Lastline Network and Email Defender On-Premises Release Notes

Version 9.6

New Features

  • AI-based scoring in Anti-Malware Sandbox
  • Prefilter for Scripts
  • Suricata 6 IDS Engine

AI-BASED SCORING IN ANTI-MALWARE SANDBOX

New AI-based scoring logic was introduced in the Anti-Malware Sandbox to improve detection quality and significantly reduce the number of false positives.

This new feature was tracked internally as FEAT-5239.

PREFILTER FOR SCRIPTS

A new script prefiltering component reduces the load on the customer's infrastructure by filtering clearly benign scripts out of sandbox analysis.

This new feature was tracked internally as FEAT-6141.

SURICATA 6 IDS ENGINE

The sensor ships with the Suricata IDS engine updated to version 6.0.4. This brings a number of performance and stability improvements, as well as new security functionality that may be leveraged in future releases.

This new feature was tracked internally as FEAT-7343.

Detection Improvements

  • LLAM-8537: Improved detection of patched UPX packed samples.
  • FEAT-7287: Improved correlation of lateral movement activity into campaigns. In particular, various types of server-side lateral movement are now better supported.
  • LLAM-8482: Improved detection for ELF samples with malformed ELF headers.
  • LLAM-8037: Reduced false positives on documents analysis.
  • LLAM-8249: Improved detection of ELF coinminer.
  • LLAM-7803: Improved detection for XLSB document downloaders.
  • TRES-2614: Improved detection of the Valyria malware.
  • TRES-2598: Improved detection of the XMR miner.
  • TRES-2563: Improved detection of the Meterpreter payload.
  • FEAT-6978: A new detector raises alerts upon observing anomalous spikes in the number of SMB logon failures. SMB logon events occur when users authenticate before accessing remote resources over the network. A spike in the number of SMB logon failures from one host can indicate a brute-force or password-spraying attempt.
  • LLAM-7607: Improved detection of malware samples that evade the sandbox by checking for characteristic CPU vendor information.
  • LLAM-8033: Improved detection of exploitation of CVE-2021-40444.
  • LLAM-8357: Improved detection of Monero miners.
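The following is an added illustration of the kind of logic behind a "spike in SMB logon failures" detector such as the one described in FEAT-6978. It is not Lastline's detector or code: the log line format, the field names, the one-minute window, and the thresholds (a floor of 5 failures, a per-source baseline of mean plus three standard deviations) are all assumptions made for the example, and the log lines are constructed, not captured traffic.

```python
"""Spike detector for SMB logon failures, run over constructed log lines.

Added example, not Lastline code. Per source host, logon failures are
bucketed into fixed windows; a window is flagged when its failure count
exceeds both an absolute floor and the host's own historical baseline.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format used only by this example:
#   <ISO-8601 UTC timestamp> smb_logon src=<ip> dst=<ip> user=<name> result=SUCCESS|FAILURE
LOG_RE = re.compile(
    r"^(?P<ts>\S+) smb_logon src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

WINDOW_SECONDS = 60          # assumed window size
MIN_FAILURES = 5             # never alert below this many failures in one window
SIGMA_FACTOR = 3.0           # spike = more than mean + 3 * stdev of the host's history
MIN_BASELINE_WINDOWS = 3     # need this many earlier windows before trusting the baseline

# Constructed sample: one host makes a couple of ordinary failed logons, then
# bursts eight failures against different accounts within one minute.
SAMPLE_LOG = """\
2021-11-05T10:00:05Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=alice result=SUCCESS
2021-11-05T10:00:40Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=alice result=FAILURE
2021-11-05T10:01:10Z smb_logon src=10.0.0.7 dst=10.0.0.20 user=bob result=SUCCESS
2021-11-05T10:01:35Z smb_logon src=10.0.0.7 dst=10.0.0.20 user=bob result=FAILURE
2021-11-05T10:02:30Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=alice result=FAILURE
2021-11-05T10:03:15Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=alice result=SUCCESS
this line is not an smb_logon event and must be skipped
2021-11-05T10:04:01Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=admin result=FAILURE
2021-11-05T10:04:04Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=backup result=FAILURE
2021-11-05T10:04:08Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=svc_sql result=FAILURE
2021-11-05T10:04:12Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=guest result=FAILURE
2021-11-05T10:04:17Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=root result=FAILURE
2021-11-05T10:04:21Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=test result=FAILURE
2021-11-05T10:04:25Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=dave result=FAILURE
2021-11-05T10:04:29Z smb_logon src=10.0.0.5 dst=10.0.0.20 user=erin result=FAILURE
"""


def parse_events(text):
    """Parse log lines into (timestamp, src, dst, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a detector must not crash on noise it does not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], m["user"], m["result"]))
    return events


def failure_counts(events):
    """Per source host: list of (window_index, failure_count), zero-filled
    between that host's first and last window so quiet minutes count in the baseline."""
    raw = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _user, result in events:
        if result == "FAILURE":
            raw[src][int(ts.timestamp()) // WINDOW_SECONDS] += 1
    series = {}
    for src, buckets in raw.items():
        lo, hi = min(buckets), max(buckets)
        series[src] = [(b, buckets.get(b, 0)) for b in range(lo, hi + 1)]
    return series


def detect_spikes(events):
    """Return one alert dict per (source, window) whose failure count exceeds
    max(MIN_FAILURES, baseline mean + SIGMA_FACTOR * baseline stdev)."""
    alerts = []
    for src, windows in failure_counts(events).items():
        history = []  # failure counts of this host's earlier windows
        for bucket, count in windows:
            threshold = float(MIN_FAILURES)
            if len(history) >= MIN_BASELINE_WINDOWS:
                mean = statistics.fmean(history)
                threshold = max(threshold, mean + SIGMA_FACTOR * statistics.pstdev(history))
            if count > threshold:
                start = datetime.fromtimestamp(bucket * WINDOW_SECONDS, tz=timezone.utc)
                alerts.append({"src": src, "window_start": start.isoformat(),
                               "failures": count, "threshold": threshold})
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['src']} window {alert['window_start']}: "
              f"{alert['failures']} SMB logon failures (threshold {alert['threshold']:.1f})")
```

Only 10.0.0.5's 10:04 window is flagged: its earlier windows average 0.5 failures, so the 8-failure burst clears both the absolute floor and the statistical baseline, while the single failure from 10.0.0.7 stays below the floor. The absolute floor is what keeps a host with a near-zero baseline from alerting on its first honest typo; a production detector would also use a much longer baseline and key on destination as well as source.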

Bug Fixes and Improvements

  • FEAT-7562: Fix and improve handling of OS security updates:
      - Ensure all tested security updates are installed when an appliance version is upgraded.
      - Ensure emergency security updates are automatically installed within 24 hours of release.
      - Remove the "Install daily OS security updates automatically" setting from the UI and replace it with an API setting.
      - Add the appliance management API setting "apt_allow_ubuntu_security_updates" (default "true"), which allows disabling automatic installation of emergency security updates (not recommended).
      - Notice: after a successful upgrade of an appliance to this version from an older version, perform a "Retrigger configuration" action from the web UI or API to ensure all security updates have been applied.
  • SENT-3390: Fix an issue where mail-specific allowlists would be incorrectly ignored by the appliance.
  • PLTF-2925: Improve scalability of processing of analysis results. This can result in significantly reduced IO load on the manager in installations where many files are captured for analysis on the network or in email.
  • LLANTA-2167: Fix an issue that caused some nodes (including those associated with reputation-based events) to not be included in the campaign blueprint.
  • PLTF-3040: Fix a performance issue in the processing of detection events that could result in high CPU usage in installations with many complex user-defined rules for event postprocessing/suppression.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1130
  • Lastline Engine version 1130
  • Lastline Data Node version 1130
  • Lastline Sensor version 1311
  • Lastline All-in-one (Pinbox) version 1130

Released Sandbox Images Versions

The sandbox images version will remain at 2021-06-25-01.

Distribution Upgrade

Version 9.4.5 was the final version to support Ubuntu Xenial as the operating system distribution. To upgrade to 9.6, the appliance must already be running Bionic.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.

For help with the upgrade process, please refer to the following instructions. The distribution upgrade is not performed automatically, to prevent unexpected downtime.
