Last verified version: THOR 10.7.28
Issue
THOR is showing the following error: No rules with DEEPSCAN tag found
This error is caused by a missing signature set. Typically, the user has copied only the THOR executable instead of the entire program folder, which includes the ./signatures folder. The error indicates that none of THOR's signatures, including the DEEPSCAN signatures, were found. Consequently, THOR's scan capabilities are severely limited.
You can see that this is the case by inspecting your scan results:
THOR: Warning: MODULE: Init MESSAGE: No rules with DEEPSCAN tag found. THOR won't scan any files with YARA rules. Please ensure that you use up-to-date signatures. SCANID: S-Qpw5dDmEBaw
THOR: Info: MODULE: Init MESSAGE: Successfully compiled 0 custom default YARA rules SCANID: S-Qpw5dDmEBaw TYPE: YARA
You can also see in THOR's initialization output that no YARA rules are compiled:
thor64.exe
[...]
Reading YARA signatures and IOC files ...
Info Successfully compiled 0 default YARA rules TYPE: YARA
Info Successfully compiled 0 log YARA rules TYPE: YARA
Info Successfully compiled 0 registry YARA rules TYPE: YARA
Info Successfully compiled 0 keyword YARA rules TYPE: YARA
Info Successfully compiled 0 process YARA rules TYPE: YARA
Info Successfully compiled 0 meta YARA rules TYPE: YARA
Warning No rules with DEEPSCAN tag found. THOR won't scan any files with YARA rules.
Please ensure that you use up-to-date signatures.
Info Successfully compiled 0 custom default YARA rules TYPE: YARA
Info Skip sigma initialization, use '--sigma' flag to scan with sigma
Info Successfully compiled 0 STIXv2 indicators (skipped 0 indicators) TYPE: STIX
Info Successfully compiled 0 keyword ioc strings TYPE: IOC
Info Successfully compiled 0 filename ioc strings and 0 filename ioc regexs TYPE: IOC
Info Successfully compiled 0 malware and 0 false positive hashes TYPE: IOC
Info Successfully compiled 0 file type signatures TYPE: IOC
Info Successfully compiled 0 malware domains TYPE: IOC
Info Successfully compiled 0 malicious handles and 0 regex malicious handles TYPE: IOC
Info Successfully compiled 0 named pipe ioc strings and 0 named pipe ioc regexs TYPE: IOC
Warning No file type signatures compiled, file type detection can't be done.
Because of this, many files won't be scanned.
[...]
Solution
Make sure that you have the ./signatures folder in your THOR program folder and that it contains at least the following files:
- ./signatures/yara/thor-all.yas
- ./signatures/yara/thor-deepscan-selectors.yasx
- ./signatures/yara/thor-expensive.yase
- ./signatures/yara/thor-keywords.yas
- ./signatures/yara/thor-log-sigs.yas
- ./signatures/yara/thor-meta.yas
- ./signatures/yara/thor-process-memory-sigs.yas
- ./signatures/yara/thor-registry.yas
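An added example (not part of the original article and not THOR's own tooling): a Python pre-flight check that lists which of the files above are missing from a THOR program folder, and that flags init output in which a signature set was compiled with 0 entries. The function names and the regex-based parsing of the console lines are assumptions based on the excerpt shown under Issue.

```python
import re
from pathlib import Path

# Required files as listed in the Solution section of this article.
REQUIRED = (
    "thor-all.yas", "thor-deepscan-selectors.yasx", "thor-expensive.yase",
    "thor-keywords.yas", "thor-log-sigs.yas", "thor-meta.yas",
    "thor-process-memory-sigs.yas", "thor-registry.yas",
)
# Assumed line shape, taken from the console excerpt in this article.
COMPILED = re.compile(r"Successfully compiled (.+?)\s+TYPE: (\w+)")
COUNT = re.compile(r"(?:^|\band )(\d+)\b")  # ignores "(skipped N ...)"


def missing_signature_files(thor_dir):
    """Return the required files not present in <thor_dir>/signatures/yara."""
    yara_dir = Path(thor_dir) / "signatures" / "yara"
    return [name for name in REQUIRED if not (yara_dir / name).is_file()]


def audit_init_output(text):
    """Report the DEEPSCAN warning and each signature set compiled with 0 entries."""
    empty, loaded = [], 0
    for desc, kind in COMPILED.findall(text):
        total = sum(int(n) for n in COUNT.findall(desc))
        loaded += total
        if total == 0:
            empty.append(f"{kind}: {desc}")
    return {
        "deepscan_warning": "No rules with DEEPSCAN tag found" in text,
        "empty_sets": empty,
        "entries_loaded": loaded,
    }


# Sample lines copied (shortened) from the init output shown in this article.
SAMPLE = """\
Info Successfully compiled 0 default YARA rules TYPE: YARA
Info Successfully compiled 0 meta YARA rules TYPE: YARA
Warning No rules with DEEPSCAN tag found. THOR won't scan any files with YARA rules.
Info Skip sigma initialization, use '--sigma' flag to scan with sigma
Info Successfully compiled 0 STIXv2 indicators (skipped 0 indicators) TYPE: STIX
Info Successfully compiled 0 malware and 0 false positive hashes TYPE: IOC
"""

if __name__ == "__main__":
    report = audit_init_output(SAMPLE)
    print("DEEPSCAN warning:", report["deepscan_warning"])
    for entry in report["empty_sets"]:
        print("empty set ->", entry)
    print("missing files:", missing_signature_files("."))
```

Running the file check before a scan and the log audit afterwards helps catch a scan that completed without any signatures loaded, so that its empty result is not mistaken for a clean one.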