Lastline Analyst and Detonator On-Premises Release Notes

Version 7.16.3

NOTE: Features released as part of Lastline Enterprise 7.16.2 did not affect the Lastline Analyst/Detonator on-premises products. As a result, and to maintain consistent versioning across the 7.16.x releases, the 7.16.2 release was skipped for Lastline Analyst/Detonator on-premises deployments.

New features

  • Improved file analysis
  • Bug fixes and improvements

Improved file analysis

We have made enhancements to the detection of

  • LLADOC-454 LLADOC-482 LLADOC-483 LLADOC-488 LLADOC-507 LLADOC-517 obfuscated DDE commands embedded in Microsoft Office documents,
  • LLADOC-490 LLADOC-513 obfuscated or encoded URLs referring to external scripts embedded in Microsoft Office documents,
  • LLADOC-501 binary data extracted from Hangul documents,
  • LLADOC-515 suspicious JavaScript embedded in PDF documents,
  • SIGREPSCAN-390 launching of anomalous shell commands from Microsoft Office,
  • SIGREPSCAN-382 SIGREPSCAN-385 SIGREPSCAN-386 invocation of remote script code from Microsoft Office,
  • ANREV-4263 ANREV-4280 SIGREPSCAN-376 ransom notes,
  • ANREV-4294 the open source XMRig miner,

and extended anti-evasion techniques to detect the abuse of

  • SIGLOGSCAN-213 SIGREPSCAN-264 known processor manufacturers,

and improved the reliability of

  • LLADOC-508 parsing unnamed VBA functions,
  • MALS-2459 extracting information from Microsoft Windows driver files.

Bug fixes and improvements

  • FEAT-2700: improved analysis of URLs contacting suspicious hosts on the internet.
  • FEAT-2611: improved information about timestamps returned by the Analyst API.
  • MALS-2404: fixed a bug in reporting failures when contacting the hosted analysis service to download analysis metadata.
  • MALS-2445: fixed a bug in requesting analysis metadata after the appliance had been offline for a long time.
  • FEAT-2299: made the Analyst API documentation available via the on-premises web UI. This allows accessing the API and client documentation for the specific version installed on the local appliance via https:///analyst-api-docs/html/index.html.

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) have been deprecated.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises:

  • Lastline Analyst version 820

and for Lastline Detonator On-Premises:

  • Lastline Manager version 820
  • Lastline Engine version 820

Released sandbox image versions

The sandbox image version remains at 2017-07-17-01.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
