Version 8.4
Image Download Time
The overall size of our sandbox images has increased, which affects the time it may take to download these images during an install or upgrade compared to the time it took in our most recent 8.3.4 release. The install and upgrade time can be reduced by pre-loading the Lastline sandbox images before you upgrade or install. Instructions on how to pre-load sandbox images can be found here. Additionally, to mitigate this risk upon installation we strongly suggest you enable downloading from a CDN, which is documented in the Lastline Manager Installation Guide. Customers upgrading from a previous version who are concerned about the download speed may also contact support to enable the use of CDNs. As part of 8.4, this option will be exposed to customers via the lastline_register utility.
New Features
- Integrate Antimalware Scan Interface (AMSI) for MS Office document analysis in Lastline sandbox
- Detection of URL Link Chains
- Extract Powershell/VBS/JS executed code to Llama report using Windows 10 AMSI interface
INTEGRATE ANTIMALWARE SCAN INTERFACE (AMSI) FOR MS OFFICE DOCUMENT ANALYSIS IN LASTLINE SANDBOX
The Windows Antimalware Scan Interface (AMSI) has been integrated into the Lastline Sandbox for MS Office document analysis. AMSI increases visibility into the execution of VBA code, which allows the sandbox to observe not only system-level events but also VBA code-specific events.
This new feature was tracked internally as FEAT-4043
DETECTION OF URL LINK CHAINS
Lastline's URL analysis engine extracts and analyzes URLs found in Google Docs submitted for analysis. This allows the engine to follow the URL link chain and detect malicious payloads or phishing pages at the end of the chain.
This new feature was tracked internally as FEAT-3578
EXTRACT POWERSHELL/VBS/JS EXECUTED CODE TO LLAMA REPORT USING WINDOWS 10 AMSI INTERFACE
Lastline Sandbox analysis on Windows 10 is now integrated with AMSI (Antimalware Scan Interface) for PowerShell, VBS and JS scripts and for macro code analysis. The new feature increases visibility into script/macro code execution and improves the detection capabilities of the sandbox.
This new feature was tracked internally as FEAT-3515
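To show what the AMSI integration described in the two features above gives a sandbox, here is an added example (not Lastline code) that acts as an AMSI consumer: it hands script text to whatever AMSI provider is registered on a Windows 10 host and maps the returned AMSI_RESULT to a verdict. The sandbox's own hook sits on the provider side, which this example does not implement; the app name, content name and sample script are constructed for the demo.

```python
"""Submit script content to Windows AMSI through ctypes (Windows 10 and later only)."""
import ctypes
import sys

# AMSI_RESULT values as defined in amsi.h
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 32768


def amsi_verdict(result: int) -> str:
    """Map a raw AMSI_RESULT to a verdict (same rule as the AmsiResultIsMalware macro)."""
    if result >= AMSI_RESULT_DETECTED:
        return "detected"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "blocked_by_admin"
    return "clean"


def amsi_scan(content: str, content_name: str, app_name: str = "AmsiVisibilityDemo") -> int:
    """Pass `content` to the registered AMSI provider(s) and return the raw AMSI_RESULT.

    Script hosts hand AMSI the decoded text that is about to run (PowerShell uses
    UTF-16LE), which is why a provider sees encoded or obfuscated scripts in the clear.
    """
    if sys.platform != "win32":
        raise OSError("AMSI is only available on Windows 10 and later")
    amsi = ctypes.WinDLL("amsi")
    for fn in (amsi.AmsiInitialize, amsi.AmsiOpenSession, amsi.AmsiScanBuffer):
        fn.restype = ctypes.c_long  # HRESULT; negative means failure
    ctx, session, result = ctypes.c_void_p(), ctypes.c_void_p(), ctypes.c_uint()
    if amsi.AmsiInitialize(ctypes.c_wchar_p(app_name), ctypes.byref(ctx)) < 0:
        raise OSError("AmsiInitialize failed")
    try:
        if amsi.AmsiOpenSession(ctx, ctypes.byref(session)) < 0:
            raise OSError("AmsiOpenSession failed")
        buf = content.encode("utf-16-le")
        hr = amsi.AmsiScanBuffer(ctx, buf, len(buf), ctypes.c_wchar_p(content_name),
                                 session, ctypes.byref(result))
        amsi.AmsiCloseSession(ctx, session)
        if hr < 0:
            raise OSError("AmsiScanBuffer failed")
    finally:
        amsi.AmsiUninitialize(ctx)
    return result.value


if __name__ == "__main__":
    # Constructed sample: a harmless script line, as a script host would present it to AMSI.
    code = amsi_scan("Write-Output 'hello from the AMSI demo'", "demo.ps1")
    print(f"AMSI_RESULT={code} -> {amsi_verdict(code)}")
```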
Detection Improvements
- TRES-647: Improved prefilter detection for documents with XL4 macro code.
- TRES-641: Improved detection of OSX/Pirrit malware family.
- TRES-584: Improved detection of compiled python scripts.
- TRES-569: Improved detection of PUA/Softcnap malware family.
- TRES-551: Improved prefilter detection for documents with XL4 macro code.
- TRES-490: Reduced false positive rate for executables.
- TRES-478: Improved detection of POWRUNER and BONDUPDATER malware families.
- TRES-460: Improved detection rate of compressed SWF files.
- TRES-436: Improved analysis of malicious executable and document files targeting Mac OS.
- TRES-417: Improved detection of OSX/Callisto malware family.
- TRES-397: Improved detection of Shadow Hammer malware family.
- TRES-387: Improved detection of Flashback, Crisis, XSLCmd, Calisto, Coldroot, Dummy, CreativeUpdate and DarthMiner OSX malware families.
- TRES-377: Improved detection of malicious URL embedded into PDF.
- TRES-371: Improved detection of XSLCmd malware family.
- TRES-370: Improved detection of OSX/Komplex malware family.
- TRES-324: Improved detection of ASLR bypass in Microsoft Office documents.
- TRES-301: Improved detection of evasive Microsoft Office documents which use country-specific checks to bypass analysis systems.
- TRES-295: Improved detection of malware exploiting ACE format vulnerability (CVE-2018-20250).
- TRES-197: Improved analysis of encrypted XLS documents.
- TRES-177: Improved detection of LazyMeerkat malware family.
- TRES-163: Improved detection of Chches malware family (APT10).
- TRES-150: Improved detection of embedded API names in OLE streams of XLS files.
- TRES-148: Improved detection of Vflooder malware family.
- TRES-134: Improved detection of exploits targeting Microsoft Equation Editor.
Bug Fixes and Improvements
- USER-3394: The link from Admin / Appliances / Configuration / Integrations / Active Directory to Admin / Data Sources / Active Directory now works as expected.
- USER-3297: Fixed incorrect URLs linking to the AWS documentation.
- TRES-419: Improved extraction and parsing of long encoded PowerShell command lines.
Deprecation of API Methods
No additional API methods are being deprecated or discontinued in this release.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Deprecation of Legacy Web Threat Analysis System
In the previous 8.3 release, we introduced a new analysis system for the dynamic analysis of web threats. This new system is faster and covers a wider variety of attacks. Until now, the old and new analysis systems were run in parallel to evaluate the detection accuracy of the new system, which meant that analysis runs for web threats showed multiple analysis reports.
As part of this release, we are deprecating the use of the legacy system, meaning that these duplicate reports (titled "instrumented browser" or "instrumented file-viewer") are no longer generated as part of the analysis.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises.
For Lastline Analyst On-Premises:
- Lastline Analyst version 1060
For Lastline Detonator On-Premises:
- Lastline Manager version 1060
- Lastline Engine version 1060
Released sandbox images versions
The sandbox images version will be upgraded to 2019-04-18-01.
Distribution Upgrade
Version 8.3.2 was the final version to support Ubuntu Trusty as our operating system distribution. In order to upgrade to 8.4, you must be running Xenial as the operating system distribution.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded.
For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.