Version 9.6
New Features
- AI-based scoring in Anti-Malware Sandbox
- Prefilter for Scripts
AI-BASED SCORING IN ANTI-MALWARE SANDBOX
The new AI-based scoring logic was introduced in Anti-Malware Sandbox to increase the quality of the detection and significantly reduce the number of false positives.
This new feature was tracked internally as FEAT-5239
PREFILTER FOR SCRIPTS
A new script prefiltering component reduces the load on customer's infrastructure by filtering out clearly benign scripts from the sandbox analysis.
This new feature was tracked internally as FEAT-6141
Detection Improvements
- LLAM-8537: Improved detection of patched UPX packed samples.
- FEAT-7287: Improved correlation of lateral movement activity into campaigns. In particular, various types of server-side lateral movement are now better supported.
- LLAM-8482: Improved detection for ELF samples with malformed ELF headers.
- LLAM-8037: Reduced false positives on documents analysis.
- LLAM-8249: Improved detection of ELF coinminer.
- LLAM-7803: Improved detection for XLSB document downloaders.
- TRES-2614: Improved detection of the Valyria malware.
- TRES-2598: Improved detection of the XMR miner.
- TRES-2563: Improved detection of the Meterpreter payload.
- LLAM-7607: Improved detection for malware samples that evade sandbox by checking characteristic CPU vendor information.
- LLAM-8033: Improved detection of CVE-2021-40444.
- LLAM-8357: Improved detection of Monero miners.
Bug Fixes and Improvements
- PLTF-3040: Fix performance issue in processing of detection events, that could result in high CPU usage in cases where many complex user-defined rules for event postprocessing/suppression have been configured.
- PLTF-2925: Improve scalability of processing of analysis results. This can result in significantly reduced IO load on the manager in installations where many files are captured for analysis on the network or in email.
- FEAT-7562: Fix and improve handling of OS security updates: -- Ensure all tested security updates are installed when an appliance version is upgraded. -- Ensure emergency security updates are automatically installed within 24 hrs of release. -- Remove "Install daily OS security updates automatically" setting in the UI and replace it with an API setting. -- Add appliance management API setting "apt_allow_ubuntu_security_updates" (default "true") to allow disabling automatic installation of emergency security updates (not recommended). -- Notice: after a successful upgrade of an appliance to this version from an older version, it is recommended to perform a "Retrigger configuration" action from the web UI or API in order to ensure all security updates have been applied.
Deprecation of API Methods
No additional API methods are being deprecated or discontinued in this release.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On-Premises and Lastline Detonator On-Premises:
- Lastline Analyst version 1130
and for Lastline Detonator On-Premises:
- Lastline Manager version 1130
- Lastline Engine version 1130
Released Sandbox Images Versions
The sandbox images version will remain at 2021-06-25-01.
Distribution Upgrade
Version 9.4.5 was the final version to support Ubuntu Xenial as our operating system distribution. In order to upgrade to 9.6, you must be running Bionic as the operating system distribution.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.
For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.