Lastline Analyst and Detonator On-Premises Release Notes

Version 7.15

New features

  • Show warning when downloading analyzed file
  • Adjust error reporting verbosity of appliance test utility
  • Show license status in appliances UI
  • New timeline tab in Intelligence search results
  • Improved example queries in Intelligence search page
  • Portal is now a one-page-app
  • Support appliance upgrade in UI as soon as new release is available
  • File analysis improvements
  • URL analysis improvements
  • Bug fixes and improvements

Show warning when downloading analyzed file

The Portal now shows a warning the first time a user attempts to download a file that was submitted for analysis. The warning advises the user that the file is potentially malicious and should be handled with care.

This improvement was tracked as FEAT-2022.

Adjust error reporting verbosity of appliance test utility

With the previous release, 7.14, the existing lastline_test_appliance utility was configured to run periodically on appliances to check the appliance's status. Any issues detected by that utility are reported to our backend so that they are visible in the appliance monitoring logs view of the portal, and are included as appropriate in the appliance status notifications that the user has configured.

This helps to proactively detect a wide variety of error conditions on an installation. This change, however, revealed some issues in the error reporting verbosity of the test utility, which have been resolved with this release:

  • FEAT-2012: lack of sniffing interfaces is no longer considered an error on sensors where sniffing is disabled, such as mail-only sensors.
  • CC-1940: the "SOFTWARE:heavy_processes" check which detects processes with extremely high CPU usage has been downgraded from error to warning.
  • CC-1928: errors and warnings about a hardware configuration that does not comply with the minimum requirements for our software have all been downgraded to warnings with impact level 30. This is lower than the impact level of other warnings, which start at 40. To receive appliance status notifications but exclude the hardware requirement issues reported by lastline_test_appliance, users can configure a notification threshold of 35.

Show license status in appliances UI

The appliance overview and status pages now display information on the validity of an appliance's license. If an appliance's license is expired, or a sensor's subkey is inactive, the appliance's overall status will be set to "License expired".

Furthermore, if an appliance's license will expire in the next 15 days, the appliance's overall status will be "License expires soon".

This improvement was tracked internally as FEAT-1892.

New timeline tab in Intelligence search results

The results of a search in the Intelligence tab now include an additional "Timeline" tab. This displays the timeline of analysis runs where specific search terms were encountered. This is applicable for search terms that are:

  • domains
  • IP addresses
  • file hashes
  • threat names

This improvement was tracked internally as FEAT-1742.

Improved example queries in Intelligence search page

With this release, we are improving the example queries provided in the Intelligence search page:

  • Example queries can now be updated frequently by Lastline to reflect new malware trends.
  • Example queries are now easier to find, rather than hidden under "Advanced Search".
  • The expanded list of example queries now includes a description of each example, explaining why it can be an interesting query.

This improvement was tracked internally as FEAT-1816.

Portal is now a one-page-app

The Lastline Portal UI is now a single-page web application. What this means for users is faster load times when switching between tabs that were previously separate applications. This improvement was tracked internally as FEAT-1677.

Support appliance upgrade in UI as soon as new release is available

Starting from this release, customers are able to upgrade their appliances in the Appliances tab of the portal as soon as a new release is announced.

Before this release, customers could only do this after Lastline had triggered auto-upgrade for the release.

This change allows customers who want to get access to the new version earlier to do that.

This improvement was tracked internally as FEAT-423.

File analysis improvements

  • LLFILE-359: Improvements to the file type detection accuracy of Microsoft Powerpoint Slideshow files.
  • LLFILE-344: Improvements to the file type detection of MSI installer packages.
  • LLADOC-388: Improvements to the file type detection for data/scripts embedded in documents.
  • SIGREPSCAN-276/277: Improvements to the detection of stalling/download activity using system utilities.
  • LLADOC-355: Improvements to the detection of ROP-based document exploits.
  • LLADOC-378: Improvements to the detection of EPS-based document exploits.
  • LLADOC-386: Improvements to the extraction of URLs embedded in Microsoft Office documents.
  • LLADOC-401: Improvements to the extraction of Macro content from Microsoft Office documents.

