Lastline Network and Email Defender On-Premises Release Notes

Version 9.5

New Features

  • Permalink Option for Interactive Analysis Reports
  • Home network setting to default to RFC1918 private IP ranges
  • Support for license-based permissions for custom intel
  • Allow configuration of archive file limit for on-premises defender
  • Change default NTP server to ntp.lastline.com

PERMALINK OPTION FOR INTERACTIVE ANALYSIS REPORTS

The permalink feature allows a link to an interactive Malware Analysis report to be shared with others in the organization without requiring them to log in to the NSX Defender Portal to view the details. To create a shareable report permalink, click the "Share Report" button while viewing an Analysis Report.

This new feature was tracked internally as FEAT-6081

HOME NETWORK SETTING TO DEFAULT TO RFC1918 PRIVATE IP RANGES

The home network setting has become increasingly important to Defender functionality. Home network information is taken into account throughout the detection and correlation pipeline, and is needed for accurate detection, classification and correlation of relevant threats.

For this reason, if a user has not configured a home network setting for a sensor group, we now default to setting its home network to the standard RFC1918 private IP ranges:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

For users who have already configured a home network for their sensor groups, nothing changes, but we encourage all users to verify that their home network setting is appropriate for their environment. Home network settings are located under Network -> Network Settings -> Home network.

This new feature was tracked internally as FEAT-6913
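To act on the verification advice above, the following is an added example (not part of these release notes or of the Lastline product): a Python check that reports observed internal hosts which a home network setting would treat as external. The host list is constructed for illustration, and the default ranges are the RFC1918 prefixes listed in this section.

```python
import ipaddress

# Default home network applied when a sensor group has none configured (RFC1918).
DEFAULT_HOME_NETWORK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_home_network(cidrs):
    """Parse a configured home network (list of CIDR strings) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_home_network(address, home_network):
    """True if the address falls inside any configured home network range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in home_network)


def find_uncovered_hosts(observed_hosts, home_network=DEFAULT_HOME_NETWORK):
    """Return observed internal addresses that the home network setting would treat as external."""
    return sorted(
        {h for h in observed_hosts if not in_home_network(h, home_network)},
        key=ipaddress.ip_address,
    )


# Constructed sample: internal hosts taken from an asset inventory or DHCP leases.
OBSERVED_HOSTS = [
    "10.20.1.15",       # covered by 10/8
    "172.31.255.254",   # last address inside 172.16/12
    "172.32.0.1",       # just outside 172.16/12
    "192.168.4.77",     # covered by 192.168/16
    "100.64.3.9",       # shared address space (RFC 6598), not RFC1918
    "203.0.113.40",     # public range used internally
]

if __name__ == "__main__":
    for host in find_uncovered_hosts(OBSERVED_HOSTS):
        print(f"{host} is outside the home network; add its range under "
              "Network -> Network Settings -> Home network")
```

Hosts reported by the check would be treated as external by the detection and correlation pipeline until their ranges are added to the sensor group's home network.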

SUPPORT FOR LICENSE-BASED PERMISSIONS FOR CUSTOM INTEL

The "can view custom threat intelligence entries" and "can manage custom threat intelligence entries" permissions are now available at per-license granularity.

This new feature was tracked internally as PLTF-2094

ALLOW CONFIGURATION OF ARCHIVE FILE LIMIT FOR ON-PREMISES DEFENDER

By default, a maximum of 25 files is extracted from an archive for malware analysis. Previously this limit was fixed; it can now be configured for a specific manager installation, along with other archive settings such as the depth to which nested archives are parsed. Please see the following VMware Knowledge Base article for instructions: https://kb.vmware.com/s/article/86279?lang=en_US. If you are unsure about any details, please contact VMware Support for more information.

This new feature was tracked internally as FEAT-7268

CHANGE DEFAULT NTP SERVER TO NTP.LASTLINE.COM

The default NTP server configured in lastline_register for appliances has been changed from update.lastline.com (or update.emea.lastline.com) to ntp.lastline.com (or ntp.emea.lastline.com).

This will not affect existing installations; however, in a future release update.lastline.com (and update.emea.lastline.com) will no longer be a valid domain for the NTP server configuration.

This new feature was tracked internally as CINF-696

Detection Improvements

  • TRES-1979: Improved detection of d77fd67d malware family.
  • FEAT-5882: A new anomaly detector for RDP records has been added. The detector learns the normal values of various fields in RDP connections and raises an alert when it observes an unexpected value.
  • TRES-1855: Improved detection of Abracadabra malware family.
  • TRES-1529: Improved detection of documents executing rundll32.
  • TRES-1990: Improved detection of malware abusing image file execution options.

Bug Fixes and Improvements

  • SENT-3227: Fix an issue where a sensor reconfiguration could cause a small number of email messages to be released without full analysis.
  • SENT-3261: Improved performance in the reverse resolution of NTA records during sensor data processing.
  • FEAT-7075: Fix issue that could cause some detections with verification outcome "failed" or "blocked" to have unexpectedly high impact score.
  • SENT-3250: Fix for a bug introduced in the previous release where the IDS service would fail to start on under-resourced appliances.
  • SENT-3198: The i40e driver in sniffing appliances was updated to version 2.11.25, adding support for some recently released NICs.
  • FEAT-7064: Improved performance and reduced memory usage in the processing of NTA records on sniffing appliances.
  • SENT-3208: Improved allocation of appliance threads to the sniffing components on the sensor. While this update will increase overall performance in most deployments, it will negatively affect appliances whose list of sniffing interfaces contains inactive or unused interfaces. We invite all customers to double-check their sniffing appliance configurations and ensure that the list of sniffing interfaces contains only active, useful interfaces.
  • SENT-3143: Fix for an issue where an appliance would not correctly respond to an attempt to disable processing of NTA URL logs.
  • SENT-3124: Fix for an issue where the ICAP daemon would not properly perform filetype pre-filtering when processing REQMOD requests. As a result, an ICAP installation that submitted a large number of HTTP request bodies could cause unreasonable load.
  • SENT-3098: Fixed an issue where we would incorrectly report packet loss statistics on sniffing sensors processing limited throughput.
  • LLANTA-1770: Increased the open files limit for Elasticsearch on data nodes to 1048576 (from the previous limit of 65535).
  • LLANTA-1762: Adjusted the OOM killer value for Elasticsearch on data nodes so that, in cases where the system is under memory pressure, it is unlikely that the Elasticsearch process is forcibly stopped.
  • LLANTA-1745: Fixed an issue with handling unexpected characters in the AWS netflow collector name.
  • LLANTA-1720: Fixed the parsing of malformed TLS certificates in anomaly detectors.
  • LLANTA-1116: Extended the monitoring logs for data nodes to report stats for thread pools in Elasticsearch (e.g., write and query pools), which can be used to determine the load status of the Elasticsearch cluster.
  • FEAT-6505: The TLS version and the cipher suite used in a TLS session are now exposed in TLS records accessible via the Network Explorer page.
  • TRES-1932: Improved detection of benign process hollowing.
  • LLANTA-1801: Improved the handling of flow records displayed as evidence for anomaly events by taking into account the flow's transport protocol.
  • FEAT-6922: Appliances now support configuring a shell inactivity timeout for interactive shell sessions. This setting is not enabled by default. For instructions on how to configure this new setting, refer to the Administration Operations Guide.
  • SENT-2941: Sensor appliance monitoring logs now include packet processing statistics collected from the IDS service. The statistics include average bandwidth, percentage of packet loss encountered, TCP reassembly anomalies (reassembly gaps) and cases of unexpectedly long flows (stream length reached). If any of the statistics reach abnormally high levels that may be indicative of a problem on the sniffing interface, the IDS component will be switched to warning state.
  • FEAT-6687: Sniffing and ICAP sensors now support extracting Executable and Linkable Format (ELF) files from the wire.
  • SENT-3220: Fix for an issue in the sensor netflow collector codebase where the presence of a large number of independent collector instances could cause the system to believe it was out of disk space.
  • SENT-3082: Fix for an issue where the hash allowlist on a sensor appliance would have no effect on the sniffing file processing pipeline.
  • PLTF-2670: Make sure last modified time for custom rules is displayed in user time zone.
  • FEAT-4626: A minimum version of TLS 1.2 is now required for connections to the AnonVPN service. Previously, less secure versions of TLS were allowed.

Deprecation of API Methods and Functionality

  • Remove McAfee DXL integration
  • macOS dynamic analysis sandbox no longer supported
  • Windows XP dynamic analysis sandbox no longer supported
  • Android-based APK file analysis no longer supported

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

REMOVE MCAFEE DXL INTEGRATION

We are announcing the removal of the existing integration with McAfee Threat Intelligence Exchange.

This deprecation was tracked internally as FEAT-6237

MACOS DYNAMIC ANALYSIS SANDBOX NO LONGER SUPPORTED

As announced previously, this release deprecates support for dynamic analysis on macOS operating systems. macOS engine appliances are no longer supported. We still continue to analyze macOS files that are likely to compromise systems, as well as PDF and Word documents that can impact macOS. For additional details please contact VMware Technical Support.

This deprecation was tracked internally as FEAT-6259

WINDOWS XP DYNAMIC ANALYSIS SANDBOX NO LONGER SUPPORTED

As announced previously, this release deprecates support for dynamic analysis on Windows XP operating systems. Most malware explicitly targeting Windows XP environments will still be detected using other analysis environments, analysis techniques and analysis of dormant code. For additional details please contact VMware Technical Support.

This deprecation was tracked internally as FEAT-6625

ANDROID-BASED APK FILE ANALYSIS NO LONGER SUPPORTED

As announced previously, this release deprecates support for the analysis of Android files for malicious content.

This deprecation was tracked internally as FEAT-6415

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1120
  • Lastline Engine version 1120
  • Lastline Data Node version 1120
  • Lastline Sensor version 1281
  • Lastline All-in-one (Pinbox) version 1120

Released Sandbox Images Versions

The sandbox image version has been updated to 2021-06-25-01.

Distribution Upgrade

Version 9.4.5 was the final version to support Ubuntu Xenial as the operating system distribution. In order to upgrade to 9.5, you must be running Bionic as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.

For help with the upgrade process, please refer to the following instructions. This upgrade is not performed automatically, to prevent unexpected downtime.
