Version 9.5
New Features
- Permalink Option for Interactive Analysis Reports
- Support for license-based permissions for custom intel
- Change default NTP server to ntp.lastline.com
PERMALINK OPTION FOR INTERACTIVE ANALYSIS REPORTS
The permalink feature allows a link to an interactive Malware Analysis report to be shared with others within the organization without requiring them to log in to the NSX Defender Portal to view the details. To create a shareable report permalink, click the "Share Report" button when viewing an Analysis Report.
This new feature was tracked internally as FEAT-6081
SUPPORT FOR LICENSE-BASED PERMISSIONS FOR CUSTOM INTEL
The "can view custom threat intelligence entries" and "can manage custom threat intelligence entries" permissions are now available at per-license granularity.
This new feature was tracked internally as PLTF-2094
CHANGE DEFAULT NTP SERVER TO NTP.LASTLINE.COM
The default NTP server configured in lastline_register for appliances has been changed from update.lastline.com (or update.emea.lastline.com) to ntp.lastline.com (or ntp.emea.lastline.com).
This will not affect existing installations; however, in a future release update.lastline.com (and update.emea.lastline.com) will no longer be a valid domain for the NTP server configuration.
This new feature was tracked internally as CINF-696
Detection Improvements
- TRES-1979: Improved detection of the d77fd67d malware family.
- FEAT-5882: A new anomaly detector for RDP records has been added. The detector learns the normal values of various fields in RDP connections and raises an alert when it observes an unexpected value.
- TRES-1855: Improved detection of the Abracadabra malware family.
- TRES-1529: Improved detection of documents executing rundll32.
- TRES-1990: Improved detection of malware abusing Image File Execution Options.
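To illustrate the learn-then-alert behaviour described for FEAT-5882, the following is an added example of a minimal per-server baseline detector over RDP connection records; it is not Lastline's detector, the record field names are assumed, and the training records are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Fields of an RDP connection record whose "normal" values are learned per
# destination server. Field names are assumed here, not Lastline's record schema.
MONITORED_FIELDS = ("keyboard_layout", "client_build", "security_protocol")
MIN_BASELINE_RECORDS = 3  # below this, a server's baseline is too thin to alert on

# Constructed training records (not real telemetry).
BASELINE_RECORDS = [
    {"server": "10.0.1.20", "keyboard_layout": "0x409", "client_build": "19041", "security_protocol": "HYBRID"},
    {"server": "10.0.1.20", "keyboard_layout": "0x409", "client_build": "19042", "security_protocol": "HYBRID"},
    {"server": "10.0.1.20", "keyboard_layout": "0x409", "client_build": "19041", "security_protocol": "HYBRID"},
    {"server": "10.0.1.30", "keyboard_layout": "0x407", "client_build": "19041", "security_protocol": "HYBRID"},
]


class RdpFieldAnomalyDetector:
    """Learns the set of observed values per (server, field) during training and
    reports any field whose value was never seen for that server."""

    def __init__(self, fields=MONITORED_FIELDS, min_records=MIN_BASELINE_RECORDS):
        self.fields = fields
        self.min_records = min_records
        self.seen: Dict[str, Dict[str, set]] = defaultdict(lambda: {f: set() for f in fields})
        self.count: Dict[str, int] = defaultdict(int)

    def train(self, records: Iterable[dict]) -> None:
        for rec in records:
            srv = rec["server"]
            self.count[srv] += 1
            for f in self.fields:
                if f in rec:
                    self.seen[srv][f].add(rec[f])

    def score(self, rec: dict) -> List[Tuple[str, str]]:
        """Return (field, value) pairs that deviate from the server's baseline.
        Returns [] when the server has too few training records to judge."""
        srv = rec["server"]
        if self.count[srv] < self.min_records:
            return []
        return [(f, rec[f]) for f in self.fields
                if f in rec and rec[f] not in self.seen[srv][f]]


def alerts_for(records: Iterable[dict]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Train on the constructed baseline, score new records, return only the alerts."""
    det = RdpFieldAnomalyDetector()
    det.train(BASELINE_RECORDS)
    return [(r["server"], det.score(r)) for r in records if det.score(r)]
```

A server with fewer than MIN_BASELINE_RECORDS training records is deliberately not scored, since a one-record baseline would flag almost every later connection.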
Bug Fixes and Improvements
- FEAT-4626: TLS 1.2 is now the minimum version required for connections to the AnonVPN service. Previously, less secure versions of TLS were allowed.
- FEAT-7075: Fix issue that could cause some detections with verification outcome "failed" or "blocked" to have unexpectedly high impact score.
- FEAT-6505: The TLS version and the cipher suite used in a TLS session are now exposed in TLS records accessible via the Network Explorer page.
- TRES-1932: Improved detection of benign process hollowing.
- FEAT-6922: Appliances now support configuring a shell inactivity timeout for interactive shell sessions. This setting is not enabled by default. For instructions on how to configure this new setting, refer to the Administration Operations Guide.
- PLTF-2670: The last modified time for custom rules is now displayed in the user's time zone.
Deprecation of API Methods and Functionality
- Remove McAfee DXL integration
- MacOS Dynamic Analysis sandbox no longer supported
- Windows XP dynamic analysis sandbox no longer supported
- Android-based APK file analysis no longer supported
No additional API methods are being deprecated or discontinued in this release.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
REMOVE MCAFEE DXL INTEGRATION
We are announcing the removal of the existing integration with McAfee Threat Intelligence Exchange.
This deprecation was tracked internally as FEAT-6237
MACOS DYNAMIC ANALYSIS SANDBOX NO LONGER SUPPORTED
As announced previously, this release deprecates support for dynamic analysis on macOS operating systems. macOS engine appliances are no longer supported. We continue to analyze macOS files that are likely to compromise systems, as well as PDF and Word documents that can impact macOS. For additional details, please contact VMware Technical Support.
This deprecation was tracked internally as FEAT-6259
WINDOWS XP DYNAMIC ANALYSIS SANDBOX NO LONGER SUPPORTED
As announced previously, this release deprecates support for dynamic analysis on Windows XP operating systems. Most malware explicitly targeting Windows XP environments will still be detected using other analysis environments, other analysis techniques, and analysis of dormant code. For additional details, please contact VMware Technical Support.
This deprecation was tracked internally as FEAT-6625
ANDROID-BASED APK FILE ANALYSIS NO LONGER SUPPORTED
As announced previously, this release deprecates support for the analysis of Android files for malicious content.
This deprecation was tracked internally as FEAT-6415
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:
- Lastline Analyst version 1120
and for Lastline Detonator On-Premises:
- Lastline Manager version 1120
- Lastline Engine version 1120
Released Sandbox Images Versions
The sandbox image version has been updated to 2021-06-25-01.
Distribution Upgrade
Version 9.4.5 was the final version to support Ubuntu Xenial as the operating system distribution. In order to upgrade to 9.5, the appliance must be running Bionic as the operating system distribution.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.
For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.