explaingit

neo23x0/loki

3,753 · Python · Audience: ops, devops · Complexity: 2/5 · Setup: easy

TLDR

Loki is a free malware scanner for Windows and Linux that checks files, running processes, and network connections against known threat signatures using YARA rules, file hashes, and IOC lists, built for incident responders and forensic investigators.

Mindmap

mindmap
  root((loki))
    What It Does
      Scans files and paths
      Checks process memory
      Matches network connections
      Color-coded triage output
    Detection Methods
      YARA rules
      File hash database
      Filename patterns
      C2 server list
    Use Cases
      Incident response
      Forensic sweeps
      Threat hunting
    Tech Stack
      Python
      YARA
      Windows executable
    Status
      Deprecated Python build
      Rust rewrite planned
      THOR Lite alternative


Things people build with this

USE CASE 1

Sweep a compromised Windows or Linux server for known malware during an incident response engagement without installing antivirus.

USE CASE 2

Run YARA-based detection across a file system to hunt for attacker tools or implants matching known signatures.

USE CASE 3

Add custom IOC files and YARA rules to the signatures folder so Loki automatically picks them up on the next scan.

USE CASE 4

Triage a suspected system quickly using pre-built signatures and color-coded results before escalating to deeper forensic analysis.

Tech stack

Python, YARA

Getting it running

Difficulty · easy Time to first run · 30min

Run the built-in updater to download signatures before the first scan. No Python install is needed on Windows when using the pre-built executable.

License terms are not stated in this explanation; check the repository directly.

In plain English

Loki is a scanner that checks files and running processes on a Windows or Linux computer for signs of malware or attacker activity. It was built for incident response and forensics work, where an investigator needs to sweep a system for known threats without installing a full antivirus product.

The tool uses four detection methods. It checks file names and paths against a list of patterns associated with malware. It runs YARA rules, pattern-matching signatures widely used in the security industry, against file contents and running process memory. It compares file hash values (MD5, SHA1, SHA256) against a database of known malicious files. It also compares the active network connections of processes against a list of known command-and-control server addresses. Results are color-coded green, yellow, or red so investigators can quickly triage findings.

Loki ships with a pre-built Windows executable, so no Python installation is required on the target machine. Signatures are stored in a separate sub-repository and can be updated by running a built-in updater. Custom YARA rules and IOC files can be added to the signatures folder, and Loki will pick them up automatically on the next run.

The README is direct about the project's current status: the Python version of Loki is officially deprecated and no longer actively developed. The author built a faster commercial scanner called THOR (with a free tier called THOR Lite) and is separately working on a Rust rewrite called Loki 2. The README includes a flow chart to help users decide which scanner fits their situation. For teams that already have Loki integrated into their workflows, it still runs and the author merges bug-fix pull requests. For new deployments, the README points toward the Rust rewrite or THOR Lite as better alternatives.
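The triage pipeline described above, modelled as an added Python example that is not code from the neo23x0/loki repository: it applies constructed filename-pattern, hash and C2-address IOCs to a constructed scan target and maps the resulting scores to the green/yellow/red colors. The YARA step is left out because it needs the yara-python module; all IOC values, per-match scores and color thresholds here are assumptions, not Loki's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed IOCs (not Loki's real signatures): the hash is derived from a
# constructed byte string; the C2 address is from the TEST-NET-3 range.
MALICIOUS_CONTENT = b"constructed sample: not real malware"
HASH_IOCS = {hashlib.sha256(MALICIOUS_CONTENT).hexdigest(): "constructed-sample"}
FILENAME_IOCS = [(re.compile(r"(^|/)temp/[^/]+\.exe$", re.I), 40, "exe in temp dir")]
C2_IOCS = {"203.0.113.45": "constructed-c2"}

def color_for(score):
    """Assumed thresholds: >= 60 red (alert), >= 40 yellow (warning), else green."""
    if score >= 60:
        return "red"
    return "yellow" if score >= 40 else "green"

def score_file(path):
    """Score one file: each filename-pattern hit adds its points, a hash hit adds 100."""
    score, reasons = 0, []
    posix = Path(path).as_posix()
    for pattern, points, label in FILENAME_IOCS:
        if pattern.search(posix):
            score, reasons = score + points, reasons + [f"filename: {label}"]
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    if digest in HASH_IOCS:
        score, reasons = score + 100, reasons + [f"hash: {HASH_IOCS[digest]}"]
    return score, reasons

def score_connection(remote_ip):
    """A process connection to a listed C2 address is scored as an immediate alert."""
    return (100, [f"c2: {C2_IOCS[remote_ip]}"]) if remote_ip in C2_IOCS else (0, [])

def triage_demo():
    """Scan a constructed target tree and two constructed connections; return {item: color}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        temp = Path(root) / "temp"
        temp.mkdir()
        (temp / "dropper.exe").write_bytes(MALICIOUS_CONTENT)  # hash + filename hits
        (temp / "unknown.exe").write_bytes(b"no known hash")    # filename hit only
        (Path(root) / "notes.txt").write_bytes(b"benign")       # no hits
        for f in sorted(p for p in Path(root).rglob("*") if p.is_file()):
            results[f.name] = color_for(score_file(f)[0])
    for ip in ("203.0.113.45", "192.0.2.1"):
        results[f"conn:{ip}"] = color_for(score_connection(ip)[0])
    return results
```

Because a hash hit alone scores 100, a known-bad file is red even when its name looks innocuous, while a name-pattern hit alone only reaches yellow; that ordering is what makes the colors useful for prioritising which findings to inspect first.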

Copy-paste prompts

Prompt 1
Using Loki, how do I add a custom YARA rule file to the signatures folder and verify it triggers on a test file during a scan?
Prompt 2
Walk me through what Loki's red, yellow, and green result colors mean and how to prioritize findings after running a scan.
Prompt 3
I want to update Loki's signatures to the latest version, show me the exact command to run the built-in updater.
Prompt 4
Compare Loki (deprecated Python), THOR Lite, and the Loki 2 Rust rewrite: which should I use for a new incident response workflow?
Prompt 5
Write a PowerShell one-liner that runs Loki against C:\Users, saves the output log to a timestamped file, and alerts if any red findings are found.


Verify against the repo before relying on details.