{"id":8661,"date":"2020-10-01T15:47:44","date_gmt":"2020-10-01T13:47:44","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=8661"},"modified":"2022-03-25T14:15:43","modified_gmt":"2022-03-25T13:15:43","slug":"thor-v10-6-techpreview","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/","title":{"rendered":"THOR v10.6 TechPreview"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_row _builder_version=”4.6.1″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_text _builder_version=”4.6.1″ _module_preset=”default”]<\/p>\n

We are proud do announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We’ve discussed the split-up into THOR and THOR TechPreview in a previous post<\/a>.\u00a0\u00a0<\/p>\n

The following post describes the most important new feature of the THOR v10.6 TechPreview version.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_text _builder_version=”4.6.1″ _module_preset=”default”]<\/p>\n

THOR Thunderstorm<\/h3>\n

THOR 10.6 is the first version that support a new mode of operation – a RESTful web API service named THOR Thunderstorm.\u00a0THOR Thunderstorm is able to receive thousands of samples per minute via web requests, scans them and returns a scan result.\u00a0<\/span><\/p>\n

We’ve outlined many use cases and features of THOR Thunderstorm in a separate\u00a0blog post<\/a>.\u00a0<\/p>\n

THOR Thunderstorm requires a separate license named “service license” to run.\u00a0<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Screenshot-2020-09-08-at-09.47.20.png” title_text=”Screenshot 2020-09-08 at 09.47.20″ _builder_version=”4.6.1″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_text _builder_version=”4.6.1″ _module_preset=”default”]<\/p>\n

Multi-Threaded Scanning<\/h3>\n

Especially the customers with a lab license should be happy to hear that we’ve implemented multi-threaded scanning.\u00a0<\/p>\n

From now on, THOR can use multiple threads to process elements (files, registry keys, events in eventlog etc.).\u00a0<\/p>\n

This can boost the scan speed on mounted images significantly. Our tests on a 16 Core system showed a scan speed improvement of 1400%.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Screenshot-2020-09-08-at-13.17.45.png” title_text=”Screenshot 2020-09-08 at 13.17.45″ _builder_version=”4.6.1″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_column type=”3_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_text _builder_version=”4.6.1″ _module_preset=”default”]<\/p>\n

Reworked Quick Scan<\/h3>\n

Quick scan (–quick) is used when fast scan results are crucial. It usually takes less than 25 minutes to complete. This is achieved by skipping elements in the scan. Quick in versions previous to 10.6 do the following: they skip the Eventlog scan and scan only a set of 40+ highly relevant folders on disk.\u00a0<\/p>\n

The new quick scan doesn’t skip whole modules or directories anymore. For all previously skipped elements the new quick scan evaluates if they have been modified or created within the last 72 hours and scans only these elements.\u00a0<\/p>\n

This way the new quick scan is much more intense but should\u00a0 be only slightly slower.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Speed_256.png” title_text=”Speed_256″ _builder_version=”4.6.1″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.6.1″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.6.1″ _module_preset=”default”][et_pb_text _builder_version=”4.6.1″ _module_preset=”default”]<\/p>\n

Other Changes<\/h3>\n
    \n
  • We’ve changed the ambigious “–fsonly” flag to “–lab” to indicate the best settings for scanning in a forensic lab (the old flag is still usable but hidden in the usage description)<\/li>\n
  • Virtual drive name mapping (used in lab scans to map the actual mount point to the original one)<\/li>\n
  • Minor changes to some log lines (extended field values)\u00a0<\/li>\n<\/ul>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.6.5″ _module_preset=”default” column_structure=”2_5,3_5″][et_pb_column _builder_version=”4.6.5″ _module_preset=”default” type=”2_5″][et_pb_text _builder_version=”4.6.5″ _module_preset=”default”]<\/p>\n

    Getting Started<\/h3>\n

    Customers can download the THOR TechPreview version 10.6 in the Downloads section of the customer portal or use thor-util in it’s newest version to download that version with the flag “–techpreview”. ASGARD version 2.5.3 also supports scan runs with THOR TechPreview.\u00a0<\/p>\n

    [\/et_pb_text][\/et_pb_column][et_pb_column _builder_version=”4.6.5″ _module_preset=”default” type=”3_5″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/10\/Screenshot-2020-10-02-at-09.03.25.png” _builder_version=”4.6.5″ _module_preset=”default” title_text=”Screenshot 2020-10-02 at 09.03.25″ hover_enabled=”0″ sticky_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    We are proud do announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We’ve discussed the split-up into THOR and THOR TechPreview in a previous post.\u00a0\u00a0 The following post describes the most important new feature of the THOR v10.6 TechPreview version.THOR Thunderstorm THOR 10.6 is the first version that support a new mode of operation – a RESTful web API service named THOR Thunderstorm.\u00a0THOR Thunderstorm is able to receive thousands of samples per minute via web requests, scans them and returns a scan result.\u00a0 We’ve outlined many use cases and features of THOR Thunderstorm in a separate\u00a0blog post.\u00a0 THOR Thunderstorm requires a separate license named “service license” to run.\u00a0  Multi-Threaded Scanning Especially the customers with a lab license should be happy to hear that we’ve implemented multi-threaded scanning.\u00a0 From now on, THOR can use multiple threads to process elements (files, registry keys, events in eventlog etc.).\u00a0 This can boost the scan speed on mounted images significantly. Our tests on a 16 Core system showed a scan speed improvement of 1400%.\u00a0Reworked Quick Scan Quick scan (–quick) is used when fast scan results are crucial. It usually takes less than 25 minutes to complete. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32,574],"tags":[],"class_list":["post-8661","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","category-thunderstorm"],"yoast_head":"\nTHOR v10.6 TechPreview - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"THOR v10.6 TechPreview\",\"datePublished\":\"2020-10-01T13:47:44+00:00\",\"dateModified\":\"2022-03-25T13:15:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\"},\"wordCount\":783,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"articleSection\":[\"Newsletter\",\"THOR\",\"Thunderstorm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\",\"name\":\"THOR v10.6 TechPreview - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2020-10-01T13:47:44+00:00\",\"dateModified\":\"2022-03-25T13:15:43+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"THOR v10.6 TechPreview - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"THOR v10.6 TechPreview","datePublished":"2020-10-01T13:47:44+00:00","dateModified":"2022-03-25T13:15:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/"},"wordCount":783,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"articleSection":["Newsletter","THOR","Thunderstorm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/","url":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/","name":"THOR v10.6 TechPreview - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2020-10-01T13:47:44+00:00","dateModified":"2022-03-25T13:15:43+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2020\/10\/01\/thor-v10-6-techpreview\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=8661"}],"version-history":[{"count":10,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8661\/revisions"}],"predecessor-version":[{"id":8798,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8661\/revisions\/8798"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=8661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=8661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=8661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}