{
"id":3862,
"date":"2018-12-06T09:53:32",
"date_gmt":"2018-12-06T08:53:32",
"guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=3862"},
"modified":"2022-03-25T14:15:02",
"modified_gmt":"2022-03-25T13:15:02",
"slug":"thor-8-53-feature-diff-mode",
"status":"publish",
"type":"post",
"link":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/",
"title":{"rendered":"THOR 8.53 Feature: Diff Mode"},
"content":{"rendered":"<p>With the upcoming version 8.53 of THOR, we're testing a new feature called \"Difference\" or \"Diff\" mode (<code>--diff<\/code>).<\/p>\n<p>The idea behind Diff mode is that a scan can be much faster if it only considers elements that have been created or changed since the last scan on that system. Applying this principle to the long-running modules increases scan speed massively.<\/p>\n<p>Diff mode is currently supported in these long-running modules:<\/p>\n<ul>\n<li>Filesystem: files whose MAC (modified, accessed, created) timestamps are all older than the start of the last scan are skipped<\/li>\n<li>Registry: registry keys whose last-modification date is older than the start of the last scan are skipped<\/li>\n<li>Eventlog: runs until it reaches event log entries with timestamps older than the start of the last scan<\/li>\n<\/ul>\n<p>Diff mode requires THOR DB, which is enabled by default but may have been disabled with <code>--nothordb<\/code>. THOR DB holds the information about the last scan that Diff mode depends on: when that scan started, and which modules it ran, since a module that did not run last time has no baseline to diff against. The reference point is the start of the last scan rather than its end, so that elements changed while that scan was still running are not missed.<\/p>\n<p>The main advantage is an incredibly fast scan. In our tests, scans in Diff mode completed in 5 to 15 minutes; the longest-running module in Diff mode is ProcessCheck, at 3 to 6 minutes.<\/p>\n<p>The main disadvantage of Diff mode is that it cannot detect <a href=\"https:\/\/attack.mitre.org\/techniques\/T1099\/\">timestomping<\/a> (MITRE ATT&amp;CK T1099, since merged into T1070.006), in which attackers or malware change the timestamps of files and other elements. An element backdated in this way falls outside the diff window and is only examined by a full scan.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>With the upcoming version 8.53 of THOR, we're testing a new feature called \"Difference\" or \"Diff\" mode (--diff). The idea behind Diff mode is that a scan can be much faster if it only considers elements that have been created or changed since the last scan on that system. [&hellip;]<\/p>\n","protected":false},
"author":1,
"featured_media":0,
"comment_status":"closed",
"ping_status":"closed",
"sticky":false,
"template":"",
"format":"standard",
"meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},
"categories":[46,32],
"tags":[157,151,153,124,152,117,154,5,156,155],
"class_list":["post-3862","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-attackers","tag-diff","tag-fast","tag-malware","tag-mode","tag-scan","tag-speed","tag-thor","tag-timestamp","tag-timestomping"],
"yoast_head":"",
"yoast_head_json":{"title":"THOR 8.53 Feature: Diff Mode - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/","schema":{"@context":"https:\/\/schema.org","@graph":[
{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"THOR 8.53 Feature: Diff Mode","datePublished":"2018-12-06T08:53:32+00:00","dateModified":"2022-03-25T13:15:02+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/"},"wordCount":302,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["attackers","diff","fast","malware","mode","scan","speed","thor","timestamp","timestomping"],"articleSection":["Newsletter","THOR"],"inLanguage":"en-US"},
{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/","url":"https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/","name":"THOR 8.53 Feature: Diff Mode - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2018-12-06T08:53:32+00:00","dateModified":"2022-03-25T13:15:02+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2018\/12\/06\/thor-8-53-feature-diff-mode\/"]}]},
{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},
{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},
{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}
]}},
"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=3862"}],"version-history":[{"count":3,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3862\/revisions"}],"predecessor-version":[{"id":7663,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3862\/revisions\/7663"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=3862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=3862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=3862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}
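The selection rule the post describes for the Filesystem module (skip anything whose MAC timestamps all predate the start of the last scan, fall back to a full scan when THOR DB has no usable baseline for the module) and its timestomping blind spot, as an added example that is not part of the original post and not THOR's own code. THOR's implementation is not public; the dict standing in for THOR DB, the module names used as keys, and the sample files with their timestamps are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp (mixing naive and aware datetimes raises)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileEntry:
    """One filesystem object with the MAC timestamps a scanner reads for it."""
    path: str
    mtime: datetime  # content last modified
    atime: datetime  # last accessed
    ctime: datetime  # creation ("birth") time on NTFS

    def newest(self) -> datetime:
        return max(self.mtime, self.atime, self.ctime)


def record_scan(thor_db, started_at, modules):
    """Persist what diff mode needs from a finished scan: when it *started* and
    which modules ran. Storing the start rather than the end keeps anything
    changed while that scan was running inside the next diff window."""
    thor_db["last_scan_start"] = started_at
    thor_db["modules"] = set(modules)


def baseline_for(thor_db, module):
    """Start time of the last scan in which `module` ran, or None.

    None means 'no usable baseline': THOR DB is empty (first scan, or it was
    disabled) or the module was not part of the last scan, so the module has
    to look at everything. `thor_db` is an assumed stand-in for THOR DB."""
    if module not in thor_db.get("modules", set()):
        return None
    return thor_db["last_scan_start"]


def diff_filter(entries, last_scan_start):
    """Diff-mode selection: keep an entry if any of its MAC timestamps is at or
    after the baseline; with no baseline keep everything (full scan)."""
    if last_scan_start is None:
        return list(entries)
    return [e for e in entries if e.newest() >= last_scan_start]


def scanned_paths(entries, thor_db, module="Filesystem"):
    """Paths the Filesystem module would actually open for this THOR DB state."""
    return [e.path for e in diff_filter(entries, baseline_for(thor_db, module))]


NOW = ts(2018, 12, 6, 9)
LAST_SCAN_START = NOW - timedelta(days=1)

# Constructed sample set (not real artefacts).
SAMPLE = [
    # Stock system file untouched for years: correctly skipped in diff mode.
    FileEntry(r"C:\Windows\System32\kernel32.dll",
              ts(2015, 7, 10), ts(2015, 7, 10), ts(2015, 7, 10)),
    # Dropped two hours ago: every timestamp is newer than the baseline.
    FileEntry(r"C:\Users\Public\update.exe",
              NOW - timedelta(hours=2), NOW - timedelta(hours=2), NOW - timedelta(hours=2)),
    # Also dropped after the last scan, but timestomped (e.g. via SetFileTime)
    # to a plausible 2010 date: diff mode cannot tell it from the stock file.
    FileEntry(r"C:\Windows\Temp\svchost.exe",
              ts(2010, 7, 14, 1, 39), ts(2010, 7, 14, 1, 39), ts(2010, 7, 14, 1, 39)),
]


def thor_db_after_first_scan():
    """THOR DB as left behind by a full scan that started one day ago and ran
    only the Filesystem and Registry modules (assumed layout)."""
    thor_db = {}
    record_scan(thor_db, LAST_SCAN_START, {"Filesystem", "Registry"})
    return thor_db


if __name__ == "__main__":
    db = thor_db_after_first_scan()
    print("full scan :", scanned_paths(SAMPLE, {}))
    print("diff scan :", scanned_paths(SAMPLE, db))
    print("Eventlog baseline (module absent last time):", baseline_for(db, "Eventlog"))
```

Run stand-alone, the diff scan returns only `update.exe`: the timestomped `svchost.exe` is indistinguishable from the 2015 system file and is never opened until the next full scan, which is exactly the disadvantage the post names. On NTFS, `SetFileTime` rewrites only the `$STANDARD_INFORMATION` timestamps; the `$FILE_NAME` timestamps and the USN journal are maintained by the kernel and usually still reflect the real drop time, but a filter keyed on the ordinary MAC values, like this one, never consults them. Note also that `baseline_for` returns `None` for Eventlog because that module was not in the previous scan, so it falls back to a full pass rather than pretending it has a diff window.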