\n(e.g. we could license a SPARK version that only scans endpoint logs with Sigma rules)<\/li>\n<\/ul>\n
THOR-util Report Generation<\/h2>\n
The new included THOR-util version 1.2 allows to generate HTML reports from scan log files. It can also generate reports for a directory that contains THOR or SPARK scan logs (up to 50 per HTML report). We’ve discussed this feature in detail in a previous blog post<\/a>.<\/p>\n The Scan Resume feature has caused many problems during incident response engagements in the past. The feature activates a journal in THOR DB that tracks the state of the scan and resumes the scan automatically if it was interrupted by a user or terminated due to a system shutdown. This feature seemed to be helpful but actually caused some problems.<\/p>\n THOR logs are created in “write” (w) mode, not in “append” (a) mode. When an administrator started THOR on a system, terminated the scan and then restarted it shortly after, the first part of the local log file was overwritten by the second scan. Sometimes a scan was interrupted on a system due to different reasons. When an administrator received the order to start a new scan on that system, the scan resumed the last scan and the log file and report contained only info of the resumed part of the scan.<\/p>\n We therefore decided to not resume scans by default. If you still want to maintain the old behaviour, please use the new “–resume” parameter. The old “–noresume” parameter is still valid but has no effect and is marked “obsolete” in the help.<\/p>\n![\"\"](\"\/wp-content\/uploads\/2018\/06\/Screen-Shot-2018-06-20-at-16.27.54.png\")
<\/p>\nNoresume Becomes the New Default<\/h2>\n
Analysis Cockpit Web Session<\/h2>\n