Version 7.16.4
Detection Improvements
We have made enhancements to the detection of
- LLADOC-500 Microsoft Word document template infections,
- LLADOC-517 obfuscated DDE commands,
- LLADOC-523 remote OLE embedded in Microsoft Office document footer/header sections,
- LLAM-3248 Microsoft Office exploits targeting the equation editor,
- SIGLOGSCAN-208 fileless payloads,
- SIGLOGSCAN-236 Sofacy variants,
- SIGREPSCAN-365 corrupted Microsoft Office documents,
- SIGREPSCAN-374 executables generated as part of a document analysis,
- SIGREPSCAN-385 scriptlets embedded in RTF files,
and extended anti-evasion techniques to detect evasion attempts that rely on
- ANREV-4368 known sandbox host names or usernames,
- LLAM-3205 hashing of process names,
- LLAM-3214 low-level network adapter settings,
- LLAM-3287 hooking LdrGetProcedureAddress,
- SIGLOGSCAN-212 LLAM-3219 excessive calls to timing API functions,
and improved the reliability of
- LLADOC-491 LLADOC-516 classifying Microsoft Office macro code accessing the host file system,
- LLADOC-516 LLADOC-524 finding suspicious, embedded objects in RTF files,
- LLAM-3063 executing different entry points during a Microsoft Windows DLL analysis,
- LLAM-3112 extracting data from Microsoft Windows registry,
- LLAM-3324 extracting system Network Adapter information,
- LLFILE-392 analyzing password-protected rar5 archives,
- SIGREPSCAN-392 classifying behavior of Microsoft Internet Explorer triggered during the analysis of documents,
- SIGREPSCAN-402 classifying suspicious use of unreachable hosts on the internet from Microsoft Batch files,
- SIGREPSCAN-419 classifying behavior of Internet Explorer spawned during document analysis.
Deprecation of API methods
All methods of the legacy API (/ll_api/ll_api) have been deprecated.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances. For Lastline Analyst On-Premises:
- Lastline Analyst version 825.1
and for Lastline Detonator On-Premises:
- Lastline Manager version 825.1
- Lastline Engine version 825.1
Released sandbox images versions
The sandbox images version remains at 2017-07-17-01.
Distribution Upgrade
As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
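The release notes point to the portal's Appliance Status view as the place to read the base distribution. The following is an added example, not part of the Lastline release notes or product, for operators who would rather gate an upgrade script on the appliance itself. It assumes shell access to the appliance and the standard Ubuntu /etc/lsb-release file (DISTRIB_CODENAME line); the sample file contents in the block are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lastline code): decide whether an appliance's Ubuntu base
# distribution must be upgraded before moving to Lastline 7.16 or later.
# Assumes the standard Ubuntu /etc/lsb-release format with a DISTRIB_CODENAME line.

# distro_upgrade_verdict <contents of an lsb-release file>
# Prints "ok" for trusty, "upgrade-required" for precise, "unknown" otherwise
# (missing codename, unexpected release, quoted or upper-case values are handled).
distro_upgrade_verdict() {
    codename=$(printf '%s\n' "$1" | sed -n 's/^DISTRIB_CODENAME=//p' | tr -d '"' | tr 'A-Z' 'a-z')
    case "$codename" in
        trusty)  echo "ok" ;;
        precise) echo "upgrade-required" ;;
        *)       echo "unknown" ;;
    esac
}

# check_appliance [path-to-lsb-release]
# Reads the real file (default /etc/lsb-release); returns 0 only when the
# appliance is already on trusty, 1 when it is not, 2 when the file is unreadable,
# so an upgrade script can stop early on a precise appliance.
check_appliance() {
    file=${1:-/etc/lsb-release}
    if [ ! -r "$file" ]; then
        echo "$file: not readable, cannot determine base distribution" >&2
        return 2
    fi
    verdict=$(distro_upgrade_verdict "$(cat "$file")")
    echo "$file: $verdict"
    [ "$verdict" = "ok" ]
}

# Constructed sample inputs (not taken from a real appliance) to show the verdicts.
SAMPLE_PRECISE='DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"'

SAMPLE_TRUSTY='DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME="Trusty"
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"'

echo "precise sample: $(distro_upgrade_verdict "$SAMPLE_PRECISE")"
echo "trusty sample:  $(distro_upgrade_verdict "$SAMPLE_TRUSTY")"
```

On a live appliance, run `check_appliance` with no argument before starting the upgrade and only proceed on exit status 0; a status of 2 means the file could not be read and the portal's Appliance Status view should be consulted instead.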
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.