Lastline Analyst and Detonator On-Premises Release Notes

Version 9.2

New Features

  • Support for online DB migrations

Support for Online DB Migrations

During the upgrade of Lastline appliances, any required database schema migrations now happen at the start of the upgrade process via an online schema migration process, which avoids locking database tables. This reduces the potential for downtime during upgrades on installations with large amounts of data to be migrated.

This new feature was tracked internally as FEAT-4950.

Detection Improvements

  • FEAT-4855: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
  • TRES-1214: Improved detection of CVE-2020-0601.
  • TRES-935: Improved phishing document prefilters.
  • TRES-890: Improved detection of office phishing documents.
  • TRES-1308: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
  • TRES-1237: Improved detection of malicious MS Office documents that abuse subDocument tags to load an external document.
  • TRES-1171: Improved detection of Mansabo trojan.
  • TRES-1166: Improved detection of malicious URLs in documents.
  • TRES-1103: Improved detection of CVE-2015-1701.
  • TRES-1038: Improved detection of macro-based XLS Ursnif downloaders that use multiple macro modules for evasion.
  • TRES-1023: Improved detection of the Padodor malware family.
  • TRES-999: Improved detection of batch files that spawn Visual Basic Script files.
  • TRES-975: Improved detection of the Turla malware family.
  • TRES-901: Improved More_eggs backdoor detection.
  • TRES-547: Reduced false positives on benign files that were affected by privilege escalation signatures.
  • TRES-1234: Improved detection of phishing pages pretending to be the Microsoft login page.
  • TRES-1092: Improved detection of macro-based XLS Ursnif downloaders that use a filename check for evasion.
  • TRES-1041: Improved scanners to include MITRE ATT&CK information.
  • TRES-1032: Improved detection of malicious binaries packed with a custom packer.
  • TRES-948: Improved detection of malware abusing remote XLS files using WMI queries.

Bug Fixes and Improvements

  • TRES-927: Improved detection of malicious JAR files.
  • MALS-3091: Fixed a bug in the Analyst API utilities "submit_files.exe" and "submit_files.py" that would truncate files when uploaded from a Microsoft Windows system.
  • FEAT-5217: The Lastline Analyst API now reports errors found during sandbox dynamic analysis when all sandbox analysis runs have failed. This is intended to aid troubleshooting when submissions cannot be analyzed.
  • TRES-1282: Improved URL extraction during PDF analysis.
  • TRES-1125: Improved URL extraction from documents.
  • TRES-1105: Improved PE authenticode certificate blacklisting capabilities.
  • FEAT-4941: Analyst API now accepts ELF binaries for analysis. The analysis of ELF binaries will be limited to static detection of internal structure.

New Linux kernel: Reboot Recommended

Lastline has upgraded the Linux kernel running on each appliance from 4.4.0 to 4.15.0, which improves support for more recent hardware. A reboot is recommended on each appliance after the upgrade.

When running the appliance in a VMware virtual machine, you may experience a kernel boot lockup under the following conditions:

  • In the VM settings, hypervisor.cpuid.v0 = FALSE (this is not the default)
  • VMware version 6.5 or 5.5 on an Intel Xeon CPU E5-2620 v2/v4

If this issue is encountered while upgrading, steps for a workaround can be found here.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises:

  • Lastline Analyst version 1090.1

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1090.1
  • Lastline Engine version 1090.1

Released Sandbox Images Versions

The sandbox images version will remain at 2019-04-18-01.

Knowledgebase Feature Deprecation

The following KnowledgeBase features have been deprecated with this release:

  • To improve performance, the KnowledgeBase clustering service is discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you can no longer search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase no longer provides the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

Removal of Lastline Checkpoint Integration

Lastline's integration with the Check Point firewall has been removed from this release. The Check Point VPN-1 firewall product that the Lastline integration supported is no longer supported by Check Point. Please contact technical support if you have questions regarding this integration.

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 starting with the release of On-Premises 9.3. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page: https://support.lastline.com/hc/en-us/articles/224566907-Lastline-Hardware-Specifications-Dell-Hardware