Lastline Analyst and Detonator On-Premises Release Notes

Version 9.4

Distribution Upgrade

Version 9.4 will be the final version that supports Ubuntu Xenial as the operating system distribution. In all future releases, Ubuntu Bionic will be required. To support this distribution upgrade, 9.4 will support both Ubuntu Xenial and Ubuntu Bionic. Before upgrading to any future version, appliances on Ubuntu Xenial must be upgraded to Ubuntu Bionic while running version 9.4. The upgrade of the distribution will require a reboot and may take up to an hour to complete.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.

New Features

  • License check during Engine installation

LICENSE CHECK DURING ENGINE INSTALLATION

Starting with this release, the appliance registration tool requires you to enter the Product Keys for the Microsoft Windows and Microsoft Office software allocated for running the dynamic analysis sandbox on Analyst, Engine, and All-in-one (Pinbox) appliances.

As per the EULA, these third-party licenses were already required for previous installations, but the installation wizard in lastline_register did not require entering them as part of the installation.

Under Appliance Status, the web-portal now shows which appliances have product keys registered, and the lastline_register configuration utility was extended to allow you to update the Product Keys for previously installed appliances. For details, refer to the appliance installation manuals.

This new feature was tracked internally as FEAT-6547.

Detection Improvements

  • TRES-1176: Improved detection for malware that uses conditional command-line execution.
  • TRES-1684: Improved detection of VBA macros and documents that abuse regsvr32.
  • TRES-1586: Improved detection of Python-based malware that detects virtual environments.
  • TRES-1583: Improved detection of Snake ransomware.
  • TRES-1526: Improved static detection of archive-bombs.
  • TRES-1199: Improved detection of malicious encrypted Excel document attachments in email.
  • TRES-1884: Improved detection of Cobalt Strike implant.
  • TRES-1683: Improved detection of documents that leverage Document_Close to trigger their malicious behavior.
  • TRES-1627: Improved detection of malicious XL4 weaponized XLS documents.
  • TRES-1590: Improved detection of ZLoader.
  • TRES-1572: Improved detection of documents accessing geolocation services.
  • TRES-1521: Added detection of malicious Excel documents weaponized with XL4 macro with DConn records.
  • TRES-1279: Improved detection of Shell.Explorer Objects in OLEs.

Bug Fixes and Improvements

  • FEAT-5905: A list of password candidates may be provided when submitting a URL using the Analyst API. This list is used if the URL points to an encrypted file (for example, an encrypted archive).
  • USER-4687: Fixed an issue where inappropriate permissions were being set while creating multiple user accounts.
  • TRES-1915: Fixed a bug related to process creation through WMI.
  • TRES-1594: Added support for Unicode characters in file names inside archives.
  • USER-3220: Fixed a bug where the global search icon in the analysis report view redirected the user to a 404 error page.
  • TRES-1373: Fixed a problem in document application bundle analysis: when a document file is submitted with a password and an incorrect extension, the extension is now renamed to the proper one.
  • TRES-581: Fixed a bug in dynamic analysis where an unknown process "sample.exe" appeared in the report.
  • MALS-3294: Removed SSDeep hash information extracted during static analysis of applications.

Changes to macOS and Android Support

In the next release, 9.5, we will be changing the way in which we analyze macOS and Android files. We will continue to analyze the macOS files that are likely to compromise systems, as well as PDF and Word documents that can impact both macOS and Windows operating systems. However, Android and some macOS file types will no longer be analyzed, and the llama-macos service will no longer be used or installed. For additional details, please contact Lastline Support.

Deprecation of API Methods

The following KnowledgeBase features, announced for deprecation in On-Premise 9.2, will be effectively decommissioned, both at the UI and API levels, in the Lastline Analyst and Detonator On-Premise 9.4 release:

  • To improve performance, the KnowledgeBase clustering service will be discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings will remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you cannot search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase will no longer provide the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:

  • Lastline Analyst version 1110

and for Lastline Detonator On-Premises:

  • Lastline Manager version 1110
  • Lastline Engine version 1110

Released Sandbox Images Versions

The sandbox images version will remain at 2020-03-13-01.
