Lastline Analyst and Detonator On-Premises Release Notes

Version 9.1

New Features

  • MITRE ATT&CK techniques and details now available in Analysis report
  • Added password protection support for analysis artifact download
  • Docker IP Address Configuration

MITRE ATT&CK TECHNIQUES AND DETAILS NOW AVAILABLE IN ANALYSIS REPORT

Users are now able to see the MITRE ATT&CK techniques and details under the Analysis Overview section in the Lastline Analysis report.

This new feature was tracked internally as FEAT-4590

ADDED PASSWORD PROTECTION SUPPORT FOR ANALYSIS ARTIFACT DOWNLOAD

Users downloading malicious files for further analysis via the Analysis Overview page now have the option of downloading an encrypted (password-protected) ZIP archive of the file, so that other solutions monitoring traffic do not automatically inspect the threat.

This new feature was tracked internally as FEAT-4627

DOCKER IP ADDRESS CONFIGURATION

The lastline_register utility now prompts the user to provide a network address range to use for internal appliance services. It defaults to the 169.254.64.0/20 network. In previous releases, this address range was statically configured on a 172.16.0.0/12 network, which could cause a conflict if the range was already in use in the local network. The new default is less likely to overlap with existing networks. If you previously configured an override to use a different network, this earlier configuration is still honored.

For details, please refer to the installation manual.

This new feature was tracked internally as FEAT-4742
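The conflict described above (an internal service range colliding with a network that is already routed locally) is easy to check for before accepting a range. The following script is an added example and is not Lastline's own code or part of lastline_register; it assumes a constructed list of site networks (SITE_NETWORKS) and compares the new 169.254.64.0/20 default and the old 172.16.0.0/12 default against them using Python's standard ipaddress module.

```python
"""
Added example (not Lastline code): validate a candidate internal address
range for appliance services against networks already in use at a site.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Defaults named in the 9.1 release notes: the new lastline_register default
# and the static range it replaces.
NEW_DEFAULT = "169.254.64.0/20"
OLD_DEFAULT = "172.16.0.0/12"

# Constructed sample of networks in use at a hypothetical site: an RFC 1918
# LAN, a VPN pool that happens to fall inside 172.16.0.0/12, and a DMZ.
SITE_NETWORKS = [
    "10.20.0.0/16",
    "172.20.5.0/24",     # lies inside the old 172.16.0.0/12 default
    "192.168.100.0/24",
]


def find_overlaps(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Return every in-use network (as a string) that overlaps the candidate.

    Overlap is symmetric: a candidate that contains a site network, or that is
    contained by one, both count as a conflict.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    clashes = []
    for net_str in in_use:
        # strict=False tolerates host-style entries such as 10.20.1.5/16
        net = ipaddress.ip_network(net_str, strict=False)
        if cand.overlaps(net):
            clashes.append(str(net))
    return clashes


def validate_range(candidate: str, in_use: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a candidate range is safe to use for internal services.

    Rejects any overlap with in-use networks, and rejects ranges that are
    neither private (RFC 1918) nor link-local, since internal appliance
    services should never be given globally routable space.
    """
    try:
        cand = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, "invalid network: %s" % exc
    clashes = find_overlaps(str(cand), in_use)
    if clashes:
        return False, "overlaps " + ", ".join(clashes)
    if not (cand.is_private or cand.is_link_local):
        return False, "not a private or link-local range"
    return True, "ok"


if __name__ == "__main__":
    for rng in (OLD_DEFAULT, NEW_DEFAULT, "8.8.8.0/24"):
        ok, reason = validate_range(rng, SITE_NETWORKS)
        print("%-18s %s (%s)" % (rng, "accept" if ok else "reject", reason))
```

Run stand-alone, the script rejects 172.16.0.0/12 because the constructed VPN pool 172.20.5.0/24 sits inside it, accepts 169.254.64.0/20, and rejects a public range. Replace SITE_NETWORKS with the ranges actually routed at your site (including VPN pools and cloud VPC ranges, which are the usual source of surprise collisions) before relying on the result.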

Detection Improvements

  • FEAT-4302: Improved detection of phishing URLs. The Lastline URL analysis engine analyzes a rendered web page and uses image similarity to recognize whether the page resembles a known phishing page.
  • TRES-928: Improved detection of evasive Microsoft Office documents using country-specific checks.
  • TRES-691: Improved detection of phishing PDF files.
  • TRES-1002: Improved certificate extraction from PE samples.
  • TRES-919: Reduced false positives on benign LNK files that point to a locally installed program.
  • TRES-876: Reduced false positives on benign Office documents which have a remote image on an unreachable server.
  • TRES-824: Improved detection of malware which has PowerShell script after the end of an archive to bypass detection.
  • TRES-749: Improved detection of Dridex banking trojan.
  • TRES-734: Improved detection of malware that uses extended file attributes to hide a malicious payload.
  • TRES-616: Improved detection of malware that abuses Microsoft-signed script proxy execution.
  • TRES-552: Improved detection of Microsoft Office documents that auto-load OLE objects.
  • FEAT-4515: Improved detection of malicious MS Office documents that use the VBA code protection feature to hide a malicious payload.
  • FEAT-4420: Unknown URLs extracted from MS Office documents or PDFs are analyzed in an instrumented browser to expose potential drive-by exploits or phishing pages.
  • FEAT-4088: The Lastline Analyst API can now submit URLs to the Lastline Hosted Service in order to improve detection of phishing attacks. This feature is optional, and is disabled by default.
  • TRES-843: Improved detection of malware with the ability to check the current keyboard layout.
  • FEAT-4372: Unknown URLs extracted from script or process memory during dynamic analysis in Windows sandboxes are analyzed in the instrumented browser to expose potential CnC or malicious updates.

Bug Fixes and Improvements

  • FEAT-4053: The Analyst API supports an improved way to collect internal information about completed tasks to be used by technical support engineers for customer support.
  • PLTF-1275: Fixed race condition that could occur under load and result in the portal returning 504 errors.
  • TRES-918: Improved scanner logic based on parent/child process relationships.
  • TRES-834: Reduced false positive rate for script-based automation tools.
  • TRES-722: Reduced false positive rate for benign installers.
  • FEAT-4293: Improved analysis performance for benign web analysis file subjects, such as JavaScript or HTML files.
  • FEAT-5038: Extended the Analyst API submission helper tools to support providing password candidates.
  • FEAT-4079: The Lastline Analyst API now allows submitting files for analysis using purely static- and AI-based analysis components. This trades some classification accuracy for speed: known threats are detected rapidly, but detection accuracy for 0-day threats may be reduced. This functionality is currently in BETA and exposed only to OEM integrations with specific, additional permissions.

Known Issues

With this release of Lastline Analyst and Lastline Detonator On-Premises 9.1, appliances upgraded from any version earlier than 9.1 may become stuck in the "In Progress" status. If this occurs, access the appliance console and run "service-lastline appliance-update restart", then re-trigger configuration on the appliance; the status should return to OK. If the issue persists, contact Lastline Technical Support for further assistance. A fix for this issue is included in this release, so future upgrades from 9.1 are not affected.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

KnowledgeBase features deprecation schedule

The following KnowledgeBase features will be deprecated in the Lastline Analyst and Detonator On-Premises 9.2 release:

  • To improve performance, the KnowledgeBase clustering service will be discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings will remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you cannot search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase will no longer provide the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:

  • Lastline Analyst version 1080

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1080
  • Lastline Engine version 1080

Released Sandbox Images Versions

The sandbox images version will remain at 2019-04-18-01.

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 starting with the release of Lastline Analyst and Lastline Detonator On-Premises 9.3. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page: https://support.lastline.com/hc/en-us/articles/224566907-Lastline-Hardware-Specifications-Dell-Hardware

Lastline Supported Browsers

With this release, we will support the current versions of Google Chrome, Apple Safari, Mozilla Firefox and Microsoft Edge for Windows. Support for issues identified with versions of Internet Explorer, as well as any other unlisted browsers, will be on a best-effort basis; identified bugs will only be addressed for currently supported browsers.

Distribution Upgrade

Version 8.3.2 was the final version to support Ubuntu Trusty as our operating system distribution. In order to upgrade to 9.1, you must be running Xenial as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.
