6. Scan Modes
You can select between 6 different scan modes in THOR:
- DefaultWe recommend using the default scan mode for all sweeping activity. Scans take from 1 to 6 hours depending on the partition size and number of interesting files.In default mode, THOR automatically choses "Soft" mode if the system has only limited CPU and RAM resources.There's a special "Lab Scanning" (--lab) method described in section 9.1 that disables many limitations and allows to scan mounted images in a Lab scenario, even with multiple THOR instances on a single Workstation.
- Quick (--quick)This mode is the fastest one and oriented on the "Pareto Principle", covering 80% of the modules and check in 20% of the normal scan time. In "quick" mode, THOR skips elements that have not been created or modified within the last 2 days in the "Eventlog", “Registry” and "Filescan" modules. A set of 40+ directories will still be checked completely (e.g. AppData, Recycler, System32). "Quick" mode is known to be the "preventive" scan mode – less intense and very fast.
Themed scan modes:
- Soft (--soft / force disable with --nosoft)This mode disables all modules and checks that could be risky for system stability.It is automatically activated on (more details in chapter Automatic Soft Mode):- Systems with only a single CPU core- Systems with less than 1024 MB of RAM
- Lab Scan (--lab)This mode scans only the file system and disables all other modules. (see Special Scan Modes for more details and flags used in this scan mode)Example: ./thor64 --lab -p /mnt/image_c/
- Intense (--intense)This mode is meant for system scanning in a non-productive or lab environment. It disables several speed optimizations and enables time-consuming extra checks for best detection results.
- Difference (--diff)The Diff Mode looks for a last scan and last finished modules in the local THOR DB and scans only elements on disk that have been changed or created since the last scan start. This mode applies short-cuts to the “Filesystem”, “Eventlog” and “Registry” modules. Diff scans are typically the shortest scans but require a completed previous scan. This scan mode is also susceptible to the so-called “Timestomping”.
These scan modes can also be combined, e.g. for --soft --diff, though not all combinations may make sense (e.g. --soft --intense).
The following tables give an overview on the active modules and features in the different scan modes. The ‘modules’ section lists all available modules, whereas the ‘features’ section lists only features that are handled differently in the different scan modes.
6.1. Modules
6.1.1. OS Module Overview
Module |
Windows |
Linux |
MacOS |
|---|---|---|---|
File System Scan |
Supported |
Supported |
Supported |
Registry Scan |
Supported |
Not Supported |
Not Supported |
SHIM Cache Scan |
Supported |
Not Supported |
Not Supported |
Mutex Check |
Supported |
Not Supported |
Not Supported |
Named Pipes Check |
Supported |
Not Supported |
Not Supported |
DNS Cache Check |
Supported |
Supported |
Supported |
Hotfix Check |
Supported |
Not Supported |
Not Supported |
Hosts File Check |
Supported |
Supported |
Supported |
Firewall Config Check |
Supported |
Supported |
Not Supported |
Network Share Check |
Supported |
Not Supported |
Not Supported |
Logged In Check |
Supported |
Supported |
Supported |
Process Check |
Supported |
Supported 1 |
Supported 1 |
Service Check |
Supported |
Supported |
Not Supported |
Autoruns Check |
Supported |
Supported |
Supported |
Rootkit Check |
Supported |
Supported |
Not Supported |
LSA Sessions Analysis |
Supported |
Not Supported |
Not Supported |
User Account Check |
Supported |
Supported |
Supported |
User Profile Check |
Supported |
Supported |
Supported |
Network Sessions Check |
Supported |
Not Supported |
Not Supported |
Scheduled Tasks Analysis |
Supported |
Not Supported |
Not Supported |
WMI Startup Check |
Supported |
Not Supported |
Not Supported |
At Entries Check |
Supported |
Not Supported |
Not Supported |
MFT Analysis |
Supported |
Not Supported |
Not Supported |
Eventlog Analysis |
Supported |
Not Supported |
Not Supported |
KnowledgeDB Check |
Not Supported |
Not Supported |
Supported |
Environment Variables Check |
Supported |
Supported |
Supported |