We have made enhancements to the detection of

  • SIGLOGSCAN-185 installing hooks.
  • SIGREPSCAN-255 document exploits via non-ASLR libraries.
  • SIGREPSCAN-307 LLADOC-392 LLADOC-419 LLADOC-428 document exploits via remote OLE objects.
  • LLADOC-425 hidden action events in Microsoft Powerpoint files.
  • LLADOC-422 scripts embedded in documents.
  • LLADOC-408 LLADOC-411 obfuscated, embedded EPS images.
  • ANREV-3807 ANREV-3808 spambots.
  • ANREV-3899 SIGREPSCAN-157 ransomware behavior.
  • ANREV-3845 JavaScript embedded in PDF files.
  • ANREV-3901 ANREV-3902 SMB exploit code.
  • LLADOC-355 LLADOC-378 LLADOC-387 LLADOC-402 ROP shellcode.
  • LLADOC-374 LLADOC-393 environment-specific Microsoft Office macro code.
  • LLADOC-388 LLADOC-403 embedded script code in Microsoft Office documents.
  • LLADOC-407 anomalous macros using system utilities.
  • SIGLOGSCAN-173 SIGLOGSCAN-187 document exploits via harmful CLSIDs.
  • SIGLOGSCAN-183 SIGLOGSCAN-184 code/thread injection.
  • SIGLOGSCAN-186 VM fingerprinting behavior.
  • SIGLOGSCAN-190 extraction of email addresses from Microsoft Outlook.
  • SIGLOGSCAN-193 network scanning behavior.
  • SIGLOG-40 searching for AV products.
  • SIGREPSCAN-159 SIGREPSCAN-284 anomalous script invocations.
  • SIGREPSCAN-252 SIGREPSCAN-272 SIGREPSCAN-308 UAC bypass.
  • SIGREPSCAN-264 enumeration of security products via WMI.
  • SIGREPSCAN-271 disabling Microsoft Word recovery features.
  • SIGREPSCAN-276 SIGREPSCAN-277 abuse of system utilities (such as waitfor.exe and bitsadmin.exe).
  • SIGREPSCAN-301 using GEO location services.

and improved the reliability of

  • LLADOC-391 extracting OLE streams from Microsoft Office documents.
  • LLADOC-392 LLADOC-395 LLADOC-401 extracting URLs from Microsoft Office documents.
  • LLADOC-404 LLADOC-414 MALS-375 Ole10Native stream analysis.
  • LLADOC-413 WordProcessingML handling.
  • LLAM-2806 MALS-2162 MALS-2137 generating program bundles from archives.

URL analysis improvements

  • LLWEB-1690: Improvements to the handling of resources downloaded via the Content-Disposition header.
  • LLWEB-1686: Improvements to the detection of ROP-based shellcode.

Bug fixes and improvements

  • USER-2507: Fix for the portal walk-through in the Firefox browser.
  • USER-2129: In the analysis report, improve the display of DNS queries that get an NXDOMAIN reply.
  • USER-2466: Upgrade the market verticals and analysis timeline graphs under the report overview to the new UI standard displays.
  • MALS-2229: Better Analyst API documentation for submit_file when the file upload is required.
  • MALS-2143: Ability to specify low-priority submission in the Analyst API.
  • LLAM-2832: Stability improvements when extracting PE metadata.
  • LLAM-2620: Improved extraction of files dropped during the analysis inside the analysis sandbox.
  • CC-1946: Make sure lastline_test_appliance does not hang forever on a stalling HTTP request, but terminates with a timeout error.
  • LLFILE-366 MALS-2222: Analyze files embedded in ISO containers in the Analyst API.
  • LLAM-2176 LLAM-2232: Extract static properties of the PE overlay.
  • LLAM-2176 LLAM-2232: Extract static properties of resources embedded in PE files.
  • MALS-2199 LLFILE-363: Improved reliability of archive inflation.
  • FEAT-1590: Display help for Network IoC tags in the Intelligence tab.
  • FEAT-1308: Display the page title in the navbar at the top of the page in the Lastline Portal.
  • USER-2115: Make the appliance selection persistent across all views of the Appliances tab.

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) are now deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises:

  • Lastline Analyst version 740

Released sandbox images versions

With this release, the sandbox images version is updated to 2017-06-19-01.

Distribution Upgrade

Analyst version 740, which is being made available as part of this release, will be the last version to support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the following versions, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These updates are not done automatically to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.
