Lastline Analyst and Detonator On-Premises Release Notes

Version 7.14

New features

  • Knowledge Base new interface and workflows
  • Improved Analyst API Authentication
  • Support for changing the primary customer account
  • New search terms in the Knowledge Base interface
  • Update of supported browsers
  • Improved file analysis
  • Improved analysis of password-protected content
  • Accept RFC-2822 encoded emails in Analyst API
  • Run appliance test utility periodically

Knowledge Base new interface and workflows

Users with a Knowledge Base license now have access to a new version of the Knowledge Base interface through the Lastline Analyst Portal's Intelligence Page. With this version, licensed users can, in a few steps, validate Indicators of Compromise (IoCs), enrich these IoCs for greater coverage, and triage and export them for use within their environment.

The Intelligence Page results have been enriched and reorganized to support flexible workflows. Knowledge Base search results are now divided into different tabs for easier navigation and direct access to the information needed:

  • A "Summary" tab providing statistical charts about the results for fast IoC validation.
  • A "Reports" tab providing examples of analysis reports in order to support exploration and drill-downs.
  • A "Threat Profile" tab providing the related malicious activities for a quick assessment of the IoC severity.
  • A "Network IoCs" tab providing enriched lists of related IPs and domains; these lists are completed with reputation information for quick triage and can be directly exported for faster reaction (plain text and STIX formats supported).
  • A "DNS" tab providing DNS information around the query.
  • A "Clustering" tab pointing to similar analysis reports, based on code or dynamic execution similarities, for additional exploration and further enrichment of the original set of IoCs.

All these new features, as well as the rich set of information returned by the interface, are described in detail in the Lastline Portal Guide.

Improved Analyst API Authentication

This release enables users of the Analyst API to use Session IDs as an alternative to authenticating with an API Key and Token embedded in each request. There is no plan to deprecate the existing behavior (the new mechanism is designed to be fully backward compatible), but clients should consider switching to the improved authentication mechanism.

The Analyst API documentation contains a detailed description of this change.

Support for changing the primary customer account

Before this release, changing the primary customer email, as displayed in the License Information View, required contacting Lastline support.

With this release, the primary customer email can be changed in the Portal by selecting an existing administrator account as the new primary one while editing the account under the All Accounts View. Please note that this operation needs to be performed on the hosted Lastline portal rather than on the On-Premises appliance's UI.

This improvement is tracked internally as FEAT-1510.

New search terms in the Knowledge Base interface

The Knowledge Base interface now supports two additional search terms, accessible through the Intelligence Page:

  • Users can now search for HTTP user-agents when dealing with malware using suspicious or masquerading user-agents.

  • Users can now search by TLS certificate fingerprint when dealing with malware that uses TLS-secured communications for its C&C.

Update of supported browsers

With this release, we are updating the list of supported browsers to the following:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer 11
  • Apple Safari

This removes support for Microsoft Internet Explorer versions 9 and 10, since Microsoft Windows Vista has reached end of extended support. Windows Vista was the last desktop OS on which Internet Explorer versions below 11 were still supported by Microsoft.

Improved analysis of password-protected content

With this release, we are extending the support for password-protected content. The password provided as part of a file submission using the submit_file API function (previously used only for archive decryption) is now used for more file types, including Microsoft Office documents.

Additionally, we have extended this function to accept more than one password using the "password_candidates" parameter. This is useful when the caller does not know the password but can narrow down the set of possible entries to a small list of candidates.

Accept RFC-2822 encoded emails in Analyst API

Starting with this release, the Lastline Analyst API accepts RFC-2822 encoded email messages for analysis. Similar to the handling in the Lastline Enterprise Sensor appliance, submitted emails are analyzed for suspicious content, and any email attachments that are found to be suspicious are extracted and analyzed as child tasks of the originally submitted email. This improvement is tracked internally as FEAT-1118 and FEAT-865.
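As an added illustration (not Lastline code), the following Python example parses an RFC 2822 message with the standard library and lists its attachments with their type, size and SHA-256, which is the set of objects a pipeline like the one described above would hand off as child tasks. The sample message is constructed inline; the attachment payload is arbitrary bytes, not a real sample.

```python
"""Added example: extract attachments from an RFC 2822 message (stdlib only)."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_email() -> bytes:
    """Constructed RFC 2822 message with a text body and one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached document.")
    # Constructed payload: an 'MZ' prefix followed by 1024 filler bytes.
    payload = b"MZ" + bytes(range(256)) * 4
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_attachments(raw: bytes) -> list:
    """Return one record per attachment; each would become a child analysis task."""
    msg = message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, EmailMessage):   # nested message/rfc822 attachment
            data = data.as_bytes()
        elif isinstance(data, str):          # text/* attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        records.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return records


if __name__ == "__main__":
    for rec in extract_attachments(build_sample_email()):
        print(rec)
```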

Run appliance test utility periodically

The existing lastline_test_appliance utility is now configured to run periodically to check the appliance's status. Any issues detected by that utility are reported to our backend so they are visible in the appliance monitoring logs view of the portal, and are included, where appropriate, in the appliance status notifications that the user has configured.

This can help to proactively detect a wide variety of error conditions on an installation. This improvement was tracked internally as FEAT-500.

Bug fixes and improvements

  • Added get_pending function for retrieving pending submissions via the Analyst API
  • Improve the analysis of URLs fetched by PDF files via the app.launchURL API
  • Improve the analysis of JavaScript files that use the Blob API to drop additional artifacts. In particular, the determination of the file type of the dropped file has been improved, leading to potentially more precise analysis results
  • Improve the export of analysis reports to PDF/RTF for Flash files submitted for analysis
  • Fix missing screenshots in export of analysis report to PDF/RTF
  • Fix truncation of authenticode-signer information in analysis overview
  • Fix export of analysis report activities (strip and suppress internal data)
  • Fix download of analysis report artifact
  • Fix missing analysis subject metadata in analysis reports
  • Allow configuration of multiple NTP servers in lastline_setup.
  • FEAT-1470: In UI for submitting files for analysis, clarify what analysis will be performed on submission of a PCAP file.
  • FEAT-1596: Add "Minimum impact" filter in monitoring logs view. Set it to 30 to view all Warning and Error messages only.
  • USER-2295: In intelligence tab, add a clear search icon to the search bar.
  • CC-1665: Improved diagnostic output in lastline_test_appliance for processes with abnormally high CPU usage.
  • LLFILE-349, MALS-2134: Improve support of LZMA archives.
  • FEAT-1682: Display status of the Analysis Traffic (AnonVPN) Routing in the web portal under "Appliance Status".
  • LLAM-2174, LLAM-2175: Extract more static information (entropy and byte distribution) from memory of PE analysis subjects inside the sandbox.
  • MALS-2191: Improved handling of archives with non-UTF8 passwords.
  • MALS-2161: Improved handling of archives containing files using non-UTF8 filenames.
  • MALS-2155: Improved handling of gzip archives by deriving content filenames from original archive filename.
  • MALS-2170: Include information on analysis environment in analysis reports exported as PDF or RTF.
  • MALS-2126: Allow specifying multiple password candidates for archives submitted for analysis via the submit_file function (see parameter "password_candidates").
  • MALS-2143: Allow "low priority" submissions via the Analyst API. This allows submitting large batches of URLs and files with reduced impact on the overall throughput of the analysis queue.
  • FEAT-1228: If the AnonVPN Analysis Traffic Routing is configured in honeypot mode, the portal will now display a warning and disable URL submissions.
  • LLWEB-1701: Improved extraction of JavaScript from PDF files.
  • LLWEB-903: Improved detection of ROP-based shellcode.
  • LLWEB-1707: Improved handling of web responses with content type "application/hta".
  • CC-1946: Prevent lastline_test_appliance from hanging in case of unstable network connection.
  • SENT-610: Prevent OS update performed after first registration from hanging.
  • CC-1953: Do not use OPTIONS method when testing connectivity to https proxy.
  • Multiple improvements in error reporting during appliance installation.
  • CC-1868: Fix a bug that could cause some new ANALYST appliance versions to not become available for manual upgrade from the UI.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On Premise:

  • Lastline Analyst version 725