Lastline Analyst and Detonator On-Premises Release Notes

Version 8.0

With the on-premises v8.0 release, the Dell R440 hardware platform is fully certified. We have also changed the recommended hardware platform to improve overall performance and to ensure that the features and functionality we provide to our customers operate as expected. For details, please refer to the Lastline Support Knowledge Base.

New features

  • Updated look and feel for Lastline Portal
  • Enforce a strong password policy for new passwords on Lastline Portal
  • Improved user interface for file submission
  • Backup to private AWS S3 storage
  • Disable TLSv1.0 on Manager/Pinbox/Analyst appliances
  • Support granular permissions for viewing and managing individual appliances

Updated look and feel for Lastline Portal

This release introduces a new styling for the Lastline Portal, with the aim of reducing visual clutter and adopting a more up-to-date look-and-feel. Note that this does not change the overall structure and functionality of the Portal: while the Portal looks different, the same functionality remains available in the same places, so existing users should be able to quickly adapt to the new look.

This change was tracked internally as FEAT-2790

Enforce a strong password policy for new passwords on Lastline Portal

With this release, the Lastline Portal will begin enforcing a stronger password policy for all new account passwords. This change applies:

  • At account creation
  • When changing the password of an account
  • When using the password reset functionality to change the password of an account

In all these cases, if the user selects a password that is too weak, the portal will display an informative error message that should assist the user in selecting a better password.

To decide whether a password is weak, and to suggest how it can be improved, we do not rely only on its length or on hard-coded rules about the character classes it must contain. Composition rules are cumbersome for users and a poor predictor of strength: a string such as "P@ssw0rd!" satisfies every such rule and is still among the first guesses an attacker tries. Instead we follow current best practice and estimate strength with the zxcvbn library, which scores a password by the number of guesses an attacker would need, recognising dictionary words, common character substitutions, dates and keyboard patterns.
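As an added illustration of the difference between the two approaches, the following Python sketch is neither the Portal's code nor the zxcvbn library itself. It reimplements zxcvbn's core idea (split the password into dictionary, substituted and brute-force pieces and take the attacker's cheapest path) over a tiny constructed word list, uses the same 0-4 score scale, and places a composition-rule check beside it for comparison. The word list, the MIN_SCORE threshold and the sample passwords are constructed assumptions; in a real deployment the call is "from zxcvbn import zxcvbn; zxcvbn(password, user_inputs=[username, email])", which returns the "score" and "feedback" fields modelled below.

```python
import math
import re

# Constructed stand-in for zxcvbn's ranked word lists: rank 1 is the most
# common password. Assumption: a real deployment uses the full lists shipped
# with the zxcvbn package plus site-specific terms (product, company name).
RANKED_WORDS = {"password": 1, "letmein": 2, "welcome": 3, "qwerty": 4,
                "admin": 5, "lastline": 6, "horse": 300, "correct": 500,
                "battery": 800, "staple": 2000}

# Common l33t substitutions mapped back to the letters they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def composition_rule(pw):
    """The classic rule: at least 8 chars with upper, lower, digit and symbol."""
    return bool(len(pw) >= 8 and re.search(r"[a-z]", pw)
                and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)
                and re.search(r"[^A-Za-z0-9]", pw))


def bruteforce_space(piece):
    """Alphabet size an attacker must cover for a piece that matches nothing."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26),
                       (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, piece):
            size += n
    return size or 1


def piece_guesses(piece, words):
    """Guesses for one piece: dictionary rank times l33t/capitalisation
    multipliers (as zxcvbn does), or brute force over the piece's alphabet.
    Returns (guesses, matched_word_or_None)."""
    plain = piece.translate(LEET).lower()
    rank = words.get(plain)
    if rank is None:
        return bruteforce_space(piece) ** len(piece), None
    guesses = rank
    substitutions = sum(1 for a, b in zip(piece.lower(), plain) if a != b)
    guesses *= 2 ** substitutions          # each substitution roughly doubles
    if piece != piece.lower():
        guesses *= 2                       # capitalisation variant
    return guesses, plain


def estimate(pw, user_inputs=()):
    """Cheapest attacker path over all segmentations of pw (dynamic
    programming, as in zxcvbn's most-guessable-match search). user_inputs
    (username, e-mail, ...) are treated as rank-1 dictionary words."""
    words = dict(RANKED_WORDS)
    for term in user_inputs:
        words[term.lower()] = 1
    n = len(pw)
    best = [(1, [])] + [(math.inf, [])] * n   # best[i]: (guesses, pieces) for pw[:i]
    for i in range(1, n + 1):
        for j in range(i):
            g, word = piece_guesses(pw[j:i], words)
            total = best[j][0] * g
            if total < best[i][0]:
                best[i] = (total, best[j][1] + [(pw[j:i], word)])
    guesses, pieces = best[n]
    score = sum(guesses >= t for t in (1e3, 1e6, 1e8, 1e10))  # zxcvbn's 0-4 scale
    feedback = []
    for piece, word in pieces:
        if word is None:
            continue
        if words[word] <= 10:
            feedback.append(f"'{piece}' is a very common password or a personal detail")
        if piece.translate(LEET).lower() != piece.lower():
            feedback.append(f"predictable substitutions in '{piece}' add little")
        elif piece != piece.lower():
            feedback.append(f"capitalising '{piece}' adds little")
    return {"guesses": guesses, "score": score, "feedback": feedback}


MIN_SCORE = 3   # assumption: the threshold the Portal enforces is not stated


def check_new_password(pw, user_inputs=()):
    """Accept, or reject with the explanation the error message should carry.
    Returns (accepted, messages)."""
    result = estimate(pw, user_inputs)
    if result["score"] >= MIN_SCORE:
        return True, []
    return False, result["feedback"] or ["too easy to guess; try a longer passphrase"]
```

Two things the rules-based check gets backwards: "P@ssw0rd!" passes every composition rule yet costs a few hundred guesses (one top-ranked word with two substitutions, a capital and a trailing symbol), while "correct horse battery staple" fails the rules and scores 4. Passing the account's own user name as user_inputs turns "jsmith2024" from a strong-looking string into a one-guess word followed by a four-digit number.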

This change was tracked internally as FEAT-2745

Improved user interface for file submission

With this release, the functionality for submitting files for analysis in the Lastline Portal has been revamped, so users now can:

  • Select multiple files to be submitted for analysis
  • Drag and drop files to be analyzed into the page
  • View the status of multiple submissions directly in the submission page

This change was tracked internally as FEAT-2521

Backup to private AWS S3 storage

This release extends the existing functionality for storing backups of Lastline installations in Amazon S3. Customers can now configure backups to be written to their own private, S3-compatible storage instead of Amazon's cloud service.

This change was tracked internally as FEAT-2308

Disable TLSv1.0 on Manager/Pinbox/Analyst appliances

TLSv1.0 is now disabled on customer Manager, Pinbox and Analyst appliances. This removes an obsolete protocol version with known weaknesses from the services these appliances expose; clients that can only speak TLSv1.0 will no longer be able to connect and must use a newer protocol version.
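A check an administrator can run after upgrading, added here as an example and not part of the Lastline release (the default host name is a placeholder): offer the appliance exactly one protocol version at a time with Python's ssl module and record what it does. The verdict deliberately requires both that the server rejected TLSv1 and that it accepted TLSv1.2, so a closed port, a non-TLS service or a client that refused to offer TLS 1.0 at all cannot be mistaken for a disabled protocol.

```python
import socket
import ssl

# Versions to probe; the release's change is that TLSv1 (1.0) must now be refused.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# OpenSSL reasons meaning *our* client would not offer or accept the version;
# they say nothing about the server and must not count as "rejected".
CLIENT_SIDE_REASONS = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"}


def probe(host, port, version, timeout=5.0):
    """Offer one protocol version and report the outcome as
    ("accepted", negotiated_version, cipher), ("rejected", reason) or
    ("inconclusive", reason) when the failure was on our side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:       # this OpenSSL build cannot speak it at all
        return ("inconclusive", str(exc))
    try:
        # Modern OpenSSL refuses to offer TLS 1.0/1.1 at its default security
        # level; lower it so the verdict reflects the server, not our client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", tls.version(), tls.cipher()[0])
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if reason in CLIENT_SIDE_REASONS:
            return ("inconclusive", reason)
        return ("rejected", reason)
    except OSError as exc:          # refused, reset, timed out: not a TLS verdict
        return ("inconclusive", type(exc).__name__)


def scan(host, port=443):
    """Probe every version in VERSIONS against one listener."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def tls10_disabled(results):
    """True only when the server rejected TLSv1 AND accepted TLSv1.2, so a dead
    port, a non-TLS service or a client-side refusal cannot pass the check."""
    return (results.get("TLSv1", ("",))[0] == "rejected"
            and results.get("TLSv1.2", ("",))[0] == "accepted")


if __name__ == "__main__":
    import sys
    # Placeholder host (assumption): replace with the appliance under test.
    target = sys.argv[1] if len(sys.argv) > 1 else "manager.example.internal"
    outcome = scan(target)
    for name, result in outcome.items():
        print(f"{name:8} {result}")
    print("TLSv1.0 disabled:", tls10_disabled(outcome))
```

Run it as "python probe_tls.py manager.example.internal" against each TLS listener the appliance exposes. The same probe from the command line is "openssl s_client -connect host:443 -tls1 -cipher 'DEFAULT:@SECLEVEL=0'" (a refused handshake ends with "Cipher is (NONE)"), or "nmap --script ssl-enum-ciphers -p 443 host", which lists every version and suite the server still accepts.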

This change was tracked internally as FEAT-2284

Support granular permissions for viewing and managing individual appliances

With this release, we are increasing the granularity of our permissions to support granting permissions to view and manage specific appliances. This change affects the existing permissions:

  • can_view_appliances: this permission allows viewing information about appliances, such as overall status, configuration, logs and metrics.

  • can_manage_appliances: this permission allows performing administrative tasks on an appliance, including installation, configuration and upgrade.

Prior to this change, these two permissions could only be granted for all of a customer's appliances at once. They can now also be granted on individual licenses or sensors, giving fine-grained control over which appliances an account can view and manage.
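To make the scoping concrete, here is a small Python model of the check (an added example, not the Portal's implementation). The data model is an assumption: each appliance is identified by a UUID and belongs to one license key, and a grant is scoped to the whole customer, to one license or to one sensor. View and manage are evaluated independently, since the page does not say that one implies the other, and unknown permissions, missing targets or targets not in the inventory are reported rather than silently ignored.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data model (assumption): every appliance is registered under one
# license key; a customer owns several licenses.


@dataclass(frozen=True)
class Appliance:
    uuid: str
    license_key: str
    role: str                       # informational: "manager", "engine", "sensor"


@dataclass(frozen=True)
class Grant:
    account: str
    permission: str                 # "can_view_appliances" / "can_manage_appliances"
    scope: str = "customer"         # "customer" (all appliances), "license" or "sensor"
    target: Optional[str] = None    # license key or appliance UUID for narrow scopes

    def covers(self, appliance):
        if self.scope == "customer":
            return True
        if self.scope == "license":
            return appliance.license_key == self.target
        if self.scope == "sensor":
            return appliance.uuid == self.target
        raise ValueError(f"unknown scope {self.scope!r}")


VALID_PERMISSIONS = {"can_view_appliances", "can_manage_appliances"}
VALID_SCOPES = {"customer", "license", "sensor"}


def grant_problems(grant, inventory):
    """Return the reasons a grant should be refused (empty list = valid):
    unknown permission or scope, a customer-wide grant with a target, a narrow
    grant without one, or a target that matches nothing in the inventory."""
    problems = []
    if grant.permission not in VALID_PERMISSIONS:
        problems.append(f"unknown permission {grant.permission!r}")
    if grant.scope not in VALID_SCOPES:
        problems.append(f"unknown scope {grant.scope!r}")
        return problems
    if grant.scope == "customer":
        if grant.target is not None:
            problems.append("customer-wide grants take no target")
        return problems
    if grant.target is None:
        problems.append(f"{grant.scope} grant needs a target")
        return problems
    known = ({a.license_key for a in inventory} if grant.scope == "license"
             else {a.uuid for a in inventory})
    if grant.target not in known:
        problems.append(f"{grant.scope} {grant.target!r} not in inventory")
    return problems


def has_permission(grants, account, permission, appliance):
    """Deny by default: true only if some grant names this account, this
    permission and a scope containing the appliance."""
    return any(g.account == account and g.permission == permission
               and g.covers(appliance) for g in grants)


def visible_appliances(grants, account, inventory):
    """UUIDs the account may see, i.e. what an appliance list should show."""
    return sorted(a.uuid for a in inventory
                  if has_permission(grants, account, "can_view_appliances", a))
```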

This change was tracked internally as FEAT-1662

Detection Improvements

  • ANREV-4433: Better detection of malware persistence mechanisms installed directly from Microsoft Office.
  • ANREV-4476: Better detection of OSX/BackTrack.
  • ANREV-4508, ANREV-4522: Better detection of CVE-2018-4878.
  • ANREV-4525, SIGREPSCAN-456: Better detection for building MSBuild projects from Microsoft Office.
  • LLADOC-541: Better detection of exploits against Equation Editor OLE objects embedded in Microsoft Office documents.
  • LLADOC-557: Better detection of remote OLE objects embedded in Microsoft Office documents.
  • LLAM-3466: Better detection of websites dropping HTA files.
  • LLAM-3519: Better detection of Cryptojacking.
  • LLAM-3530: Better detection of malicious wscript launched through ActiveX.
  • SIGLOGSCAN-239: Better detection of Ebowla payloads.
  • SIGLOGSCAN-253: Better detection of OSX bitcoin miners.
  • SIGLOGSCAN-258: Better detection of anomalous use of MMX registers.
  • SIGLOGSCAN-260: Better detection of samples using Tiny Shell backdoor.
  • SIGLOGSCAN-261: Better detection of OSX/MaMi family.
  • SIGLOGSCAN-264: Better detection of Samsam ransomware.
  • SIGLOGSCAN-266: Better detection of files packed with unregistered versions of Enigma Protector.
  • SIGREPSCAN-360: Better detection of malware dropping Microsoft Office Add-Ins.
  • SIGREPSCAN-363: Better detection of drivers dropped by malware.
  • SIGREPSCAN-433: Better detection for communicating with hosts via TOR proxy servers.
  • SIGREPSCAN-437: Better detection of malware persistence mechanisms.
  • SIGREPSCAN-438: Better detection of FTP credential stealing.
  • SIGREPSCAN-444: More robust detection of corrupted Microsoft Office files.
  • SIGREPSCAN-461: Better detection of files downloaded via certutil utility.
  • SIGREPSCAN-466: Better detection of samples using VMProtect.
  • SIGLOGSCAN-220: Better detection of evasions via known Sandbox mutex names.
  • SIGLOGSCAN-283: Better detection of evasions via Guest Addition registry key fingerprinting.
  • SIGREPSCAN-443: Better detection of evasions via bitsadmin utility.
  • SIGREPSCAN-447: Better detection of evasions via machine serial numbers.
  • SIGREPSCAN-450: Better detection of evasions using log-on information of the current user.
  • SIGREPSCAN-452: Better detection of evasions via network information collected via scutil.
  • SIGREPSCAN-448, SIGREPSCAN-449: Better detection of evasions via network information collected on Mac OS.
  • LLAM-3440: Better user emulation for Microsoft Office analysis on Mac OS.
  • SIGLOGSCAN-242: Better handling of evasions via system information gathered from GetLocaleInfo calls.
  • SIGLOGSCAN-252: Better handling of evasions using system uptime information.
  • SIGREPSCAN-432: Better handling of evasions via querying Win32_PnpSignedDriver WMI class.
  • SIGREPSCAN-422: Better handling of obfuscation via dotless IP addresses.
  • LLADOC-540: More robust extraction of malicious PDFs embedded in RTF documents.
  • LLADOC-547: Improved handling of malformed RTF documents containing binary data.
  • SIGREPSCAN-445: Less aggressive classification of installer programs.
  • ANREV-4490, LLADOC-538: Less aggressive classification of scripts modifying files on disk embedded in Microsoft Office documents.
  • LLADOC-542: More robust extraction of Ole-10-native files from Microsoft Office documents.
  • LLADOC-543: More robust parsing of RTF files in the prefilter module.
  • LLADOC-549, LLFILE-400: Improved analysis of URLs in Internet Shortcut files.
  • LLADOC-551: More robust parsing of invalid XML.
  • LLFILE-380: Improved file type classification for non-Office files using OpenXML file format.
  • LLFILE-393: Improved extraction of partially-corrupted 7z archives.
  • LLFILE-395: Improved analysis of Microsoft Office Spreadsheet-ML files.
  • LLFILE-399: Improved analysis of Microsoft Office Presentation-ML files.
  • FEAT-2829: Support the analysis of SYLK (Symbolic Link) files in the Lastline Sandbox; these are opened in Excel and other spreadsheet applications.
  • FEAT-2808: Improved handling of malicious code embedded in CSV files for Microsoft Excel.
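One of the obfuscations in the list above, dotless IP addresses (SIGREPSCAN-422), is worth seeing decoded. inet_aton() and browsers accept an IPv4 host as a single decimal, hexadecimal or octal number, or as two or three components where the last one fills the remaining bytes, so http://3232235777/ and http://0xC0A80101/ both reach 192.168.1.1 and slip past string matches on the dotted form. The decoder and URL normaliser below are an added Python example, not Lastline's code; the URLs in the usage and tests are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# One numeric component as inet_aton() parses it: 0x.. hex, leading-0 octal,
# otherwise decimal. Anything else (letters, "08") is not a numeric host.
_NUMBER = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_component(text):
    if not _NUMBER.match(text):
        return None
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text)


def decode_dotless(host):
    """Return the dotted-quad for any IPv4 spelling inet_aton() accepts, or
    None if host is not one. With fewer than four components the last one
    fills the remaining bytes: a.b.c -> a.b.(c>>8).(c&255), a.b -> a plus a
    24-bit b, and a lone number is the whole 32-bit address."""
    components = host.split(".")
    if not 1 <= len(components) <= 4:
        return None
    values = [_parse_component(c) for c in components]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head):
        return None
    fill = 4 - len(head)                 # bytes the last component covers
    if last >= 256 ** fill:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * fill)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url(url):
    """Rewrite a URL whose host is an obfuscated IPv4 literal into dotted-quad
    form so it can be matched against indicators and reputation lists."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return url
    decoded = decode_dotless(host)
    if decoded is None or decoded == host:
        return url                      # not numeric, or already canonical
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit(parts._replace(netloc=f"{userinfo}{decoded}{port}"))


if __name__ == "__main__":
    # Constructed sample URLs, all pointing at the same private address.
    for sample in ("http://3232235777/payload.hta", "http://0xC0A80101/",
                   "http://030052000401/", "http://192.168.257/",
                   "http://0xC0.0250.1.1/", "http://example.com/"):
        print(f"{sample:35} -> {normalize_url(sample)}")
```

The same address can be written as 3232235777, 0xC0A80101, 030052000401, 192.168.257 or 0xC0.0250.1.1; a detector that only recognises the dotted-quad spelling misses all but the last form, which is why canonicalisation belongs before any indicator match.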

Bug Fixes and Improvements

  • PLTF-201: Improved handling of non-ASCII character encodings.
  • MALS-2591: Better detection of exploits launched from infected websites.
  • MALS-2368: Extend tool for analyzing submission volume to the analysis system.
  • LLFILE-406: More robust detection of archives containing Mac OS applications/bundles.
  • LLFILE-405: More robust content-based detection of macro-enabled OpenXML documents.
  • LLFILE-402: More robust content-based detection of macro-enabled Microsoft Excel spreadsheets.
  • LLAM-3613: Better analysis of websites hosting exploits and using TLS1.1/TLS1.2.
  • LLADOC-564: More robust handling of large analysis reports for structural document analysis.
  • FEAT-2827: Daily OS security updates are now scheduled so that they do not fail when an appliance reconfiguration is running at the same time.
  • FEAT-2649: Trigger analysis of documents with Mac-OS-specific macros in Microsoft Office for Mac.
  • FEAT-2196: Lastline Managers no longer have TCP port 25 open; it is no longer needed by our architecture and unnecessarily increased the attack surface of the appliances.
  • FEAT-1714: Extend Lastline Analyst API report to show more information on files inside archive/container files submitted for analysis.

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) have been deprecated.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:

  • Lastline Analyst version 900

and for Lastline Detonator On-Premises:

  • Lastline Manager version 900
  • Lastline Engine version 900

Released sandbox images versions

The sandbox images version is now updated to 2018-03-02-01.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
