• Separate loki-upgrader.exe (loki-upgrader.py) that allows upgrading the loki.exe program executable
• Preparations for 3rd generation file name signature format

LOKI Upgrader

The upgrader allows upgrading program and signature files. The --update parameter in previous versions did only update the signature-base subdirectory. The upgrader is provided as separate script/program so that file locks on Windows systems do not interfere with upgrading the loki.exe program executable.

You can use the upgrader separately or start LOKI with the --update parameter. Using the --updateparameter will spawn a new loki-upgrader process and exit the loki process in order to update the program files.

usage: loki-upgrader.py [-h] [-l log-file] [--sigsonly] [--progonly] [--nolog]
                        [--debug]

Loki - Upgrader

optional arguments:
  -h, --help   show this help message and exit
  -l log-file  Log file
  --sigsonly   Update the signatures only
  --progonly   Update the program files only
  --nolog      Don't write a local log file
  --debug      Debug output

3rd Generation File Name Signature Format

The new format extends the existing format by a third column that allows to include a regular expression to filter the matches.

This allows to define signatures for suspicious file locations, e.g.:

Regex;Score;False Positive Regex

\\ncat\.exe;70;\\(bin|sbin)\\ncat\.exe
(?i)\\MsMpEng\.exe;60;(?i)\\(Microsoft Security Client|Windows Defender|AntiMalware)

The first signature matches on ncat.exe files that are NOT located in bin or sbin folders. The second one matches on all MsMpEng.exe executables found outside the three folders defined in the false positive expression.

This is a great method to detect anomalies as e.g. legitimate and signed program executables used in DLL side-loading or legitimate system file names in uncommon folders. Check @mbevilacqua's post on threat hunting and his AppCompatProcessor Repo for interesting ideas on suspicious executable file locations.

The problem with the 3rd generation file name signatures is that LOKI versions older than v0.21.0 will process the first two columns only and ignore the regular expression filter in the 3rd column. I therefore withhold some new signature updates for 'signature-base' in order to give everyone time to upgrade the LOKI version that they are using. I'll also include a notice for the new signatures that recommends upgrading the pre-0.21.0 versions of LOKI.

• Increased the default for the maximum file size

• Bugfix: Unicode decode error in rootkit check
• Pushed source code changes from the 0.20.0 release

• Double Pulsar Rootkit Check provided by @jukelennings @countercept https://github.com/countercept/doublepulsar-detection-script
• Double Pulsar XOR key calculation provided by @FireFart
• Bugfix: Result messages noting suspicious indicators caused by outdated/non-existent signatures

• Shows new signature files during the update process

[INFO] Retrieving signature database from git repo https://github.com/Neo23x0/signature-base
[INFO] Downloading https://github.com/Neo23x0/signature-base/archive/master.zip ...
[INFO] New signature file: apt_servantshell.yar
[INFO] Update successful

• Fixed the Update / Signature Download Routine

Bugfix Release

• Fixes Unicode bugs in command line output

New 0.18.1

• now provided as release package with automatic signature-base initialisation
• Removed 'loki.exe' from source repository

From 0.18.0

• Consolidated file scan message lines
• New combined score on file scan events (only shows one event per
  matched file
• New result line with total of alerts, warnings and notices
• File modification time stamps MAC
• File size
• set custom message type levels (e.g. -a 300 to generate an alert with
  score 300 or higher)
• Log lines in file output contain the message type (e.g. LOKI:
  Warning: ...)

• Massively improved speed

• first release
• stable version

DISCLAIMER
Use on your own risk in production environments!
There are some files and directories that should not be read by scanners like LOKI. Those folders and files receive a special treatment by THOR and are not automatically excluded or skipped by LOKI.

Please see the following links for more details:

Windows
https://support.microsoft.com/en-us/kb/822158
Citrix
https://www.citrix.com/blogs/2013/09/22/citrix-consolidated-list-of-antivirus-exclusions/
Other 3rd party products
https://esupport.trendmicro.com/solution/en-US/1059795.aspx