9. Configuration

9.1. Scan Templates

THOR 10 accepts config files (called "templates") in YAML format. A template can set every command line option, so scan profiles can be stored and reused instead of being retyped on every run.

This means that every parameter set via command line can be provided in the form of a config file. You can even combine several of these config files in a single scan run.

9.1.1. Default Template

By default, THOR only applies the file named thor.yml in the ./config sub folder. Other config files can be applied using the -t command line parameter.

9.1.2. Apply Custom Scan Templates

The following command line provides a custom scan template named mythor.yml.

thor.exe -t mythor.yml

9.1.3. Example Templates

The default config thor.yml in the ./config folder has the following content.

Content of THOR's Default Config 'thor.yml':

# This is the default config for THOR
# Terminate THOR if it runs longer than 72 hours
max_runtime: 72
# Minimum score to report is 40
min: 40
# Skip files bigger than 12000000 bytes
max_file_size: 12000000
# Skip files bigger than 30000000 bytes in intense mode (--fsonly, --intense)
max_file_size_intense: 30000000
# Limit THOR's CPU usage to 95%
cpulimit: 95
# The minimum amount of free physical memory to proceed (in MB)
minmem: 50
# Truncate THOR's field values after 2048 characters
truncate: 2048

Content of Config File 'mythor.yml':

resume: true
cpulimit: 40
intense: true
max_file_size: 7500000
syslog:
   - foo.nextron
   - bar.nextron:514:TCP

The default scan template is always applied first. Custom templates can then overwrite settings in the default template. In the example above, the cpulimit and max_file_size parameters are overwritten by the custom template.

As the example file shows, template files must use the long form of a command line parameter (e.g. syslog), not the short form (e.g. s). The long forms are listed in the command line help (--help).
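To make the precedence rule tangible, the following added example (written for this page, not THOR's own loader, which uses a full YAML parser) parses the two templates shown above with a small parser for the flat "key: value" and "- item" subset they use, then merges them in the order THOR applies them, default first. It reports which keys the custom template overrode. The sample texts are copies of the templates above; the handling of "#" comments and the assumption that a later list replaces an earlier one entirely are simplifications made here.

```python
# Constructed copies of the two templates from the manual.
THOR_YML = """
# This is the default config for THOR
max_runtime: 72
min: 40
max_file_size: 12000000
max_file_size_intense: 30000000
cpulimit: 95
minmem: 50
truncate: 2048
"""

MYTHOR_YML = """
resume: true
cpulimit: 40
intense: true
max_file_size: 7500000
syslog:
   - foo.nextron
   - bar.nextron:514:TCP
"""


def _scalar(text):
    """Convert the scalar forms the manual's templates use: booleans, integers, else string."""
    t = text.strip()
    if t in ("true", "false"):
        return t == "true"
    try:
        return int(t)
    except ValueError:
        return t


def parse_template(text):
    """Parse the 'key: value' / 'key:' + '- item' subset of YAML used by these templates.
    Deliberately not a general YAML parser; '#' starts a comment anywhere (simplification)."""
    config = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("- ") and current_list is not None:
            config[current_list].append(_scalar(stripped[2:]))
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        key = key.strip()
        if value.strip():
            config[key] = _scalar(value)
            current_list = None
        else:
            config[key] = []          # a list follows on the next lines
            current_list = key
    return config


def merge_templates(*texts):
    """Apply templates in the given order; a later template overwrites keys set earlier.
    Returns (merged_config, set_of_overridden_keys)."""
    merged, overridden = {}, set()
    for text in texts:
        for key, value in parse_template(text).items():
            if key in merged and merged[key] != value:
                overridden.add(key)
            merged[key] = value
    return merged, overridden


if __name__ == "__main__":
    merged, overridden = merge_templates(THOR_YML, MYTHOR_YML)
    for key in sorted(merged):
        mark = "  (overridden by mythor.yml)" if key in overridden else ""
        print(f"{key}: {merged[key]}{mark}")
```

Running it shows cpulimit and max_file_size carrying the custom values while min, minmem and the other defaults survive untouched; swapping the argument order would let the default template win, which is why THOR applies thor.yml first.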

Figure: Lookup of command line parameter long forms using --help

9.2. Maximum File Size

The maximum file size for deeper investigations (hash calculation and YARA scanning) is set by max_file_size in ./config/thor.yml; the limit used in the "intense" scan mode (--intense, --fsonly) is set by max_file_size_intense. In the default thor.yml shown in 9.1.3 these are 12000000 bytes (12 MB) and 30000000 bytes (30 MB). Files above the applicable limit are skipped by these deeper checks.

You can adjust the values in "./config/thor.yml". This file does not get overwritten by an update or upgrade.

Special scan features like the EVTX or Memory Dump scan ignore these limits.

9.2.1. Chunk Size in DeepDive

The chunk size used by the DeepDive module is the configured maximum file size. DeepDive scans a file in overlapping chunks of that size, each chunk starting half a chunk size after the previous one, so that a pattern shorter than half a chunk can never be split across two chunks.

Example: with the maximum file size at the default of 12 MB, DeepDive applies the YARA rule set to the following chunks:

Chunk 1: offset 0 MB to 12 MB
Chunk 2: offset 6 MB to 18 MB
Chunk 3: offset 12 MB to 24 MB
Chunk 4: offset 18 MB to 30 MB
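The following added example (not THOR code) computes the chunk boundaries for a given file and chunk size in the manual's MB units and checks which byte regions such a scheme guarantees to present to YARA in one piece. The rule that no further chunk is produced once one reaches the end of the file is an assumption; the manual only shows the pattern.

```python
def deepdive_chunks(file_size, chunk_size):
    """Return the (start, end) chunk boundaries for DeepDive-style scanning, in the unit
    of the inputs (MB in the manual's example).

    Chunk length is the configured maximum file size; each chunk starts half a chunk
    after the previous one, so neighbouring chunks overlap by 50%. Stop rule (an
    assumption): once a chunk reaches the end of the file, no further chunk is produced.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    step = max(1, chunk_size // 2)
    chunks, start = [], 0
    while True:
        end = min(start + chunk_size, file_size)
        chunks.append((start, end))
        if end >= file_size:
            return chunks
        start += step


def is_covered(region_start, region_len, chunks):
    """True if the region [region_start, region_start + region_len) lies entirely inside
    at least one chunk, i.e. a YARA rule matching exactly that region would see it whole."""
    region_end = region_start + region_len
    return any(s <= region_start and region_end <= e for s, e in chunks)


def guaranteed_match_length(chunk_size):
    """Any region up to this length (half a chunk) is covered wherever it starts; a longer
    one can straddle a boundary so that no single chunk contains all of it."""
    return chunk_size // 2


if __name__ == "__main__":
    chunks = deepdive_chunks(30, 12)          # a 30 MB file with the 12 MB default
    for i, (s, e) in enumerate(chunks, 1):
        print(f"Chunk {i}: offset {s} MB to {e} MB")
    print("6 MB region at offset 5 covered:", is_covered(5, 6, chunks))
    print("8 MB region at offset 5 covered:", is_covered(5, 8, chunks))
```

The practical reading of the last two lines: a YARA rule whose full match would span more than half of max_file_size can miss in DeepDive depending on where the data sits, so raise max_file_size rather than expecting the overlap to absorb arbitrarily long matches.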

9.3. Exclude Elements

9.3.1. Files and Directories

Use the file "directory-excludes.cfg" to exclude directories and, despite the file's name, also individual files from the scan.

THOR will not scan the contents of excluded directories, but it still performs some basic checks on the file names in them. This config is meant to avoid scanning sensitive files like databases or directories with a lot of content. To suppress false positives that are generated in these directories instead, see the following chapter on "false_positive_filters.cfg".

The exclusion file contains regular expressions that are applied to each scanned element. An element is the full path including the file name (e.g. C:\IBM\temp_tools\custom.exe). If any of the defined expressions matches, the element is excluded. The match is not anchored: an expression may match the whole element name, its beginning, its end, or anywhere in between; use ^ and $ to anchor it where that matters.

As the configured exclusions are treated as regular expressions, special characters must be escaped with a backslash. This applies at least to: []\^$.|?*+()-

Element to exclude                                         Possible solution
C:\IBM\temp_tools\custom.exe                               C:\\IBM\\temp_tools\\
Log folder of the tool "hpsm", regardless of the partition \\HPSM\\log\\
Every file with the extension .nsf                         \.nsf$
THOR custom signatures                                     \\THOR\\custom\-signatures\\

9.3.2. Eventlogs

Eventlog sources can be excluded as a whole in "eventlog-excludes.cfg". The file holds one expression per line and applies each as a regular expression to the name of the Eventlog channel (e.g. "Microsoft-Windows-Windows Defender/Operational"). As with the other exclusion files, the match is not anchored, so a substring of the channel name is enough.

Element to exclude                                Possible solution
Windows PowerShell                                Windows PowerShell
Microsoft-Windows-Windows Defender/Operational    Windows Defender

9.3.3. Registry

Registry paths/keys can be excluded in "registry-excludes.cfg". The file holds one expression per line and applies each as a regular expression to every registry key path (e.g. "Software\\WOW6432Node"). Do not include the root of the key (the hive, e.g. HKLM or HKEY_LOCAL_MACHINE). As in the other exclusion files, backslashes and other regex metacharacters must be escaped.

Element to Exclude                                                                                   Exclude Definition
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions          Symantec Endpoint Protection\\AV\\Exclusions

9.3.4. False Positives

The false positive filters work like the directory/file excludes: each line of "false_positive_filters.cfg" is a regular expression, applied to the full content of the "MESSAGE:" value.

E.g. to suppress all messages that contain the string "Trojan_Buzus_dev", add that string as a line to "false_positive_filters.cfg". Since the lines are regular expressions, you can also define something like "chinese_(charcode|keyboard)".
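All four filter files in this chapter share one mechanism: one regular expression per line, matched unanchored against an element (a file path, an Eventlog channel name, a registry key path without the hive, or a MESSAGE value). The following added example, written for this page and not part of THOR, loads sample copies of those files, reports lines that do not compile, and shows which elements each pattern catches, including the escaping pitfalls from the table above. It uses Python's re module, which is close to but not identical with THOR's own engine; the comment handling and the sample file contents are constructed here.

```python
import re

# Constructed sample contents of THOR's four filter files. The patterns come from the
# manual's tables; the '#' comment lines are added for the reader (whether THOR itself
# skips '#' lines is an assumption made here).
DIRECTORY_EXCLUDES = r"""
# whole directory, whatever file is inside it
C:\\IBM\\temp_tools\\
# "hpsm" log folder on any partition
\\HPSM\\log\\
# every file with the extension .nsf; $ anchors the match at the end
\.nsf$
\\THOR\\custom\-signatures\\
"""
EVENTLOG_EXCLUDES = "Windows PowerShell\nWindows Defender\n"
# registry key paths are matched without the hive (no HKLM / HKEY_LOCAL_MACHINE prefix)
REGISTRY_EXCLUDES = r"Symantec Endpoint Protection\\AV\\Exclusions" + "\n"
FALSE_POSITIVE_FILTERS = "Trojan_Buzus_dev\nchinese_(charcode|keyboard)\n"


def _lines(text):
    """Yield (line_no, pattern) for non-empty, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def check_patterns(text):
    """Compile every line; return (line_no, pattern, error) for each one that fails."""
    errors = []
    for n, line in _lines(text):
        try:
            re.compile(line)
        except re.error as exc:
            errors.append((n, line, str(exc)))
    return errors


def load_patterns(text):
    return [re.compile(line) for _, line in _lines(text)]


def is_excluded(element, patterns):
    """Return the pattern that excludes `element`, or None. search() is unanchored, so a
    pattern may hit at the start, the end or anywhere inside the element."""
    for p in patterns:
        if p.search(element):
            return p.pattern
    return None


if __name__ == "__main__":
    dirs = load_patterns(DIRECTORY_EXCLUDES)
    for path in (r"C:\IBM\temp_tools\custom.exe", r"D:\Apps\HPSM\log\2024.log",
                 r"C:\Lotus\mail.nsf", r"C:\Lotus\mail.nsf.bak"):
        print(path, "->", is_excluded(path, dirs))
    # Escaping pitfalls: '.' and '(' are metacharacters.
    print(is_excluded(r"C:\Temp\nsf_tool.exe", load_patterns(".nsf")))               # hit by accident
    print(is_excluded(r"C:\Temp (old)\x.txt", load_patterns(r"C:\\Temp (old)\\")))   # None: (old) is a group
    print(is_excluded(r"C:\Temp (old)\x.txt", load_patterns(r"C:\\Temp \(old\)\\"))) # escaped: hit
    print(check_patterns(r"C:\Program Files\Foo"))                                    # \P is not an escape
```

Run check_patterns over each file before a production scan; an expression that does not compile, or one whose unescaped parentheses silently turn into a group, is the usual reason an exclusion "does not work".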

9.3.5. Filter Verification

If you are unsure about the filters you just set, we recommend a test run on a certain directory that matches the criteria.

You can start a short test run on a certain directory with:

thor.exe -a FileScan --intense -p C:\TestDir

9.3.6. Personal Information

THOR features an option named --brd that filters the output messages and replaces all known locations and fields that can contain user names or user IDs with the value "ANONYMIZED_BY_THOR".

What it does is:

  • Replace all "USER" and "OWNER" field values of all modules with the anonymized string value

  • Replace the subfolder names of "C:\Users" and "C:\Documents and Settings" with the anonymized string value

There is no guarantee that all user IDs will be removed by the filter, as they may appear in unexpected locations (e.g. inside a command line or a file name), but in most cases this approach is sufficient to comply with data protection requirements.
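To see both the effect and the limit of this kind of filtering, the following added example (written for this page, not THOR's implementation of --brd) applies the two substitutions listed above to constructed log lines and then checks whether a known user name still appears anywhere. The "KEY: value" field layout of the sample lines is an assumption chosen to make the substitutions visible, not a statement about THOR's log format.

```python
import re

ANON = "ANONYMIZED_BY_THOR"

# Constructed sample log lines (field layout is an assumption made for this example).
SAMPLE_FILESCAN = (
    r"MODULE: Filescan MESSAGE: Suspicious file found "
    r"FILE: C:\Users\jdoe\AppData\Local\Temp\x.exe OWNER: CORP\jdoe USER: jdoe SCORE: 70"
)
SAMPLE_PROCESS = (
    r"MODULE: ProcessCheck MESSAGE: Suspicious process "
    r"COMMAND: powershell -c iwr http://example.invalid/jdoe.ps1 USER: jdoe"
)

# Rule 1: the value of every "USER:" and "OWNER:" field (value runs up to the next blank).
_FIELD = re.compile(r"\b(USER|OWNER): (\S+)")
# Rule 2: the first path component below C:\Users and C:\Documents and Settings.
_PROFILE = re.compile(r"(?i)((?:C:\\Users|C:\\Documents and Settings)\\)([^\\\s]+)")


def anonymize(line):
    """Apply the two --brd style substitutions to one output line."""
    line = _FIELD.sub(lambda m: m.group(1) + ": " + ANON, line)
    return _PROFILE.sub(lambda m: m.group(1) + ANON, line)


def leaked_identifiers(line, identifiers):
    """Identifiers that survive anonymization because they sit outside the known fields."""
    out = anonymize(line).lower()
    return [i for i in identifiers if i.lower() in out]


if __name__ == "__main__":
    for line in (SAMPLE_FILESCAN, SAMPLE_PROCESS):
        print(anonymize(line))
        print("  still present:", leaked_identifiers(line, ["jdoe"]))
```

The second sample is the caveat from the text made concrete: the USER field is anonymized, but the same user name embedded in a URL inside the command line is untouched, so a data protection review of THOR output should grep the result for known identifiers rather than rely on the option alone.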