1. Requirements

1.1. Supported Operating Systems

The operating systems are limited to the set that supports the Microsoft Defender for Endpoint "Live Response" feature.

Table 1 - Supported Operating Systems

Operating System	Version
Windows 10 & 11	Version 1909 or later
	Version 1903 with KB4515384
	Version 1809 (RS 5) with with KB4537818
	Version 1803 (RS 4) with KB4537795
	Version 1709 (RS 3) with KB4537816
macOS	Minimum required version: 101.43.84. Supported for Intel-based and ARM-based macOS devices.
Linux	Minimum required version: 101.45.13
Windows Server 2012	R2 with KB5005292
Windows Server 2016	with KB5005292
Windows Server 2019	Version 1903 or (with KB4515384) later
	Version 1809 (with KB4537818)
Windows Server 2022

For a current version of the list of supported operating systems, check the following page.

1.2. Enable "Live Response" Feature

You need to enable the Live Response capability in the "Advanced Features" settings page for Workstations and Servers.

Additionally, you need to change the Live response unsigned script execution option in the same page, which allows you to run unsigned [1] scripts in a live response session.

[1]

thor-seed.ps1 is an unsigned powershell script

Hint

We recommend that you sign your scripts with a code signing certificate to avoid the need to change this setting.

1.3. Hardware Requirements

The hardware requirements reflect the scan settings of a default scan.

Table 2 - Hardware Requirements

Minimum	Recommended
1 CPU Core	2+ CPU Cores
1 GB of RAM	8+ GB of RAM
100 MB of temporary Disk Space

Hint

THOR uses between 160 and 300 MB of main memory during the investigation, but there are conditions in which the memory usage can exceed this range for a short time. On very weak end systems, enable "soft" mode in THOR Seeds config section.

1.4. Network Connections

For a detailed and up to date list of our update and licensing servers, please visit https://www.nextron-systems.com/hosts/.

1.4.1. On Investigated Workstations

Table 3 - Remote Hosts

Variant	Remote Host	Port
THOR Seed	cloud.nextron-systems.com	443/tcp
THOR Cloud	thor-cloud.nextron-services.com	443/tcp

Hint

Above FQDNs resolve to multiple IP addresses. See https://www.nextron-systems.com/hosts/.

1.4.2. Web Proxies

Web proxies are supported albeit not fully tested. THOR Seed, the script that retrieves a license and the temporary THOR scanner package is proxy aware and should use the local proxy configuration.