Question 1

Is Loki still maintained in 2024?

Accepted Answer

No, Loki is deprecated and in inactive maintenance mode. The author recommends using THOR Lite or LOKI-RS for better performance and ongoing support, as stated in the README's important note.

Question 2

How to add custom YARA rules to Loki?

Accepted Answer

Place .yar files in the './signature-base/yara' folder, and Loki will initialize them during scans. The README's Signature and IOCs section explains the format and scoring for user-defined rules.

Question 3

Loki vs THOR Lite: which is better for incident response?

Accepted Answer

THOR Lite is faster, more stable, and actively maintained, making it superior for most cases. Loki is simpler and portable but deprecated, so THOR Lite is preferred for production use, per the author's comparison.

Question 4

Can Loki scan network drives on Windows?

Accepted Answer

Yes, use the '--alldrives' flag to scan all drives including network drives, as mentioned in the usage options. However, performance may vary, and administrative privileges are recommended.

Question 5

What causes false positives in Loki scans?

Accepted Answer

False positives can arise from legitimate system files or software matching IOCs. The README advises verifying findings via VirusTotal and reporting issues, with examples in the screenshots section.

Question 6

How to compile Loki from source on Linux?

Accepted Answer

Set up a Python virtual environment, install dependencies like yara-python and psutil, then run the scripts as per the 'Use LOKI on Mac OS X or Linux' section. It requires manual steps and can be complex.

LOKI

What is LOKI?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions