Standard THOR signatures are typically updated once a week, usually between Monday and Tuesday. These updates undergo a testing procedure involving both automated checks and review by our QA Team. This process ensures stability and minimizes false positives.
However, in critical situations where immediate detection is required, we offer the SigDev (Signature Development) release channel. This article explains how to use it for your scans.
What is the SigDev Release?
The SigDev channel provides access to the latest signatures immediately after automated testing, bypassing manual QA. We do not recommend scanning with this rule set unless you have been instructed to do so or are responding to a current threat. SigDev is suited to scanning with signatures that are due to move into production use soon.
Benefit: Immediate coverage for the absolute latest threats and vulnerabilities.
Risk: Because these signatures have not been manually verified by our QA team, there is a slightly higher risk of operational issues or an increased false positive rate.
Option 1: Enabling SigDev in ASGARD Management Center
If you manage THOR via the ASGARD Management Center, you can enable SigDev signatures through the global settings.
- Navigate to Settings > Advanced.
- Enable the option "Show Signature SigDev Option".
- Once enabled, navigate to Add Scan.
- In the "Signatures" dropdown menu, you can now select "THOR Signatures SigDev".
Option 2: Enabling SigDev for Standalone THOR
If you are using THOR as a standalone application, you can switch to the SigDev signature set using the thor-util helper tool.
Run the following command in your terminal:
thor-util upgrade --sigdev
To reset the signature set to the latest stable version, run:
thor-util update --force