Lastline Analyst and Detonator On-Premises Release Notes

Version 8.2

Detection Improvements

  • LLADOC-581 Improved detection of suspicious XSL scripts.
  • LLADOC-600 LLADOC-601 LLADOC-621 LLADOC-624 LLADOC-626 More robust parsing of data streams in Microsoft Office documents.
  • LLADOC-604 Improved extraction of OLE2.0 streams from Microsoft Office documents.
  • LLADOC-611 Improved detection of script code with the capability to communicate using web-services.
  • LLADOC-614 Improved extraction of orphan streams in Microsoft Office OLE streams.
  • LLADOC-622 More robust classification of Microsoft Office documents accessing remote OLE resources.
  • LLADOC-633 Improved detection of very large XML files embedded in Microsoft Office documents.
  • LLADOC-644 LLADOC-308 LLFILE-326 More robust detection of Microsoft Support Diagnostic cab files.
  • LLADOC-645 Improved extraction of zlib-compressed objects embedded in Microsoft Office documents.
  • LLADOC-650 Improved extraction of objects/metadata from RTF documents.
  • LLADOC-651 Improved extraction of email body text using RTF encoding.
  • LLADOC-653 More robust detection of embedded remote OLE objects in Microsoft Office documents.
  • LLAM-3080 LLAM-3806 Improved interception of stalling code in user and kernel space.
  • LLAM-3803 Improved hooking of direct system call invocations.
  • LLFILE-296 More robust detection of Microsoft Batch scripts.
  • LLFILE-419 More robust content-based file-type detection of Mach-O files.
  • LLFILE-421 More robust type detection for XPS documents.
  • LLFILE-422 More robust detection of Microsoft HTA files.
  • LLFILE-424 More robust inflation of archives containing very large files.
  • LLMAIL-452 Deeper inspection of unreadable archives.
  • MALS-2343 Fixed the extraction of network connection metadata (e.g., missing TCP port data) in the sandbox analysis reports.
  • MALS-2667 LLADOC-607 LLADOC-608 LLADOC-609 Improved detection for malformed archives.
  • MALS-2670 More robust inflation of archives that contain large files when submitted to the analysis system.
  • MALS-2687 Fixed a bug that misinterprets filenames containing domains as Microsoft COM executables.
  • MALS-2696 More robust inflation of archives containing unknown filename encodings.
  • MALS-2730 Fixed a bug to enable robust parsing of Microsoft Windows command lines.
  • SIGLOGSCAN-143 Improved detection of anomalous interactions with critical system processes.
  • SIGLOGSCAN-175 SIGLOGSCAN-176 Improved detection of malware checking user privileges.
  • SIGLOGSCAN-179 Improved detection of InviZzzible evasion tools.
  • SIGLOGSCAN-191 Improved detection of Fuzzbunch payloads.
  • SIGLOGSCAN-194 Improved detection of Sougu PUA.
  • SIGLOGSCAN-215 Improved detection of malware retrieving hardware information.
  • SIGLOGSCAN-229 Improved detection of Turla Carbon.
  • SIGLOGSCAN-238 Improved detection of anomalous reading of foreign process memory.
  • SIGLOGSCAN-288 More robust detection of documents containing suspicious URLs.
  • SIGLOGSCAN-298 Improved detection of malware with the ability to change parent process attributes.
  • SIGLOGSCAN-307 Improved detection of code evading code-emulation via GetSystemMetrics API.
  • SIGLOGSCAN-313 Improved detection of accessing CPU information via the Microsoft Windows Registry.
  • SIGLOGSCAN-314 Improved detection of system fingerprinting for presence of a hypervisor.
  • SIGLOGSCAN-318 Improved detection of ASProtect.
  • SIGLOGSCAN-320 Improved detection of Windows task scheduler LPE vulnerability.
  • SIGLOGSCAN-321 SIGLOGSCAN-322 Improved detection of stealing browser credentials (and add support for Flock browser).
  • SIGLOGSCAN-323 Improved detection of Mimikatz.
  • SIGREPSCAN-138 SIGREPSCAN-502 SIGREPSCAN-512 SIGREPSCAN-522 SIGREPSCAN-523 SIGREPSCAN-524 SIGREPSCAN-525 SIGREPSCAN-526 SIGREPSCAN-527 SIGREPSCAN-528 SIGREPSCAN-529 SIGREPSCAN-532 SIGREPSCAN-533 SIGREPSCAN-536 SIGREPSCAN-537 Better hooking of WMI queries.
  • SIGREPSCAN-159 SIGREPSCAN-284 More aggressive detection of anomalous use of HTA script code.
  • SIGREPSCAN-177 SIGREPSCAN-178 More aggressive detection of evasions abusing Zone.Identifier information.
  • SIGREPSCAN-190 More robust classification of Microsoft Office accessing online resources that are unavailable.
  • SIGREPSCAN-213 Better detection of logoff activity.
  • SIGREPSCAN-246 SIGREPSCAN-550 Improved detection of file decoding using system binaries (e.g., certutil).
  • SIGREPSCAN-252 SIGREPSCAN-272 SIGREPSCAN-308 SIGREPSCAN-225 Improved detection of attempted Microsoft Windows UAC bypassing.
  • SIGREPSCAN-334 More robust classification of file type confusion attacks.
  • SIGREPSCAN-355 Improved detection of raw access to physical drive.
  • SIGREPSCAN-356 Clarify description of driver-loading activities.
  • SIGREPSCAN-361 SIGREPSCAN-421 SIGREPSCAN-493 SIGREPSCAN-515 More robust detection of code failing at communicating with a remote server.
  • SIGREPSCAN-391 SIGREPSCAN-507 More aggressive detection of anomalous invocations of script code from Microsoft Office.
  • SIGREPSCAN-488 Improved detection of anomalous use of system utilities.
  • SIGREPSCAN-495 Improved detection of macOS migration tool bypass.
  • SIGREPSCAN-499 Improved detection of code disabling the Microsoft Windows Control Panel.
  • SIGREPSCAN-500 Improved detection of sandbox fingerprinting via VMware DLLs.
  • SIGREPSCAN-501 SIGREPSCAN-503 SIGREPSCAN-505 SIGREPSCAN-264 Improved detection of hardware fingerprinting via WMI.
  • SIGREPSCAN-504 More robust detection of ransomware.
  • SIGREPSCAN-506 Improved detection of VMProtect packers.
  • SIGREPSCAN-508 Improved detection of exploits using ASLR bypass.
  • SIGREPSCAN-509 More robust classification of communication with private IP addresses.
  • SIGREPSCAN-511 Improved extraction of activities using of relative paths.
  • SIGREPSCAN-513 Improved detection of hijacking of Microsoft Outlook COM objects.
  • SIGREPSCAN-518 More robust detection of suspicious modification of system files.
  • SIGREPSCAN-538 SIGREPSCAN-534 More aggressive detection of exploits using ASLR bypass.

