Lastline Analyst and Detonator On-Premises Release Notes

Version 9.3

New Features

  • Added support for pushing image-based phishing detection updates
  • Added support for extra windows sandbox environment with custom localization
  • Added support for analysis of spreadsheetML files

ADDED SUPPORT FOR PUSHING IMAGE-BASED PHISHING DETECTION UPDATES

Lastline now supports the ability to push new image-based phishing signature updates to all customers in a matter of minutes without the need to upgrade to a newer package version.

This new feature was tracked internally as FEAT-4776.

ADDED SUPPORT FOR EXTRA WINDOWS SANDBOX ENVIRONMENT WITH CUSTOM LOCALIZATION

By default, the Lastline Windows sandbox performs analysis using the English (en-US) version of the guest operating systems. Lastline now supports the ability to specify a second language version when running lastline_register. The languages available for the guest operating systems (Windows 7 and Windows 10) are:

  • Chinese (zh-CN)
  • French (fr-FR)
  • German (de-DE)
  • Italian (it-IT)
  • Japanese (ja-JP)
  • Spanish (es-ES)

Enabling an additional language increases the load on the hardware provided for analysis, as every sample will be sent both to the default English guest operating system and to the guest operating system running with the selected second language. Each additional operating system is estimated to place on average another 50% load on the hardware for each O/S selected. However, the amount of extra load depends directly on the type of files observed in your environment; in some cases, the load might be up to 100%. It is likely you will need additional hardware to support the extra load. Please contact support if you have any concerns before enabling this feature.

This new feature was tracked internally as FEAT-5210.

ADDED SUPPORT FOR ANALYSIS OF SPREADSHEETML FILES

Lastline now supports the analysis of SpreadsheetML files.

This new feature was tracked internally as TRES-537.

Detection Improvements

  • TRES-1161: Improved detection of binaries that are built using AutoIt.
  • TRES-1341: Ursnif Gen13 now properly detected.
  • TRES-1438: Improved detection of Ursnif family.
  • TRES-1432: Fixed false positive on benign files caused by protection remover tool.
  • TRES-1423: Improved detection of viruses that search for EXE files.
  • TRES-1362: Improved detection of phishing PDF files.
  • TRES-1321: Improved detection of Sytro malware family.
  • TRES-1273: Improved detection of Service and Driver components of Turla malware.
  • TRES-1272: Improved detection of Darkshell rootkit drivers.
  • TRES-1243: Improved detection of Ursnif macro based samples.
  • TRES-1200: Improved detection of End of game malware.
  • TRES-1169: Added detection of C# compiler being invoked from non-powershell processes.
  • TRES-1149: Improved detection of Regasm/Regsvcs abuse (MITRE ID T1121).
  • TRES-1147: Improved detection of Donvibs malware family.
  • TRES-1137: Improved detection of XL4 macros in Office documents.
  • TRES-1096: Improved detection on ransomware using stealth technique to move files.
  • TRES-1054: Improved detection of Cyber Agent client samples.
  • TRES-1051: Improved detection of third-party files that claim Microsoft authorship.
  • TRES-1046: Improved detection of scripts that execute themselves multiple times.
  • TRES-1029: Implemented detection of signed binary proxy execution (MITRE T1218).
  • TRES-434: Improved detection of malformed ZIP archive files that use a byte order mark for detection bypass.
  • TRES-1483: Improved detection of CMSTP abuse (MITRE ID T1191).
  • TRES-1448: Improved detection of document files spawning Windows Host executable.
  • TRES-1396: Improved detection of Ursnif.
  • TRES-1293: Identify QEMU detection by Visual Basic 6 malware.

Bug Fixes and Improvements

  • FEAT-4940: Lastline now supports the submission of ELF (Linux) executables for static analysis.
  • USER-4422: Fixed an issue with password verification when editing an account.
  • USER-4320: Fixed an issue that was preventing the display of logged-in user records in the details section of an event.
  • TRES-1435: Fixed a bug involving the proper invocation of EQNEDT32.exe.
  • ANST-484: Improved data retention for analysis results: remove empty results directories to improve backup speed.
  • TRES-1384: Improved URL extraction from PDF documents.
  • TRES-846: Fixed LHA archive extraction problem.
  • MALS-3019: The Lastline Analyst API no longer supports mmh3 hashing. As a result, calling query_file_hash with an mmh3 hash will no longer return any results.
  • FEAT-5955: Customers are able to specify a password for downloaded artifacts from the Lastline portal.
  • FEAT-5741: Dynamic analysis of Flash files is no longer performed. This file type is less prevalent in most environments and static analysis covers these cases.
  • FEAT-5318: If the contents of an archive submitted for analysis can only be partially analyzed due to an error in unpacking, the Lastline Analyst API will now return an error describing the unpacking error.

End of support for TLS 1.1

Starting with this release, all requests to the Lastline user portal and APIs must use HTTPS with TLS 1.2 or above. TLS 1.1 is no longer supported. All client applications that send data to the Lastline portal or APIs are required to support TLS 1.2 or above. More details are here.
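The following is an added example, not part of these release notes or of any Lastline client library, showing how a client written against Python's standard library can enforce the TLS 1.2 minimum described above and audit its own configuration before sending data to the portal. It assumes only the `ssl` module; the legacy context is constructed here purely to contrast the weak setting with the corrected one.

```python
import ssl

# Minimum protocol version the Lastline portal and APIs accept from this release on.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Build a client-side TLS context that refuses anything below TLS 1.2.

    Certificate verification and hostname checking stay on (the defaults for
    PROTOCOL_TLS_CLIENT), so the portal's certificate is still validated.
    Pass the result as the ``context=`` argument of urllib.request.urlopen
    or http.client.HTTPSConnection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()                 # system trust store
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The weak configuration, shown only for contrast: accept whatever the
    OpenSSL build supports, which on older builds includes TLS 1.0 and 1.1.
    A client configured like this will be rejected by the portal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Return True when the context cannot negotiate below TLS 1.2.

    MINIMUM_SUPPORTED is a negative sentinel in ssl.TLSVersion, so a plain
    numeric comparison treats it (correctly) as weaker than TLS 1.2.
    """
    return ctx.minimum_version >= REQUIRED_MIN_VERSION


def negotiated_version_ok(version: str) -> bool:
    """Check the string reported by SSLSocket.version() after a handshake
    (e.g. 'TLSv1.2' or 'TLSv1.3') against the portal's requirement, so a
    client can log and abort before submitting a sample over a downgraded
    connection."""
    return version in {"TLSv1.2", "TLSv1.3"}
```

`context_meets_policy` is the pre-flight check to run once at client start-up; `negotiated_version_ok` is the per-connection check, fed with `sock.version()` from the wrapped socket after the handshake completes.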

Knowledgebase Feature Deprecation

The following KnowledgeBase feature is being deprecated with this release:

  • Industry information remains available and is displayed under the summary returned by searches in the Intelligence page. However, this information can no longer be used as a filter to refine your search. Filtering by detection severity, antivirus label or file type remains available.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises:

  • Lastline Analyst version 1100

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1100
  • Lastline Engine version 1100

Released Sandbox Images Versions

This release includes an update of sandbox images to version 2020-03-13-01, which may have an impact on the length of time the upgrade/installation takes. In order to minimize the potential impact, you can download the sandbox images before you perform the upgrade or install by following the instructions here.

End of Support For Dell R320 and Dell R420

With this release, Lastline is ending support for the Dell R320 and Dell R420. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.
