Lastline Analyst and Detonator On-Premises Release Notes

Version 7.17

New features

  • Increased visibility in Mac OS analysis framework
  • Display labels for the classification of samples in analysis overview
  • Improved appliance configuration page
  • Support for testing notification configurations

Increased visibility in Mac OS analysis framework

This release marks the general availability of improved analysis for threats targeting Mac OS. These improvements have been phased in over recent months.

The new system improves deep inspection of any application started in the Lastline Mac OS sandbox, increases visibility into the activities performed, allows more flexible anti-evasion techniques, supports additional file types, and more.

This improvement was tracked internally as:

  • FEAT-1161, FEAT-1744: improved visibility into behaviors and anti-evasion techniques,
  • FEAT-1328: improved inspection of Unix syscalls,
  • FEAT-1750: improved analysis of DMG files and Mac OS application bundles, as well as Mac Universal Binaries, and
  • FEAT-1633: more flexible tracking of behaviors and detection of suspicious activities.

This change was tracked internally as FEAT-2817

Display labels for the classification of samples in analysis overview

When displaying the analysis overview for the analysis of a file or URL, the Lastline Portal now shows additional information on the classification of the sample. Specifically, each of the following three fields is displayed when information is available for it:

  • Antivirus class: the general classification of the sample according to antivirus technology, with values such as "trojan", "ransomware" or "adware".
  • Antivirus family: the more specific classification of the sample according to antivirus technology, with values such as "locky", "bundleinstaller" or "virut".
  • Malware: the Lastline malware name attributed to the sample based on the network traffic observed during analysis.

This change was tracked internally as FEAT-2483

Improved appliance configuration page

The appliance configuration page of the Lastline Portal has been redesigned and improved. The available configuration options are now organized into tabs by category.

This change was tracked internally as FEAT-2172

Support for testing notification configurations

When setting up a notification configuration, users are now able to send a test message to verify that the setup is correct.

This functionality is available for a number of integrations supported by Lastline:

  • Email notifications
  • Syslog notifications (SIEM)
  • Generic HTTP notifications
  • Streaming API notifications

This functionality can be triggered from the Lastline Portal by clicking on the "Send test notification" button when viewing a notification configuration. This allows users to verify end-to-end delivery of a notification to its intended recipient.

This change was tracked internally as FEAT-945

Bug Fixes and Improvements

  • USER-2713: Updated favicon (cosmetic fix).
  • USER-2702: Fixed a bug that could result in failed login attempts being inaccurately displayed in the audit log as originating from local IP address 127.0.0.1.
  • USER-2699: Clarified in the Lastline Portal text that an administrator can change another account's password without knowing its current password. The password requested to confirm this action is the administrator account's own password.
  • USER-2598: Fixed an issue where the appliance upgrade dialog would suggest enabling auto-update even though it was already enabled.
  • SENT-754: The upgrade of sensor appliances to Ubuntu Trusty introduced issues in our support for Silicom NICs. The Silicom NIC driver has been updated to address these issues.
  • PLTF-71: Stopped reporting unhelpful, generic errors such as "Error(s) occurred while running lastline_test_appliance". The individual errors that occurred are already reported separately.
  • PLTF-56: Fixed a bug that could, in rare cases, cause processing of appliance monitoring logs to get stuck due to an invalid message.
  • PLTF-28: Fixed an issue that could cause the lastline_test_appliance utility to report the error "Not enough free space in the LVM" simply because a backup was running at the time.
  • LLUPL-545: Fixed an issue where report generation could leave files behind in /tmp.
  • LLMAIL-420: More robust handling of email URL extraction (better handling of non-lowercase schemes).
  • LLAM-3063: Fixed a bug when executing different entry points during a Microsoft Windows DLL analysis.
  • FEAT-2550: Added a tool for analyzing local analysis data usage: analyst_scheduler_data_usage.py.
  • FEAT-2507: The table in the appliance selection modal now remembers table view settings such as column visibility and width.
  • FEAT-2475: Fixed a typo in the portal when deleting an account.
  • FEAT-2457: More accurate and reliable emulation of recent hardware platforms in the analysis sandbox.
  • FEAT-2446: Changed the file downloads tab to make "all downloads" the default view.
  • FEAT-2342: Disabled Cipher Block Chaining (CBC) cipher modes in the SSH server.
  • FEAT-2330: Added support for searching by a file's imports hash in the intelligence tab.
  • FEAT-2134: The downloads and manuals pages of the Lastline Portal have been updated. The downloads page now displays the ISO downloads that are relevant for a user's available licenses.
  • ENG-2300: Fixed a bug causing the SSH daemon to crash if a monitoring account is set up.
  • CC-2104: Fixed a timeout when running lastline_register for customers with an extremely high number of licenses.
  • CC-1670: lastline_test_appliance: avoid a false positive error about the CPU.

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) have been deprecated.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances. For Lastline Analyst On-Premises:

  • Lastline Analyst version 830.1

and for Lastline Detonator On-Premises:

  • Lastline Manager version 830.1
  • Lastline Engine version 830.1

Released sandbox images versions

The sandbox images version remains unchanged at 2017-07-17-01.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty"; if it is "precise", the appliance distribution needs to be upgraded before installing this release.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
