6. Scan Modes
You can select between six different scan modes in THOR:
Default
We recommend using the default scan mode for all sweeping activities. Scans take from one to six hours, depending on the partition size and number of interesting files.
In default mode, THOR automatically chooses the "Soft" mode if the system has only limited CPU and RAM resources.
There's a special "Lab Scanning" (--lab) method described in section Lab Scanning, which disables many limitations and allows scanning mounted images in a lab scenario, even with multiple THOR instances on a single workstation.
Note
"Lab Scanning" requires a special forensic license.
Quick
--quick
This mode is the fastest one and follows the "Pareto principle", covering 80% of the modules and checks in 20% of the normal scan time. In "quick" mode, THOR skips elements that have not been created or modified within the last 2 days in the "Eventlog", "Registry" and "Filescan" modules. A set of 40+ predefined directories will still be checked completely (e.g. AppData, Recycler, System32). "Quick" mode is known as the "preventive" scan mode – less intense and very fast.
Themed scan modes:
Soft
--soft (force disable with --nosoft)
This mode disables all modules and checks that could be risky for system stability. It is automatically activated on the following systems (more details in chapter Automatic Soft Mode):
Systems with only a single CPU core
Systems with less than 1024 MB of RAM
Lab Scan
--lab
This mode scans only the file system and disables all other modules (see Lab Scanning for more details and the flags used in this scan mode).
Example:
user@unix:~/thor$ ./thor64 --lab -p /mnt/image_c/
Intense
--intense
This mode is meant for system scanning in a non-productive or lab environment. It disables several speed optimizations and enables time-consuming extra checks for best detection results. Be careful with this mode on database servers, as the high load it puts on the server could corrupt your database. Snapshots/backups are advised before using this mode.
Difference
--diff
The Diff Mode looks up the last scan and the last finished modules in the local THOR DB and scans only elements on disk that have been changed or created since the last scan start. This mode applies shortcuts to the "Filesystem", "Eventlog" and "Registry" modules. Diff scans are typically the shortest scans but require a completed previous scan. Because the selection relies on file timestamps, this scan mode is also susceptible to so-called "timestomping" (manipulated timestamps).
These scan modes can also be combined, e.g. --soft --diff, though not all combinations make sense, e.g. --soft --intense.
The following tables give an overview of the active modules and features in the different scan modes. The Modules section lists all available modules, whereas the Features section lists only features that are handled differently in the different scan modes.
6.1. Modules
Modules are standalone jobs which THOR executes one after the other. Each module performs one job: for example, the File System Scan module scans your file system, and the User Account Check scans your system for user accounts. Modules can invoke one or multiple Features, which are explained further down in this section.
6.1.1. OS Module Overview
| Module | Windows | Linux | MacOS |
|---|---|---|---|
| File System Scan | Supported | Supported | Supported |
| Registry Scan | Supported | Not Supported | Not Supported |
| SHIM Cache Scan | Supported | Not Supported | Not Supported |
| Mutex Check | Supported | Not Supported | Not Supported |
| Named Pipes Check | Supported | Not Supported | Not Supported |
| DNS Cache Check | Supported | Supported | Supported |
| Hotfix Check | Supported | Not Supported | Not Supported |
| Hosts File Check | Supported | Supported | Supported |
| Firewall Config Check | Supported | Supported | Not Supported |
| Network Share Check | Supported | Not Supported | Not Supported |
| Logged In Check | Supported | Supported | Supported |
| Process Check | Supported | Supported [1] | Supported [1] |
| Service Check | Supported | Supported | Not Supported |
| Autoruns Check | Supported | Supported | Supported |
| Rootkit Check | Supported | Supported | Not Supported |
| LSA Sessions Analysis | Supported | Not Supported | Not Supported |
| User Account Check | Supported | Supported | Supported |
| User Profile Check | Supported | Supported | Supported |
| Network Sessions Check | Supported | Not Supported | Not Supported |
| Scheduled Tasks Analysis | Supported | Not Supported | Not Supported |
| WMI Startup Check | Supported | Not Supported | Not Supported |
| At Entries Check | Supported | Not Supported | Not Supported |
| MFT Analysis | Supported | Not Supported | Not Supported |
| Eventlog Analysis | Supported | Not Supported | Not Supported |
| KnowledgeDB Check | Not Supported | Not Supported | Supported |
| Environment Variables Check | Supported | Supported | Supported |
| Crontab Check | Not Supported | Supported | Not Supported |
| Integrity Check | Not Supported | Supported | Not Supported |
| Event Check | Supported | Not Supported | Not Supported |
| ETW Watcher | Supported | Not Supported | Not Supported |
| Antivirus | Supported | Not Supported | Not Supported |
Hint
For a list of module names and how to turn them off, please see Scan Module Names.
6.1.2. Scan Mode Overview
The table below shows which modules are active in the different scan modes. For OS compatibility, see OS Module Overview.
Normal: THOR without any flags regarding modules or features
Quick: THOR scan with the --quick flag
Soft: THOR scan with the --soft flag
Intense: THOR scan with the --intense flag
| Module | Normal | Quick | Soft | Intense |
|---|---|---|---|---|
| At Entries Check | Enabled | Enabled | Enabled | Enabled |
| Autoruns Check | Enabled | Enabled | Enabled | Enabled |
| Crontab Check | Enabled | Enabled | Enabled | Enabled |
| DNS Cache Check | Enabled | Enabled | Enabled | Enabled |
| Environment Variables Check | Enabled | Enabled | Enabled | Enabled |
| ETW Watcher | Enabled | Enabled | Enabled | Enabled |
| Event Check | Enabled | Enabled | Enabled | Enabled |
| Eventlog Analysis | Enabled | Disabled | Enabled | Enabled |
| File System Scan | Enabled | Reduced | Enabled | Enabled |
| Firewall Config Check | Enabled | Disabled | Disabled | Enabled |
| Hosts File Check | Enabled | Enabled | Disabled | Enabled |
| Hotfix Check | Enabled | Disabled | Enabled | Enabled |
| KnowledgeDB Check | Enabled | Enabled | Enabled | Enabled |
| Logged In Check [2] | Enabled | Enabled | Disabled | Enabled |
| LSA Sessions Analysis | Enabled | Enabled | Disabled | Enabled |
| MFT Analysis | Disabled | Disabled | Disabled | Enabled |
| Mutex Check | Enabled | Enabled | Disabled | Enabled |
| Named Pipes Check | Enabled | Enabled | Enabled | Enabled |
| Network Sessions Check [2] | Enabled | Enabled | Disabled | Enabled |
| Network Share Check | Enabled | Enabled | Disabled | Enabled |
| Process Check | Enabled | Enabled | Reduced [3] | Enabled |
| Registry Scan [2] | Enabled | Enabled | Enabled | Enabled |
| Rootkit Check | Enabled | Enabled | Enabled | Enabled |
| Scheduled Tasks Analysis | Enabled | Enabled | Enabled | Enabled |
| Service Check | Enabled | Enabled | Enabled | Enabled |
| SHIM Cache Scan | Enabled | Enabled | Enabled | Enabled |
| User Account Check [2] | Enabled | Enabled | Enabled | Enabled |
| User Profile Check [2] | Enabled | Disabled | Enabled | Enabled |
| WMI Startup Check | Enabled | Enabled | Enabled | Enabled |

[2] Disabled on Domain Controllers
[3] No process memory scan with YARA rules
6.1.3. Scan Module Names
| Module | Module Name | Disable Module |
|---|---|---|
| File System Scan | Filescan | --nofilesystem |
| Registry Scan | RegistryChecks | --noreg |
| SHIM Cache Scan | SHIMCache | --noshimcache |
| Mutex Check | Mutex | --nomutex |
| Named Pipes Check | Pipes | --nopipes |
| DNS Cache Check | DNSCache | --nodnscache |
| Hotfix Check | HotfixCheck | --nohotfixes |
| Hosts File Check | Hosts | --nohosts |
| Firewall Config Check | Firewall | --nofirewall |
| Network Share Check | NetworkShares | --nonetworkshares |
| Logged In Check | LoggedIn | --nologons |
| Process Check | ProcessCheck | --noprocs |
| Service Check | ServiceCheck | --noservices |
| Autoruns Check | Autoruns | --noautorons |
| Rootkit Check | Rootkit | --norootkits |
| LSA Sessions Analysis | LSASessions | --nolsasessions |
| User Account Check | Users | --nousers |
| User Profile Check | UserDir | --noprofiles |
| Network Sessions Check | NetworkSessions | --nonetworksessions |
| Scheduled Tasks Analysis | ScheduledTasks | --notasks |
| WMI Startup Check | WMIStartup | --nowmi |
| At Entries Check | AtJobs | --noatjobs |
| MFT Analysis | MFT | --nomft |
| Eventlog Analysis | Eventlog | --noeventlog |
| KnowledgeDB Check | KnowledgeDB | --noknowledgedb |
| Environment Variables Check | EnvCheck | --noenv |
| Crontab Check | Cron | |
| Integrity Check | Integritycheck | --nointegritycheck |
| Event Check | Events | --noevents |
| ETW Watcher | EtwWatcher | --noetwwatcher |
| Timestomp Check | Timestomp | --notimestomp |
| Antivirus Installation Check | Antivirus | |
6.1.4. Scan Module Explanation
| Module | Explanation |
|---|---|
| Filescan | Events reported by the FileScan module typically originate from the file system scan. But due to the "Message Enrichment" feature, other modules that include events with full "file path" strings may also produce events of this type (e.g. module … |
| SHIMcache | The SHIM Cache or AppCompatCache (Application Compatibility Cache) is a special Registry cache containing valuable information, because the cache tracks metadata for binary files that were executed. |
| Autoruns | The Autoruns module makes use of the command line version of SysInternals Autoruns. It parses the tool's output and integrates it in each log message. |
| LogScan | The LogScan module processes … |
| GroupsXML | The GroupsXML module reports on critical security issues related to decryptable passwords in group policy files that are readable for anyone within a Windows Domain. |
| Registry | Registry matches can be caused by different signature types: file name IOCs, keywords or YARA signature matches. |
| WMIPersistence | It is difficult to detect malicious WMIPersistence objects. The detection methods are based on whitelists and a blacklist with keywords from APT reports. The whitelists are extended every time our analysts detect false positives in a customer's environment. The blacklists are extended every time an APT report describes a certain WMI persistence method with a specific event filter or event file name. |
| VulnerabilityCheck | The VulnerabilityCheck module is limited to a few vulnerabilities that are known to be exploited by various threat groups. The vulnerability checks focus on vulnerabilities that are used for lateral movement or weaknesses which allow an attacker to easily achieve persistence without using any kind of software as backdoor. Note: There are vulnerabilities covered by YARA rules and reported in other modules. The YARA rules that detect vulnerabilities start with … |
| LoggedIn | The LoggedIn module analyses all currently logged in users and analyses their names. |
| ProcessCheck | Different checks are performed in the ProcessCheck module. Some of them check the process characteristics such as parent/child relations, process priorities and executable file locations for anomalies. Other checks evaluate the processes' network connections, and YARA checks match on the process memory. |
| HotfixCheck | The HotFixCheck module analyses the installed hotfixes on the end system. |
| RunKeyCheck | The RunKeyCheck module processes entries in the RUN Key. |
| AmCache | The AmCache module processes entries in the AmCache of the system. In contrast to the SHIMCache entries, AmCache entries contain a SHA1 hash value that can be used to determine the exact program that was executed on the end system. |
| Firewall | The Firewall module evaluates all local Windows firewall rules and tries to detect suspicious entries by using white- and blacklists. |
| ServiceCheck | The ServiceCheck module evaluates all registered local Windows services. It detects suspicious service entries by different anomaly checks and blacklisted keywords, and reports file path anomalies. |
| DNSCache | The DNSCache module evaluates the entries of the local DNS cache. It compares the entries with known C2 servers and reports suspicious entries based on some regular expression checks. |
| Hosts | The Hosts module evaluates the entries in the local hosts file. |
| WMIStartup | The WMIStartup module uses different WMI queries to retrieve information on elements that could be used for persistence. It is very likely that findings by this module also appear in other modules (e.g. … |
| CommandCheck | The CommandCheck module is a meta module that analyses full command lines (path, executable, parameters) in different modules. |
| ProcessHandles | The ProcessHandles module is a sub module of the … |
| ProcessConnection | The ProcessConnections module checks the network connections of a process and generates alerts and warnings based on C2 signature matches and suspicious GEO IP lookups. |
| WER | The WER (Windows Error Reporting) module analyses program crash files and checks for special crashes caused by exploits and filename IOC signature matches in the application path. Software can break, so applications tend to crash; hack tools and exploits crash as well. Even if the attackers completely removed their tools from a system, a crashed exploit code, scanner, password dumper or backdoor will still be visible in the Windows Error Reports. |
| UserAccounts | The UserAccounts module analyses the local user database. It checks for suspicious user names, suspicious members in the … |
| AtJobs | The AtJobs module analyses the local user jobs, lists them in "Info" level messages and applies the global string check on the command line. |
| ScheduledTasks | The ScheduledTasks module analyses the local user at jobs, lists them in "Info" level messages and applies the global string check on the command line. |
| Rescontrol | The Rescontrol (Resource Control) module generates "Warning" level messages in case a resource limit has been reached. In most cases, this is caused by very low free main memory levels or false positives that generated many SYSLOG messages. Resource control is active by default and can be deactivated with ( … |
| DeepDive | A DeepDive on memory images or disk space cannot be analyzed by THOR events alone. You typically need the memory dumps or restored chunks to evaluate the findings. This typically takes a lot more time, know-how and effort to complete. We recommend the analysis of DeepDive module events only in case other indicators give a sufficient initial suspicion. |
| Rootkit | The Rootkit module checks for various (OS dependent) rootkit indicators, e.g. DoublePulsar on Windows, or Drovorub on Linux. |
| Antivirus | The Antivirus module lists the installed Antivirus products and (for Windows Defender) the existing exclusions. |
6.2. Features
Features are invoked by Modules and provide further details about an item. For example, the File System Scan might find a .zip file during a scan and invoke the Archive Scan feature. The Archive Scan feature in turn extracts the zip file and scans all the items in it. Another example is the Eventlog Analysis module, which might invoke the Sigma Scan feature on certain eventlog entries.
Hint
Please see chapter Archive Scan for a list of supported archive formats.
6.2.1. Feature Scan Mode Overview
| Feature | Normal | Quick | Soft | Intense |
|---|---|---|---|---|
| Sigma Scan | Disabled | Disabled | Disabled | Enabled |
| EXE Decompression [5] | Enabled | Enabled | Disabled | Enabled |
| Archive Scan | Enabled | Enabled | Enabled | Enabled |
| Double Pulsar Check [5] | Enabled | Enabled | Disabled | Enabled |
| Groups XML Analysis | Enabled | Enabled | Enabled | Enabled |
| Vulnerability Check | Enabled | Enabled | Enabled | Enabled |
| Web Server Dir Scan | Enabled | Disabled | Enabled | Enabled |
| WMI Persistence | Enabled | Enabled | Enabled | Enabled |
| Registry Hive Scan | Enabled [4] | Enabled | Enabled | Enabled |
| AmCache Analysis | Enabled | Enabled | Enabled | Enabled |
| Process Handle Check | Enabled | Enabled | Enabled | Enabled |
| Process Connections Check | Enabled | Enabled | Enabled | Enabled |
| Windows Error Report (WER) | Enabled | Enabled | Enabled | Enabled |
| Windows At Job File Analysis | Enabled | Enabled | Enabled | Enabled |
| EVTX File Scanning | Enabled | Disabled | Enabled | Enabled |
| Prefetch Library Scanning | Enabled | Enabled | Enabled | Enabled |
| Memory Dump DeepDive | Disabled | Disabled | Disabled | Enabled |
| Text Log File Scanning | Enabled | Disabled | Enabled | Enabled |
| Shellbag Entry Analysis | Enabled | Enabled | Enabled | Enabled |
| Authorized Key File Analysis | Enabled | Enabled | Enabled | Enabled |
| Bifrost File Upload | Enabled | Enabled | Enabled | Enabled |
| Malicious Domain Check | Enabled | Enabled | Enabled | Enabled |
| File Scan | Enabled | Enabled | Enabled | Enabled |
| Cobalt Strike Beacon Parsing | Enabled | Enabled | Enabled | Enabled |
| Process Integrity Check [5] | Disabled | Disabled | Disabled | Enabled |
| SHIM Cache Analysis | Enabled | Enabled | Enabled | Enabled |
| ETL File Scanning [5] | Enabled | Enabled | Enabled | Enabled |
| VBE Decoding | Enabled | Enabled | Enabled | Enabled |
| ICS File Parsing | Enabled | Enabled | Enabled | Enabled |
| ShimDB parsing | Enabled | Enabled | Enabled | Enabled |
| Tesseract | Enabled | Enabled | Enabled | Enabled |
| Jumplist parsing | Enabled | Enabled | Enabled | Enabled |
| PS module analysis cache parsing | Enabled | Enabled | Enabled | Enabled |

[4] Disabled on Domain Controllers
[5] Only supported on Windows
6.2.2. Feature caller list
The following table gives an overview of THOR's features and how they are called by the different modules and other features.
| Feature | Callers |
|---|---|
| Sigma Scan | Eventlog, Log file scanning |
| EXE Decompression | File Scan |
| Archive Scan | File Scan |
| Double Pulsar Check | Rootkit Check |
| Groups XML Analysis | File Scan |
| Vulnerability Check | File Scan |
| Web Server Dir Scan | Process Check |
| WMI Persistence | File Scan |
| Registry Hive Scan | File Scan |
| AmCache Analysis | File Scan |
| Process Handle Check | Process Check |
| Process Memory Check | Process Check |
| Process Connections Check | Process Check |
| Windows Error Report (WER) | File Scan |
| Windows At Job File Analysis | File Scan |
| EVTX File Scanning | File Scan |
| Prefetch Library Scanning | File Scan |
| Memory Dump DeepDive | File Scan |
| Text Log File Scanning | File Scan |
| Shellbag Entry Analysis | Registry Hive Scan |
| Authorized Key File Analysis | File Scan |
| Bifrost File Upload | File Scan |
| Malicious Domain Check | File Scan |
| File Scan | Most modules and features |
| Cobalt Strike Beacon Parsing | File Scan, Process Check |
| Process Integrity Check | Process Check |
| SHIM Cache Analysis | SHIM Cache Scan, Registry Hive |
| ETL File Scanning | File Scan |
| VBE Decoding | File Scan |
| ICS File Parsing | File Scan |
| ShimDB parsing | File Scan |
| Tesseract | File Scan |
| Jumplist parsing | File Scan |
| PS module analysis cache parsing | File Scan |
6.2.3. Feature selectors
Since THOR 10.7, some features in THOR are triggered by YARA rules.
When a (meta or generic) YARA rule with a specific tag matches on a file, the corresponding feature is started and parses the file.
The standard signatures contain a number of rules with these tags, but if required, you can add additional rules with these tags as custom signatures.
| Tag | Feature | Applied regardless of Filesize limit |
|---|---|---|
| AMCACHE | Amcache | no |
| ZIPARCHIVE | Archive | no |
| RARARCHIVE | Archive | no |
| TARARCHIVE | Archive | no |
| TARGZARCHIVE | Archive | no |
| TARBZ2ARCHIVE | Archive | no |
| CABARCHIVE | Archive | no |
| GZIPCOMPRESSEDFILE | Archive | no |
| SEVENZIPARCHIVE | Archive | no |
| ATJOBS | AtJobs | yes |
| AUDITLOG | Auditlog | yes |
| AUTHORIZEDKEYS | AuthorizedKeys | yes |
| EMAILFILE | EmailParser | no |
| ETL | ETL | yes |
| EVTX | EVTX | yes |
| UPX | ExeDecompress | no |
| WINRAR | ExeDecompress | no |
| LNK | LinkScan | yes |
| LOGSCAN | LogScan | yes |
| MFT | MftFile | yes |
| OLE | OleScan | no |
| PREFETCH | Prefetch | yes |
| REGISTRYHIVE | RegistryHive | yes |
| UNESCAPE | Unescaper | no |
| WER | WER | yes |
| WMIPERSISTENCE | WMIPersistence | yes |
| VBEDECODER | VBE | no |
| ICS | ICS | no |
| SDB | ShimDB | no |
| JUMPLIST | JumpList | no |
| PSMODULECACHE | ModuleAnalysisCache | no |
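As an added example (not from the THOR manual or its standard signature set), a custom YARA rule carrying the LOGSCAN tag, which hands every matching file to the LogScan feature as described above. The rule name, the header string and the meta fields are constructed assumptions; only the tag and the fact that LOGSCAN is applied regardless of the file size limit come from the table.

```yara
// Added example (not part of THOR's standard signatures): a custom feature
// selector. The tag after the colon is what THOR evaluates; when this rule
// matches a file, the LogScan feature is started on that file (see tag table).
rule Custom_AppLog_Selector : LOGSCAN
{
    meta:
        description = "Select hypothetical in-house application logs for LogScan"
        author      = "added example, hypothetical"
    strings:
        // Constructed header that the hypothetical log format writes on line 1.
        $hdr = "#APPLOG/1.0 " ascii
    condition:
        // Match only on the header at offset 0, so that ordinary text files and
        // other formats are not needlessly scanned line by line. LOGSCAN is
        // applied regardless of the file size limit, so large logs are covered.
        $hdr at 0 and filesize > 32
}
```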
6.2.4. Feature names
| Feature | Feature Name | Disable Feature |
|---|---|---|
| Use a persistent database for holding information across scans | ThorDB | --nothordb |
| Scan with Sigma signatures | Sigma | THOR 10.6: per default disabled, use …; THOR 10.7: … |
| Scan log file (identified by .log extension or location) entries one by one | LogScan | --nologscan |
| Check files, processes or blobs with YARA | Yara | |
| Check files with STIX | Stix | --nostix |
| Extract files contained in archives | Archive | --noarchive |
| Scan files contained in archives | ArchiveScan | --noarchive |
| Run checks for known C2 Domains | C2 | --noc2 |
| Analyze process handles | ProcessHandles | --noprochandles |
| Analyze process connections | ProcessConnections | --noprocconnections |
| Analyze entries in Amcache files | Amcache | --noamcache |
| Parse and analyze registry hives | RegistryHive | --noregistryhive |
| Decompress and scan UPX or SFX packed portable executables | ExeDecompress | --noexedecompress |
| Analyze web directories that were found in process handles | WebdirScan | --nowebdirscan |
| Search for configuration file vulnerabilities (e.g. weak Tomcat passwords) | VulnerabilityCheck | --novulnerabilitycheck |
| Parse Windows prefetch directories | Prefetch | --noprefetch |
| Parse groups.xml files (for AD permissions) and search for vulnerabilities | GroupsXML | --nogroupsxml |
| Parse WMI Persistence directories | WMIPersistence | --nowmipersistence |
| Parse and analyze LNK files | Lnk | --nolnk |
| Check Knowledge DB on Mac OS | KnowledgeDB | --noknowledgedb |
| Parse .wer crash dump files | WER | --nower |
| Parse EVTX eventlogs and scan the contained log entries | EVTX | --noevtx |
| Analyze authorized_keys SSH files | AuthorizedKeys | --noauthorizedkeys |
| Parse and analyze .eml Email files | Eml | --noeml |
| Parse Windows Event Trace Logging files and scan the contained logs | ETL | --noetl |
| Parse jobs files scheduled with the 'at' tool | AtJobs | --noatjobs |
| Upload suspicious files to a server running the Bifrost 2 quarantine service | Bifrost2 | per default disabled, use … |
| Scan multiple entries as a single block | BulkScan | can't be disabled |
| Disable cpulimit check | CPULimit | --nocpulimit |
| Run filename IOC, keyword IOC, and YARA rules on a chunk of data | CheckString | can't be disabled |
| Parse crontab files and analyze their entries | CronParser | can't be disabled |
| Check for DoublePulsar Backdoor in the rootkit module | DoublePulsar | --nodoublepulsar |
| Gather additional information (like hashes, owner, timestamps, ...) about file paths | EnrichFileInfo | can't be disabled |
| Apply filename IOCs | FilenameIOCs | can't be disabled |
| Scan files and similar objects | Filescan | can't be disabled |
| Apply keyword IOCs | KeywordIOCs | can't be disabled |
| Log information during a THOR run | Logger | can't be disabled |
| Detect a file's type based on its first bytes | MagicHeader | can't be disabled |
| Parse OLE files (e.g. old MS Office documents, or MS Office macros) | OLE | can't be disabled |
| Parse additional information from a detected CobaltStrike beacon | ParseCobaltStrike | can't be disabled |
| Keep and display information about THOR's current activity | ProgressTracker | can't be disabled |
| Parse additional information from files in a Windows recycle bin | RecycleBin | can't be disabled |
| Check whether the system is running out of RAM, and end THOR if this is the case | Rescontrol | --norescontrol |
| Parse SHIM Caches from registry and analyze their entries | SHIMCache | --noshimcache |
| React to interrupts from outside THOR in a controlled manner | SignalHandler | can't be disabled |
| Look for unencrypted TeamViewer passwords in registry hives | TeamViewer | can't be disabled |
| Add additional information from Virustotal to detected files | VirusTotal | per default disabled, use … |
| Run a user defined command for detected files | Action | per default disabled, use … |
| Write a detailed output file with information about all scanned elements | AuditTrail | per default disabled, use … |
| Scan memory dump files in chunks | DumpScan | per default disabled, use … |
| Scan processes with PE-Sieve to check for process integrity (Windows only) | ProcessIntegrity | per default disabled, use … |
| Parse ICS files (calendar entries) | ICS | |
| Decode VBE files (obfuscated VB scripts) | VBE | |
| Parse Shim databases | ShimDB | |
| Check for filesystem anomalies | Tesseract | Use … |
| Parse jumplist files (used by Windows to record opened files) | JumpList | |
| Parse PS module analysis cache (gives information about once loaded PS modules) | ModuleAnalysisCache | |