoruns” module.

It gets tested in our internal CI pipelines.

Looking for a convinient way of using THOR Lite on multiple systems? Try our newest product THOR Cloud Lite! – Learn More

Not Included in the Free Version

Without THOR's Signature Set

THOR ships with VALHALLA’s big encrypted signature database of more than 30,000 YARA signatures and undisclosed IOC sets. These signatures includes web shell rules, anomaly rules, malware rules, hack tool and tool output rules, malicious script and macro rules, exploit code rules and rules for registry and log file matching.

No Sigma Scanning

The full THOR versions applies 3,000+ Sigma rules on log data of the scanned end systems using the --sigma flag.

No Registry Module

The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.

No Eventlog Module

(coming soon) The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.

No SHIM Cache Module

The SHIM Cache  module analyses contents of the AppCompatCache on Windows systems, applies all filename IOCs, anomaly regex rules or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago.

Other Missing Modules and Features

THOR Lite has many other modules and features that the full THOR version provides. You can find a full comparison here.

Licensing Differences

You can use THOR Lite for:

  • Scans on any local, state, federal or international government agency.
  • Educational and research purposes.
  • Internal company use.

You need THOR Enterprise for:

  • Use on third-party networks.
  • Use as part of a paid engagement.
GDPR Cookie Consent with Real Cookie Banner