Generic.Scanner.ThorZIP Error

Hey,

strange error (?) here, but perhaps I am doing something wrong. So some facts first:

Velocerator Version: 0.7.0-2 Client OS : Ubuntu 22.04

So if I upload the original zip file thor10.7lite-linux-pack.zip as I downloaded from your servers and start a hunt everything looks good so far except thor is complaining about the missing licence file.

Logs:

[WARNING] 2023-11-30T19:26:19Z Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on /tmp/VQL_Unzip_.jsonl587523809 which will be much slower.
[INFO] 2023-11-30T19:26:21Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":115,\"MaxSize\":1073741874,\"AvailableBytes\":57,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-30T19:26:21Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":585,\"MaxSize\":1073741874,\"AvailableBytes\":519,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-30T19:26:21Z Sender: Connected to https://velo.xx.xxxx.com:8000/control after waiting for limiter for 20.383µs
[DEBUG] 2023-11-30T19:26:21Z Connection Info {"IdleTime":0,"LocalAddr":{"IP":"10.0.100.53","Port":34640,"Zone":""},"Reused":true,"WasIdle":false}
[INFO] 2023-11-30T19:26:21Z Sender: sent 1011 bytes, response with status: 200 OK after 8.913805ms, waiting for server messages
[INFO] 2023-11-30T19:26:21Z Sender: received 626 bytes in 12.281955ms
[INFO] 2023-11-30T19:26:23Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":115,\"MaxSize\":1073741874,\"AvailableBytes\":57,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-30T19:26:23Z shell: Running external command [/tmp/tmp1836198954/thor-lite-linux-64 --json -e /tmp/tmp1836198954]
[INFO] 2023-11-30T19:26:23Z Sender: Connected to https://velo.xx.xxxxx.com:8000/control after waiting for limiter for 4.846µs
[DEBUG] 2023-11-30T19:26:23Z Connection Info {"IdleTime":0,"LocalAddr":{"IP":"10.0.100.53","Port":34640,"Zone":""},"Reused":true,"WasIdle":false}
[INFO] 2023-11-30T19:26:23Z Sender: sent 706 bytes, response with status: 200 OK after 16.990849ms, waiting for server messages
[INFO] 2023-11-30T19:26:23Z Sender: received 626 bytes in 35.55152ms

Result:

{"time":"2023-11-30T19:26:23Z
","hostname":"server03","level":"Error","module":"Init","message":"No valid license file found","scanid":"S-8bEotuRxCy0","log_version":"v1.0.0"}

So I unziped the original thor10.7lite-linux-pack.zip copy the licence file into the folder and rezip and upload it again. But now the thor executable is not found.

Logs:

[INFO] 2023-11-30T19:37:00Z Sender: Connected to https://velo.xx.xxxxxx.com:8000/control after waiting for limiter for 4.014µs
[DEBUG] 2023-11-30T19:37:00Z Connection Info {"IdleTime":0,"LocalAddr":{"IP":"10.0.100.53","Port":34640,"Zone":""},"Reused":true,"WasIdle":false}
[INFO] 2023-11-30T19:37:00Z Sender: sent 1027 bytes, response with status: 200 OK after 59.964077ms, waiting for server messages
[INFO] 2023-11-30T19:37:00Z Sender: received 626 bytes in 80.082987ms
[WARNING] 2023-11-30T19:37:01Z Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on /tmp/VQL_Unzip_.jsonl1931902793 which will be much slower.
[INFO] 2023-11-30T19:37:02Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":115,\"MaxSize\":1073741874,\"AvailableBytes\":57,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-30T19:37:02Z File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":369,\"MaxSize\":1073741874,\"AvailableBytes\":303,\"LeasedBytes\":0}","leased_pointer":50}
[INFO] 2023-11-30T19:37:02Z shell: Running external command [/tmp/tmp773096791/thor-lite-linux-64 --json -e /tmp/tmp773096791]
[INFO] 2023-11-30T19:37:02Z shell: fork/exec /tmp/tmp773096791/thor-lite-linux-64: no such file or directory

What is the right way to transfer the licence file to the client?

Thanks for your good work. hag

NextronSystems / velociraptor-artifacts-thor

Generic.Scanner.ThorZIP Error #3