Lastline Analyst and Detonator On-Premises Release Notes

Version 9.0.1

New Features

  • Docker IP Address Configuration

DOCKER IP ADDRESS CONFIGURATION

The lastline_register utility now prompts the user to provide a network address range to use for internal appliance services. In previous releases, this address range was statically configured on a 172.16.0.0/12 network, which could cause a conflict if the range was already in use in the local network.

For details, please refer to the installation manual.

This new feature was tracked internally as FEAT-4742.
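The conflict described above arises when the internal Docker range overlaps a subnet already in use on the local network. The check below is an added example, not part of Lastline's tooling: it tests a candidate range against a constructed list of in-use subnets and shows why the old 172.16.0.0/12 default collided with a typical 172.20.0.0/16 corporate subnet. The input format accepted by lastline_register is not described here and is not assumed.

```python
# Added example (not Lastline code): sanity-check a candidate internal
# appliance address range before entering it at the lastline_register prompt.
import ipaddress
from typing import Iterable, List

# Constructed sample of subnets routed on a hypothetical corporate network.
IN_USE_SUBNETS = [
    "10.0.0.0/8",        # corporate LAN
    "172.20.0.0/16",     # VPN address pool
    "192.168.100.0/24",  # management network
]

OLD_DEFAULT = "172.16.0.0/12"  # static range used by previous releases


def conflicting_subnets(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Return the in-use subnets that overlap the candidate range.

    Overlap in either direction counts (candidate inside an in-use subnet,
    or an in-use subnet inside the candidate). Raises ValueError if the
    candidate has host bits set, e.g. 172.16.0.1/12.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    conflicts = []
    for net_str in in_use:
        net = ipaddress.ip_network(net_str, strict=True)
        if net.version == cand.version and cand.overlaps(net):
            conflicts.append(str(net))
    return conflicts


def is_acceptable_internal_range(candidate: str, in_use: Iterable[str]) -> bool:
    """True if the range is a well-formed private (RFC 1918 / ULA) network
    that overlaps nothing currently in use."""
    try:
        cand = ipaddress.ip_network(candidate, strict=True)
    except ValueError:
        return False  # malformed prefix or host bits set
    if not cand.is_private:
        return False  # internal services should not squat on public space
    return not conflicting_subnets(candidate, in_use)


if __name__ == "__main__":
    print("old default conflicts with:", conflicting_subnets(OLD_DEFAULT, IN_USE_SUBNETS))
    for cand in ("192.168.200.0/24", "10.50.0.0/16", "172.32.0.0/16", "172.16.0.1/12"):
        print(cand, "acceptable" if is_acceptable_internal_range(cand, IN_USE_SUBNETS) else "rejected")
```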

Detection Improvements

  • TRES-1053: Improved detection of malicious MS Office documents with stomped VBA code.

Bug Fixes and Improvements

  • ANST-471: Stability improvement for data-retention of analysis results.
  • SENT-2587: Fixed an issue where a restart of the mail daemon (e.g. during an update) could, under certain conditions, cause messages to be held in the mail processing pipeline indefinitely.
  • SENT-2585: Fixed an issue where encoding issues in some of the email message headers could cause email MTA processing to reject the message with an 'Internal Server Error'.
  • SENT-2583: Fixed an issue where a mail sensor may fail to process messages that had been received by a prior version of the software before an update.
  • SENT-2570: Fixed an issue where the sensor SMB file extraction may erroneously submit large amounts of partial file transfers for analysis.
  • SENT-2521: Fixed an issue in the sensor file processing pipeline where the pipeline may get stuck upon update due to a communication error with the service in charge of the on-the-wire webpage inspection feature.
  • MALS-3043: The lastline_check_analysis_submission_load utility was extended to expose Analyst API submission average, maximum, and x-percentile duration information. Additionally, the tool now allows grouping information based on connection metadata to be sent to the API.
  • MALS-3021: Improved performance of Analyst API when searching for cached submission data.
  • MALS-3020: Stability fix for Analyst API submissions taking up to 4 hours.
  • MALS-2988: More robust handling of archives in Analyst API.
  • LLANTA-1120: In some circumstances, the data retention of NTA records was not applied, potentially leading to an overload of Data Nodes. This release fixes the data retention process.
  • LLADOC-820: Fixed an issue where a mail sensor may fail to process messages containing certain PDF attachments due to a segfault in the PDF parser.
  • FEAT-4833: Exposed the file's sha256 hash in Analyst API analysis reports.
  • FEAT-4568: Exposed MITRE ATT&CK stage data as part of the Analyst API analysis/detection results.
  • CINF-196: More reliable restart of internal services during upgrade.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:

  • Lastline Analyst version 1071

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1071
  • Lastline Engine version 1071

Released Sandbox Images Versions

The sandbox images version will remain at 2019-04-18-01.

Distribution Upgrade

Version 8.3.2 was the final version to support Ubuntu Trusty as our operating system distribution. In order to upgrade to 9.0.1, you must be running Xenial as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.