Crontab Check |
Not Supported |
Supported |
Not Supported |
Integrity Check |
Not Supported |
Supported |
Not Supported |
Event Check |
Supported |
Not Supported |
Not Supported |
ETW Watcher |
Supported |
Not Supported |
Not Supported |
6.1.2. Scan Mode Overview
Module |
Normal |
Quick |
Soft |
Intense |
|---|---|---|---|---|
File System Scan |
Reduced |
|||
Registry Scan |
||||
SHIM Cache Scan |
||||
Mutex Check |
Disabled |
|||
Named Pipes Check |
||||
DNS Cache Check |
||||
Hotfix Check |
Disabled |
|||
Hosts File Check |
Disabled |
|||
Firewall Config Check |
Disabled |
Disabled |
||
Network Share Check |
Disabled |
|||
Logged In Check |
Enabled 2 |
Disabled |
||
Process Check |
Reduced 3 |
|||
Service Check |
||||
Autoruns Check |
||||
Rootkit Check |
||||
LSA Sessions Analysis |
Disabled |
|||
User Account Check |
Enabled 2 |
|||
User Profile Check |
Enabled 2 |
Disabled |
||
Network Sessions Check |
Enabled 2 |
Disabled |
||
Scheduled Tasks Analysis |
||||
WMI Startup Check |
||||
At Entries Check |
||||
MFT Analysis |
Disabled |
Disabled |
Disabled |
Enabled |
Eventlog Analysis |
Disabled |
|||
KnowledgeDB Check |
||||
Environment Variables Check |
||||
Crontab Check |
||||
Integrity Check |
||||
Event Check |
||||
ETW Watcher |
6.2. Features
6.2.1. Feature Scan Mode Overview
Feature |
Normal |
Quick |
Soft |
Intense |
|---|---|---|---|---|
Sigma Scan |
Disabled |
Disabled |
Disabled |
Enabled |
EXE Decompression |
Enabled 5 |
Enabled |
Disabled |
Enabled |
Archive Scan |
Enabled |
Enabled |
Enabled |
Enabled |
Double Pulsar Check |
Enabled 5 |
Enabled |
Disabled |
Enabled |
Groups XML Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
Vulnerability Check |
Enabled |
Enabled |
Enabled |
Enabled |
Web Server Dir Scan |
Enabled |
Disabled |
Enabled |
Enabled |
WMI Persistence |
Enabled |
Enabled |
Enabled |
Enabled |
Registry Hive Scan |
Enabled 4 |
Enabled |
Enabled |
Enabled |
AmCache Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
Process Handle Check |
Enabled |
Enabled |
Enabled |
Enabled |
Process Connections Check |
Enabled |
Enabled |
Enabled |
Enabled |
Windows Error Report (WER) |
Enabled |
Enabled |
Enabled |
Enabled |
Windows At Job File Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
EVTX File Scanning |
Enabled |
Disabled |
Enabled |
Enabled |
Prefetch Library Scanning |
Enabled |
Enabled |
Enabled |
Enabled |
Memory Dump DeepDive |
Disabled |
Disabled |
Disabled |
Enabled |
Text Log File Scanning |
Enabled |
Disabled |
Enabled |
Enabled |
Shellbag Entry Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
Authorized Key File Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
Bifrost File Upload |
Enabled |
Enabled |
Enabled |
Enabled |
Malicious Domain Check |
Enabled |
Enabled |
Enabled |
Enabled |
File Scan |
Enabled |
Enabled |
Enabled |
Enabled |
Cobalt Strike Beacon Parsing |
Enabled |
Enabled |
Enabled |
Enabled |
Process Integrity Check |
Disabled |
Disabled |
Disabled |
Enabled 5 |
SHIM Cache Analysis |
Enabled |
Enabled |
Enabled |
Enabled |
6.2.2. Feature caller list
The following table gives an overview of THOR's features and how they are called by the different modules and other features.
Feature |
Callers |
|---|---|
Sigma Scan |
Eventlog, Log file scanning |
EXE Decompression |
File Scan |
Archive Scan |
File Scan |
Double Pulsar Check |
Rootkit Check |
Groups XML Analysis |
File Scan |
Vulnerability Check |
File Scan |
Web Server Dir Scan |
Process Check |
WMI Persistence |
File Scan |
Registry Hive Scan |
File Scan |
AmCache Analysis |
File Scan |
Process Handle Check |
Process Check |
Process Memory Check |
Process Check |
Process Connections Check |
Process Check |
Windows Error Report (WER) |
File Scan |
Windows At Job File Analysis |
File Scan |
EVTX File Scanning |
File Scan |
Prefetch Library Scanning |
File Scan |
Memory Dump DeepDive |
File Scan |
Text Log File Scanning |
File Scan |
Shellbag Entry Analysis |
Registry Hive Scan |
Authorized Key File Analysis |
File Scan |
Bifrost File Upload |
File Scan |
Malicious Domain Check |
File Scan |
File Scan |
Most modules and features |
Cobalt Strike Beacon Parsing |
File Scan, Process Check |
Process Integrity Check |
Process Check |
SHIM Cache Analysis |
SHIM Cache Scan, Registry Hive |