Handling Unsupported Operating Systems

For unsupported operating systems, Nextron offers flexible solutions to maintain effective compromise assessment and artifact analysis. This article presents three options.

1. THOR Thunderstorm Service with Thunderstorm Collectors

  • Applicability:

    • All unsupported operating systems, regardless of platform (Linux, macOS, or older Windows versions).

    • Examples: RHEL 5, legacy Linux distributions, unsupported macOS versions.

  • How It Works:

    • Deploy the THOR Thunderstorm service on a supported system.

    • Use Thunderstorm Collectors on the unsupported systems to collect relevant data (logs, memory dumps, etc.).

    • The collectors send the data directly to the Thunderstorm service for scanning and analysis.

  • Advantages:

    • Enables centralized artifact analysis without running THOR directly on unsupported systems.

    • Scalable for environments with multiple unsupported endpoints.
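As an added illustration (not Nextron's collector and not code from this page), a minimal POSIX sh collector of the kind the "How It Works" steps above describe: it selects recently modified files below a size limit on the legacy host and uploads each one to the Thunderstorm service with curl. The `/api/check` upload endpoint, the `file` form field, and the `THUNDERSTORM_SERVER`, `DAYS`, `MAX_BYTES` and `RESULTS` variables are assumptions of this example; confirm the endpoint against the API documentation of your Thunderstorm version.

```shell
#!/bin/sh
# Minimal Thunderstorm collector for legacy hosts (added illustration, not Nextron's
# collector). Assumes the service accepts multipart uploads at <server>/api/check in a
# form field named "file" and answers each upload with a JSON verdict.

# Print regular files under DIR modified within the last DAYS days and smaller than
# MAXBYTES bytes, one path per line. Only POSIX find primaries are used so the
# function also runs on old distributions such as RHEL 5.
collect_candidates() {
    dir=$1; days=$2; maxbytes=$3
    find "$dir" -type f -mtime "-$days" -size "-${maxbytes}c" 2>/dev/null
}

# Upload one file and print the service's response; the exit status is curl's.
upload_artifact() {
    server=$1; path=$2
    curl -sS -F "file=@$path" "$server/api/check"
}

# Select candidates from every directory given, submit them one by one, append the
# verdicts to a results file and report the counts. Failed paths go to stderr so
# they can be retried without rescanning the disk.
run_collector() {
    server=$1; shift
    days=${DAYS:-7}; maxbytes=${MAX_BYTES:-20971520}   # 20 MiB default cap
    results=${RESULTS:-thunderstorm_results.jsonl}
    list=$(mktemp) || return 1
    for dir in "$@"; do
        collect_candidates "$dir" "$days" "$maxbytes"
    done > "$list"
    sent=0; failed=0
    while IFS= read -r f; do
        if upload_artifact "$server" "$f" >>"$results" 2>/dev/null; then
            echo >>"$results"; sent=$((sent + 1))
        else
            failed=$((failed + 1)); echo "FAILED $f" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "submitted=$sent failed=$failed"
    [ "$failed" -eq 0 ]
}

# Usage: THUNDERSTORM_SERVER=http://thunderstorm.example:8080 sh collect.sh /var/log /tmp
[ -n "${THUNDERSTORM_SERVER:-}" ] && run_collector "$THUNDERSTORM_SERVER" "$@"
```

Candidate selection is deliberately separate from upload so the file list can be reviewed before anything leaves the host, and so a failed run can be resumed from the logged paths.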

2. Forensic Evidence Collection with THOR Forensic Lab License

  • Applicability:

    • All unsupported operating systems capable of creating forensic artifacts.

    • Examples: Collecting disk images, memory dumps, and logs from RHEL 5, legacy Linux systems, unsupported macOS, and older Windows versions.

  • Workflow:

    • Collect forensic artifacts such as disk images, memory dumps, or log files.

    • Analyze these artifacts in a controlled forensic lab using THOR Forensic Lab License.

    • This license allows scanning mounted images or using dropzone mode for artifact-based analysis.

  • Advantages:

    • Provides comprehensive analysis in a lab setting.

    • Adheres to licensing requirements for forensic investigations.

3. Direct Scanning of Older Systems with THOR Legacy

  • Applicability:

    • Older, but still partially supported Windows systems, such as Windows XP and Windows Server 2003.

    • THOR Legacy is designed to provide detection capabilities for these environments.

  • How It Works:

    • Run THOR Legacy directly on these systems to scan for indicators of compromise, anomalies, and threats.

    • THOR Legacy is tailored to work within the constraints of older platforms while leveraging Nextron’s advanced detection capabilities.

  • Advantages:

    • Direct scanning capability for older Windows systems.

    • Simplifies workflow by avoiding the need for artifact collection and external analysis.

Recommendations by Use Case

  1. For Unsupported Systems (General):

    • Use THOR Thunderstorm with Collectors or artifact collection with Forensic Lab License.

  2. For Legacy Windows Systems:

    • Deploy THOR Legacy for direct scanning, where supported.

  3. For Large Environments or Centralized Analysis:

    • Consider THOR Thunderstorm for streamlined artifact collection and processing.

By combining these approaches, Nextron ensures effective detection capabilities for all environments while maintaining compliance with licensing and support constraints.