20.1. THOR 10.7 (Techpreview)
20.1.1. THOR 10.7.9
Type | Description
---|---
Change | CPU limit now applies only to full system CPU usage, not only THOR (reverts a change made in 10.7.4)
Change | If THOR is cancelled by the Rescontrol feature, the information is now displayed as an Error instead of a Warning
Change | Standardized logging of matches on processes
Change | Update to Golang v1.20.6
Change | Update to YARA v4.3.2
Bugfix | Fixed an issue where simultaneous write access from another process to a file that THOR scanned could cause the THOR scan to fail
Bugfix | Fixed an issue where old Windows systems could incorrectly be displayed as unpatched
Bugfix | Fixed an issue where 'thor-util update' could remove the file type signatures
20.1.2. THOR 10.7.8
Type | Description
---|---
Feature | (via THOR Util) log conversion to CSV is now possible
Feature | New Artifact Collector module, which allows collection of forensic artifacts from the current system into a ZIP file
Feature | New '--print-signatures-json' flag for JSON output of current signatures
Feature | New '--init-selector' and '--init-filter' flags which allow the user to load only a subset of the normal signatures
Change | When using '--encrypt', log files are now encrypted as they are written during the THOR scan. This prevents temporary log files, but also makes generation of HTML reports afterwards impossible. Use THOR Util instead to generate HTML reports after decrypting the logs.
Change | Display matches on reverse lookup IP addresses in a better way
Change | Update to Golang v1.20.5
Change | Update to OpenSSL 3.0.9
Bugfix | Display error messages correctly in JSON logs
Bugfix | On Linux, don't skip directories with children where lstat() fails
20.1.3. THOR 10.7.7
Type | Description
---|---
Change | THOR Lite licenses with Sigma now also have the Eventlog and EVTX modules enabled
20.1.4. THOR 10.7.6
Type | Description
---|---
Feature | Add '--minimum-sigma-level' to specify which Sigma rules should trigger a finding. This defaults to high and is reduced to medium in intense mode, which is the current behaviour.
Feature | Add '--audit-trail' for detailed log output of THOR scan trails. This feature is experimental so far, and the output and output format may yet change.
Feature | Add '--background' to adjust THOR log level colors to specific backgrounds. Currently, optimized color sets for dark and light backgrounds are available.
Feature | Add '--jsonv2' which changes the JSON output to better reflect the structure of the log entry, with substructures now properly representing parts of the log entry. This also affects Thunderstorm responses when set.
Change | Increased default value for '--yara-stack-size' to 32768
Change | Standardized logging of filename IOC related reasons
Change | Update to Golang v1.20.2
Bugfix | Fix an issue where THOR scans failed due to a perceived symlink loop in the scan path
20.1.5. THOR 10.7.5
Type | Description
---|---
Feature | Add new ETL feature for parsing ETL files
Feature | Add '--vtkey', '--vtmode', and '--vtaccepteula' flags for integration of VirusTotal in THOR
Feature | Improve progress reports when scanning complex files
Feature | Support Sigma scans with THOR Lite for specific licenses
Change | Unify logging fields for many filename IOC, keyword IOC and YARA matches
Change | Unify logging fields for many messages in the NetworkShares module
Change | Update to Golang v1.19.5
Change | Upgrade PE-Sieve to v0.3.5
Change | '--print-signatures' now silences the normal initialization output
Change | Use mimalloc for YARA allocations on Linux and MacOS
Change | Scanning network paths now requires a Lab license
Bugfix | Reduce log level for corrupt /etc/passwd entries from Notice to Info
Bugfix | Identify packed samples correctly with '--customonly' set
20.1.6. THOR 10.7.4
Type | Description
---|---
Feature | New OLE feature for extraction of Office macros
Feature | ExeDecompress feature is now also supported on Linux
Feature | Added '--lowioprio' flag for lowered IO priority
Change | Update to Golang v1.19.2
Change | CPU limit now applies only to THOR's CPU usage, not the complete system
Change | Windows Access Groups (e.g. in file permissions) are now always displayed in English
Change | Modified the scoring formula to further reduce the impact of multiple subscores on the full score. As compensation, the default threshold for alerts has been reduced.
Bugfix | .lnk file processing with '--virtual-map' no longer causes link targets to be scanned without applying the virtual mapping
Bugfix | Access faults while reading memory mapped files no longer cause THOR to crash
Bugfix | Panics on opening an archive are now handled properly
20.1.7. THOR 10.7.3
Type | Description
---|---
Feature | Meta rule matches with 'FORCE' tag will now cause THOR to ignore the maximum file size for that file
Feature | Improved matching behaviour of YARA rules on bulks. Scans on bulks (but not scans on single bulk elements) will now use a different YARA ruleset where common false positive constructs (e.g. filesize) are removed.
Feature | Improved performance in cases where a rule or IOC matched on a bulk
Feature | Improved memory usage and performance of HTML report generation
Feature | THOR now issues a Notice or Warning for Office connection cache entries
Feature | THOR now scans archives (e.g. ZIP files) recursively. This changes how matches in subfiles of archives are reported.
Feature | Added '.cab' support in the 'Archive' feature
Feature | Added '.gz' support in the 'Archive' feature
Feature | Added '.7z' support in the 'Archive' feature
Feature | Added new 'EML' feature for scanning .eml files
Change | Increase amount of bytes scanned by meta rules to 2048
Change | THOR now prefers reading files via memory maps over using the file read API
Bugfix | Improved performance of Sigma rule loading
Bugfix | Fixed a bug where THOR scanned some files multiple times, possibly resulting in a loop
20.1.8. THOR 10.7.2
Type | Description
---|---
Feature | Process memory checks are now enabled on Linux and MacOS
Feature | Added a check on Linux for deleted executables
Feature | UTF-16 log files are now parsed correctly
Change | Upgrade YARA to v4.2.1
20.1.9. THOR 10.7.1
Type | Description
---|---
Feature | Sigma rules are now applied to running processes on the system
Feature | New command line option '--follow-symlinks' that causes the FileScan module to follow symlinks.
Feature | Checking e.g. log lines from a file with YARA will now set the THOR external variables like 'filepath' appropriately
Feature | THOR now shows module names where string matches were found if a YARA rule matches on process memory
Feature | THOR now shows a warning if low rlimits are detected
Change | THOR will now scan processes even in soft mode, with a maximum process size of 250MB.
Change | '--max_file_size_intense' is now deprecated. Instead, '--max_file_size' should be used.
Change | '--virtual-map' now supports mounts in subpaths on Windows, e.g. as '--virtual-map G:mount:C'
Change | Upgrade PE-Sieve to v0.3.3
Change | Filescan progress report for folders without subfolders was improved
20.1.10. THOR 10.7.0
Type | Description
---|---
Feature | Mark files with names close to common Windows executables as suspicious
Feature | Change how score is added to avoid cases where scores added up to absurd values
Feature | Support scanning alternate data streams with '--ads'
Feature | Check environment variables of processes
Change | THOR now terminates if a positional argument was specified since none are expected
Fix | Scan files written to the Dropzone only once the write is complete (or does not continue for at least 1 second)