18. Known Issues

18.1. THOR#003: No rules with DEEPSCAN tag found

Introduced Version: N/A
Fixed Version: N/A

This error is caused by a missing signature set. It usually happens when only the THOR executable was copied instead of the whole program folder, which includes the ./signatures folder. The error message means that none of THOR's own signatures could be found, including the so-called DEEPSCAN signatures. Without them, THOR has very limited scan capabilities.

You can see that this is the case by inspecting your scan results:

THOR: Warning: MODULE: Init MESSAGE: No rules with DEEPSCAN tag found.
    THOR won't scan any files with YARA rules. Please ensure that you use
    up-to-date signatures. SCANID: S-Qpw5dDmEBaw
THOR: Info: MODULE: Init MESSAGE: Successfully compiled 0 custom default
    YARA rules SCANID: S-Qpw5dDmEBaw TYPE: YARA

You can also see during THOR's initialization that no YARA rules are compiled:

C:\nextron\thor>thor64.exe
[...]

> Reading YARA signatures and IOC files ...
Info Successfully compiled 0 default YARA rules TYPE: YARA
Info Successfully compiled 0 log YARA rules TYPE: YARA
Info Successfully compiled 0 registry YARA rules TYPE: YARA
Info Successfully compiled 0 keyword YARA rules TYPE: YARA
Info Successfully compiled 0 process YARA rules TYPE: YARA
Info Successfully compiled 0 meta YARA rules TYPE: YARA
Warning No rules with DEEPSCAN tag found. THOR won't scan any files with YARA rules.
    Please ensure that you use up-to-date signatures.
Info Successfully compiled 0 custom default YARA rules TYPE: YARA
Info Skip sigma initialization, use '--sigma' flag to scan with sigma
Info Successfully compiled 0 STIXv2 indicators (skipped 0 indicators) TYPE: STIX
Info Successfully compiled 0 keyword ioc strings TYPE: IOC
Info Successfully compiled 0 filename ioc strings and 0 filename ioc regexs TYPE: IOC
Info Successfully compiled 0 malware and 0 false positive hashes TYPE: IOC
Info Successfully compiled 0 file type signatures TYPE: IOC
Info Successfully compiled 0 malware domains TYPE: IOC
Info Successfully compiled 0 malicious handles and 0 regex malicious handles TYPE: IOC
Info Successfully compiled 0 named pipe ioc strings and 0 named pipe ioc regexs TYPE: IOC
Warning No file type signatures compiled, file type detection can't be done.
    Because of this, many files won't be scanned.

[...]

18.1.1. THOR#003: Solution

Make sure that you have the ./signatures folder in your THOR program folder and that it contains at least the following files:

  • ./signatures/yara/thor-all.yas

  • ./signatures/yara/thor-deepscan-selectors.yasx

  • ./signatures/yara/thor-expensive.yase

  • ./signatures/yara/thor-keywords.yas

  • ./signatures/yara/thor-log-sigs.yas

  • ./signatures/yara/thor-meta.yas

  • ./signatures/yara/thor-process-memory-sigs.yas

  • ./signatures/yara/thor-registry.yas
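
The two checks described above, as an added example that is not part of the THOR documentation or product: a pre-flight check for the listed signature files, and a log triage that flags scans which ran without built-in YARA rules. The function names, the sample log and the decision to ignore "custom" rule sets are assumptions made for this example.

```python
import re
from pathlib import Path

# Required files, as listed in the solution above.
REQUIRED = [
    "thor-all.yas", "thor-deepscan-selectors.yasx", "thor-expensive.yase",
    "thor-keywords.yas", "thor-log-sigs.yas", "thor-meta.yas",
    "thor-process-memory-sigs.yas", "thor-registry.yas",
]
COMPILED = re.compile(r"Successfully compiled (\d+) (.+?) YARA rules")
DEEPSCAN_WARNING = "No rules with DEEPSCAN tag found"

# Constructed sample: init lines in the format shown in the output above.
SAMPLE_LOG = """\
Info Successfully compiled 0 default YARA rules TYPE: YARA
Info Successfully compiled 0 log YARA rules TYPE: YARA
Warning No rules with DEEPSCAN tag found. THOR won't scan any files with YARA rules.
Info Successfully compiled 0 custom default YARA rules TYPE: YARA
""".splitlines()


def missing_signature_files(thor_dir):
    """Pre-flight check: required files absent from <thor_dir>/signatures/yara."""
    yara_dir = Path(thor_dir) / "signatures" / "yara"
    return [name for name in REQUIRED if not (yara_dir / name).is_file()]


def triage_scan_log(lines):
    """Post-scan check: return (deepscan_warning_seen, empty_builtin_rule_sets)."""
    warned, empty = False, []
    for line in lines:
        if DEEPSCAN_WARNING in line:
            warned = True
        m = COMPILED.search(line)
        # Assumption: "custom" sets hold user-supplied rules, so a count of 0
        # there is not treated as a sign of a missing signature folder.
        if m and int(m.group(1)) == 0 and not m.group(2).startswith("custom"):
            empty.append(m.group(2))
    return warned, empty


if __name__ == "__main__":
    import sys
    thor_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    print("missing signature files:", missing_signature_files(thor_dir))
    print("sample log triage:", triage_scan_log(SAMPLE_LOG))
```

A scan whose log triggers the warning should be treated as not performed rather than as clean, and repeated after the signature folder is restored.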

18.2. THOR#002: THOR in Lab-Mode does not scan network or external drives

Introduced Version: N/A
Fixed Version: >=10.6.16, >=10.7.3

When you run a command like thor64.exe --lab -p Z:\myshare, THOR will not currently scan the path. Normally, the --alldrives flag should be implicitly activated in Lab-mode.

Note

The --alldrives flag is only available with a lab license.

18.2.1. THOR#002: Workaround

You have to add the --alldrives flag yourself, e.g.:

C:\thor>thor64.exe --lab -p Z:\myshare --alldrives

18.3. THOR#001: Could not parse sigma logsources

Introduced Version: N/A
Fixed Version: N/A

Error could not parse sigma log sources
FILE: config\sigma.yml ERROR: no logsources element found

The issue occurs only for very old THOR installations that at one time had the template file config\tmpl-sigma.yml named config\sigma.yml.

18.3.1. THOR#001: Workaround

The error can be ignored and the THOR scan will run as expected. To prevent the error message from showing, remove config\sigma.yml or use a newly downloaded THOR package.