
Runtime in comment is misleading #5

Open
ketumbra opened this issue Nov 29, 2023 · 5 comments

Comments

@ketumbra

# cloudconf: [!]PresetConfig_FullLookback [Full Scan with Lookback] Performs a full disk scan with all modules but only checks elements changed or created within the last 14 days - best for SOC response to suspicious events (5 to 20 min)

Contrary to the runtime comment on L166, L171 implies this is a quick scan when it is really the slowest of the 3 presets, I think.

@redteampanda-ng
Contributor

@ketumbra
Author

Oh, ok. So you'd still expect "FULL with lookback" to be much quicker than "FULL" (no global_lookback, although both have lookback=14)?
I think the comment on line 195 also does not match the value on line 205.
If there's anything we can do here to clarify the distinction between these 2 presets, I think that would be really helpful.
Many thanks

@redteampanda-ng
Contributor

redteampanda-ng commented Apr 30, 2024

Thanks for checking. I changed the values. This was not changed after the commit 73a4463 (or some time around that commit). Can you check if this is clear to you now?

Regarding the runtimes of "Full with lookback" and "Full": "Full" runs a full scan, and the lookback only applies to the Eventlogs. "Full with lookback" also has the flag global-lookback, which also applies the lookback value to other modules (like the Filescan module). It is a bit confusing, but the flags are correct and the times should somewhat reflect that.

By default, lookback only applies to the Eventlog. So the "Full" scan scans every file on your disk, but only events from your Eventlog (created within the last 14 days).
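To make the distinction the maintainer describes concrete, here is an added illustration (not THOR's code, and not from this repository) of the two selection rules: a lookback window that by default restricts only the eventlog module, and a global-lookback switch that extends the same window to the file inventory, keeping a file if it was created or changed inside the window. The file and event records are constructed sample data; the preset names and flag semantics are taken from the thread above.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference point so the constructed sample is deterministic.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample inventory: what a filesystem module and an eventlog
# module might enumerate on a host (paths and IDs are illustrative only).
FILES = [
    {"path": r"C:\Tools\a.exe",   "created": _days_ago(40),  "modified": _days_ago(2)},
    {"path": r"C:\Windows\b.dll", "created": _days_ago(400), "modified": _days_ago(30)},
    {"path": r"C:\Users\u\c.ps1", "created": _days_ago(5),   "modified": _days_ago(5)},
]
EVENTS = [
    {"id": 4624, "created": _days_ago(1)},
    {"id": 4688, "created": _days_ago(10)},
    {"id": 7045, "created": _days_ago(20)},
    {"id": 1102, "created": _days_ago(90)},
]


def within_lookback(ts, lookback_days, now=NOW):
    """True if ts falls inside the last `lookback_days` days relative to `now`."""
    return ts >= now - timedelta(days=lookback_days)


def select_scan_targets(files, events, lookback_days=14, global_lookback=False, now=NOW):
    """Return (files_to_scan, events_to_scan) under the two preset semantics.

    lookback_days alone restricts only the eventlog module (the "Full" behaviour
    described in the thread). global_lookback extends the same window to the file
    inventory: a file is kept if it was created or changed inside the window (the
    "Full with lookback" behaviour). Everything else is scanned regardless of age.
    """
    events_sel = [e for e in events if within_lookback(e["created"], lookback_days, now)]
    if global_lookback:
        files_sel = [
            f for f in files
            if within_lookback(max(f["created"], f["modified"]), lookback_days, now)
        ]
    else:
        files_sel = list(files)  # "Full": every file on disk is examined
    return files_sel, events_sel


def scope_summary(lookback_days=14):
    """Counts of (files, events) each preset would examine, side by side."""
    full = select_scan_targets(FILES, EVENTS, lookback_days, global_lookback=False)
    full_lb = select_scan_targets(FILES, EVENTS, lookback_days, global_lookback=True)
    return {
        "full": (len(full[0]), len(full[1])),
        "full_with_lookback": (len(full_lb[0]), len(full_lb[1])),
    }


if __name__ == "__main__":
    for name, (n_files, n_events) in scope_summary().items():
        print(f"{name:20s} files={n_files} events={n_events}")
```

With the sample data, "full" examines all 3 files but only the 2 events from the last 14 days, while "full_with_lookback" drops the file last changed 30 days ago as well, which is why the global-lookback preset finishes faster on a real disk.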

@ketumbra
Author

ketumbra commented May 5, 2024

Erm, so 'full with lookback' is quicker because it only looks at the last 14 days of any activity, whereas 'Full' looks at the complete available history (except only the last 14 days of event logs)?
Maybe 'full with lookback' could be renamed '2 week history' or 'Full (2 weeks)' and 'full' could be 'Full (no limit)' or similar?
'Lookback' implies to me that it is doing additional searching in older data and thus would be slower.
Anyway, thanks for the clarification.

@redteampanda-ng
Contributor

I agree that the naming could be different. I will forward your suggestions internally and see if we can change the names. The script is used in other parts of our products, and customers might get confused (at first) by the new presets. So I am not sure if we will change the names anytime soon.

For the time being I added a little explanation to the two presets, which I am not sure will make it into the master branch. The reason for that is that we try to communicate to our customers (and to an extent to everyone) that they should: a) never run a script without checking what it does beforehand, and b) understand what the different THOR flags actually do. This also helps ensure that any user of THOR understands what can and cannot be done with THOR.

We have extensive explanations in the --fullhelp of THOR itself, and in our documentation online (which is basically the --fullhelp in "pretty").