Bug Fixes and Improvements

  • USER-3017: Fixed a bug that could prevent authorized portal users from seeing the analysis subject download button and downloading the analysis subject.
  • USER-2990: Fixed a bug that removed "Allow network traffic" option in the UI. It now appears in the Analyst tab.
  • USER-2972: Fixed a bug that showed variables on URL Analysis page instead of displaying the URLs.
  • USER-2924: Fixed a bug that caused analyst customers to view the links to global search in analysis overview page, leading to 404 pages.
  • MALS-2728: The default behavior of APK analysis has changed to query global intelligence using MD5, SHA1, and APK package name (instead of the APK content). This makes APK cloud-analysis consistent with the default behavior of the other file types.
  • MALS-2719: More robust processing of analysis results and handling of temporary out-of-memory issues.
  • MALS-2696: More robust inflation of archives containing unknown filename encodings.
  • MALS-2687: Fixed a bug that misinterprets filenames containing domains as Microsoft COM executables.
  • MALS-2670: More robust inflation of archives that contain large files when submitted to the analysis system.
  • MALS-2661: More robust processing of archives containing very long filenames.
  • MALS-2651: More robust handling of invalid Lastline application bundles.
  • MALS-2479: More robust handling of invalid Lastline application bundles using non-ASCII filenames.
  • LLFILE-424: More robust inflation of archives containing very large files.
  • LLFILE-421: More robust content-based file-type detection of XPS files.
  • LLFILE-419: More robust content-base file-type detection of Mach-O files.
  • LLFILE-296: More robust detection of Microsoft Batch scripts.
  • FEAT-3268: The submission helper for bulk submissions to the Analyst API has been rewritten to better handle file-upload selection and errors.
  • FEAT-3267: Include extended version of "analyze_files" utility (formerly "analyze_binaries") in the Analyst API documentation. The new version contains various improvements allowing which files to select for analysis as well as improved error handling.
  • FEAT-2979: Fixed a bug that truncated output in the PDF report as compared to the content in the UI.
  • FEAT-2918: Include Content Security Policy HTTP header in responses from Lastline portal.
  • FEAT-1681: Lastline's integration for logging in to the portal via RADIUS now officially supports Windows Server 2016 as a RADIUS server.

Deprecation of API methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:

  • Lastline Analyst version 1000

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1000
  • Lastline Engine version 1000

Released sandbox images versions

The sandbox images version is updated to 2018-10-16-01. Note that the update of OS image may imply longer download times compared to previous updates.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.

8.1 8.3