3. Start a THOR Scan
3.1. Start a Live Response Session
Several locations in Microsoft Defender Security Center allow you to initiate a Live Response session.
3.2. Upload THOR Seed
Use the button in the upper right corner of the window to upload “thor-seed.ps1” into the Live Response script library.
Make sure to check “Overwrite file” to replace an older version of THOR Seed in your library.
3.3. Run THOR Seed
After uploading THOR Seed to the Live Response script library, you can start the script with the “run” command.
3.4. Interrupted THOR Seed Sessions
Microsoft Defender Security Center limits a script to a maximum run time of 30 minutes and then terminates it. The child process “thor64.exe” that the script started, however, keeps running in the background.
3.4.1. Check the Scan Status
In THOR Seed versions before v0.18, it was difficult to get the status of the THOR scan running in the background, or to find the log files that THOR writes during the scan and the HTML report that it generates at the end of the scan.
Users can check whether THOR is still running with
processes -name thor64.exe
Since THOR Seed version 0.18 you simply run thor-seed.ps1 again: it reports that THOR is still running, where to find the current log file, and the last 3 lines of that log file.
You can run the script as often as you like to get information on the current status of the scan. A normal scan takes between 20 and 180 minutes to complete.
3.4.2. Detect a Finished Scan
When you run “thor-seed.ps1” after “thor64.exe” has finished its job in the background, you get a listing of all generated log files and HTML reports in the output directory, together with the commands to download them and to remove them from the end system.
The output lists three actions to proceed with:
- Retrieve the available log files and HTML reports: getfile "C:\ProgramData\Microsoft\Windows Defender Advanced…
- Clean up the output directory: run thor-seed.ps1 -parameters "-Cleanup"
- Start a new THOR scan: run thor-seed.ps1
3.5. Retrieve the Results
The output of THOR Seed already contains the right commands to download a report after the scan has finished.
Simply copy and paste the full “getfile” command line to retrieve the HTML report.
getfile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\client-atp-01_thor_2021-02-02_1817.html"
In order to run another THOR scan, you have to remove all previous log files and HTML reports using the following command:
run thor-seed.ps1 -parameters "-Cleanup"
After removing the text logs and HTML reports you can start a new scan on this end system.
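The status logic described in sections 3.4 and 3.5 (is thor64.exe still running, which log is current, which results can be fetched, and the -Cleanup step) can be reproduced in a small PowerShell script. The following is an added illustration, not THOR Seed's own code. It assumes that THOR writes its text logs as *.txt and its HTML reports as *.html files containing "_thor_" in the name into the Live Response download directory shown above; the directory path comes from the page, the file-name patterns and the function names are assumptions.

```powershell
# Added illustrative status checker (not THOR Seed's own code).
# Assumptions: THOR logs end in .txt, reports end in .html, both contain
# "_thor_" in the name, and the script is launched via "run" from a
# Live Response session so that "-parameters "-Cleanup"" reaches $Cleanup.
param(
    [switch]$Cleanup
)

# Download directory used by Live Response on the endpoint (path from the page).
$OutputDir = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads'

function Get-ThorProcess {
    # First running thor64.exe process, or $null if the scan has finished.
    Get-Process -Name 'thor64' -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Get-ThorArtifacts {
    param([string]$Dir)
    # Logs and reports produced by THOR, newest first (assumed naming pattern).
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*_thor_*' -and $_.Extension -in '.txt', '.html' } |
        Sort-Object LastWriteTime -Descending
}

if ($Cleanup) {
    # Mirrors "run thor-seed.ps1 -parameters "-Cleanup"": remove old results
    # so that the next scan starts from an empty output directory.
    $old = Get-ThorArtifacts -Dir $OutputDir
    $old | Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Output "Removed $($old.Count) previous THOR log/report file(s) from $OutputDir"
    return
}

$proc      = Get-ThorProcess
$artifacts = Get-ThorArtifacts -Dir $OutputDir

if ($proc) {
    # Scan still in progress: show where it logs and the last three lines.
    Write-Output "THOR is still running (thor64.exe, PID $($proc.Id))."
    $log = $artifacts | Where-Object { $_.Extension -eq '.txt' } | Select-Object -First 1
    if ($log) {
        Write-Output "Current log file: $($log.FullName)"
        Write-Output 'Last 3 log lines:'
        Get-Content -Path $log.FullName -Tail 3
    }
    return
}

if ($artifacts) {
    # Scan finished: print ready-to-paste Live Response commands.
    Write-Output 'THOR has finished. Retrieve the results with:'
    foreach ($f in $artifacts) {
        Write-Output ('  getfile "{0}"' -f $f.FullName)
    }
    Write-Output 'Clean up the output directory before the next scan with:'
    Write-Output '  run thor-seed.ps1 -parameters "-Cleanup"'
} else {
    Write-Output 'No running thor64.exe and no previous results found. Start a scan with: run thor-seed.ps1'
}
```

Because a Live Response script is terminated after 30 minutes while thor64.exe keeps running, re-running a lightweight checker like this is the intended way to poll the scan; it never waits on the process itself, so each invocation returns within seconds.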