1.1. Supported Operating Systems¶
The operating systems are limited to the set that supports the Microsoft Defender ATP “Live Response” feature. As of the date of this guide it is limited to Windows 10 workstations and Windows 2019 server systems.
Version 1909 or later
Version 1903 with KB4515384
Version 1809 (RS 5) with KB4537818
Version 1803 (RS 4) with KB4537795
Version 1709 (RS 3) with KB4537816
Windows Server 2019 - Only applicable for Public preview
Version 1903 or (with KB4515384) later
Version 1809 (with KB4537818)
For a current version of the list of supported operating systems, check the following page:
1.2. Enable „Live Response“ Feature¶
You need to enable the live response capability in the “Advanced Features” settings page for Workstations and Servers.
1.3. Hardware Requirements¶
The hardware requirements reflect the scan settings of a default scan.
1 CPU Cores
1 GB of RAM
100MB of temporary disk space
2 CPU cores or more
8 GB of RAM or more
Table 1 - Hardware Requirements
Note: THOR uses between 160 and 300 MB of main memory during the investigation, but there are conditions in which the memory usage can exceed this range for a short time. On very weak end systems, enable “soft” mode in THOR Seeds config section.
1.4. Network Connections¶
1.4.1. On Investigated Workstation¶
(note: this FQDN resolves to multiple IP addresses)
1.4.2. Web Proxies¶
Web proxies are supported albeit not fully tested. THOR Seed, the script that retrieves a license and the temporary THOR scanner package is proxy aware and should use the local proxy configuration.