Lastline Network and Email Defender On-Premises Release Notes

Version 9.7

New Features

  • Support enabling SSH password authentication for additional users
  • Support essentials-only backup for HA standby setup and takeover
  • New AI-based classifier for Windows PE files
  • Malware Analysis pipeline throughput optimization
  • Intelligent Anti-Malware Signatures for Windows PE files

SUPPORT ENABLING SSH PASSWORD AUTHENTICATION FOR ADDITIONAL USERS

Support has been added for specifying additional user accounts that can log in to the system console, or connect via SSH, using password authentication. The installation manual contains the steps to configure this feature.

This new feature was tracked internally as PLTF-3240.

SUPPORT ESSENTIALS-ONLY BACKUP FOR HA STANDBY SETUP AND TAKEOVER

Setting up a Standby Manager for High Availability requires first performing a full backup and creating a restore point from that backup. With this release, it is possible to instead perform an "essentials only" backup, and use it to create a restore point. This is a much smaller backup that is much faster to perform.

In this scenario, non-essential data on the Manager at the time of backup will not be replicated to the Standby Manager. After the Standby is running and replicating data from the Active Manager, however, new non-essential data created on the Active Manager will be replicated to the Standby.

This new feature was tracked internally as FEAT-7626.

NEW AI-BASED CLASSIFIER FOR WINDOWS PE FILES

A new AI-based scoring component has been introduced into Anti-Malware static analysis to increase detection quality. The component classifies PE files, and its result is visible in the report overview as "Anomaly: AI detected potential threat".

This new feature was tracked internally as FEAT-7677.

MALWARE ANALYSIS PIPELINE THROUGHPUT OPTIMIZATION

To utilize resources more efficiently, we introduce an optimization of the malware analysis pipeline that prefilters Windows PE files. PE files are analyzed first by our static analysis and ML-based components. If those components recognize a file as benign with high confidence, the file is not submitted to the dynamic analysis sandbox. This optimization decreases the waiting time for analysis of benign files and increases overall system throughput.

This new feature was tracked internally as FEAT-7655.

INTELLIGENT ANTI-MALWARE SIGNATURES FOR WINDOWS PE FILES

NSX NDR introduces a new signature-based scoring component into Anti-Malware static analysis to increase detection quality. The signatures are generated automatically by our threat intelligence system from malicious code reuse data. Each signature covers malicious samples belonging to the same malware family and is generated to be resilient to evasion. The new component analyzes Windows PE files.

This new feature was tracked internally as FEAT-7689.

Detection Improvements

  • LLAM-8872: Improved detection for Guloader malware
  • LLAM-8918: Improved detection for Mimikatz and SharpHound malware families
  • LLAM-8847: Improved detection for document files downloading an external payload
  • LLAM-9369: Improved detection for Powersploit
  • LLAM-9368: Improved detection for Mimikatz
  • LLAM-9334: Improved detection for Sliver
  • LLAM-8796: Improved detection for Mshta files spawned by LNK files
  • LLAM-8676: Improved detection for obfuscated HTML page
  • LLAM-8156: Improved detection for MirrorBlast Malware
  • LLAM-9056: Improved detection for DroperX
  • LLAM-9185: Improved detection for Scarecrow dropper JS malware
  • LLAM-9318: Improved detection for GwisinLocker ransomware
  • LLAM-8976: Improved detection for EmotetDropper using decryption routine
  • LLAM-8974: Improved detection for EmotetEncryptedRsrcId
  • LLAM-8665: Improved detection for leaked Nvidia certificates
  • LLAM-9424: Improved detection for Luna Ransomware
  • LLAM-9622: Improved detection for VIRTUALPITA malware
  • LLAM-9259: Improved detection for Lazagne, Meterpreter and Powersploit
  • LLAM-9258: Improved detection for Cobalt Strike and Lazagne
  • LLAM-9387: Improved detection for HelloKitty ransomware
  • LLAM-9384: Improved detection for Babuk ransomware
  • FEAT-7490: A new network anomaly detector has been introduced to alert the user when traffic using a known, sensitive protocol is observed over an unusual port, that is, a protocol and port pairing that is not the registered association according to network standards bodies such as the IANA. These anomalous events may indicate poor security practices or, in the worst cases, adversaries trying to bypass network protections such as firewall policies.
  • FEAT-7458: A new network anomaly detector has been introduced to alert the user of anomalies in the parameters of HTTP requests directed to internal web applications whose normal behavior can be learnt automatically. Anomalous parameters may indicate attempts by an attacker to discover or exploit vulnerabilities in the web application, such as directory traversal or SQL injection.
  • LLAM-8992: Improved detection for VBA trojan dropper
  • LLAM-8990: Improved detection for Korplug malware
  • LLAM-8988: Improved detection for Win64EmotetDropperDecryptionRoutine malware
  • LLAM-8875: Improved detection for Kingsoft potentially unwanted applications
  • LLAM-8682: Improved detection for ExcelAddIn
  • LLAM-8876: Improved detection for the following potentially unwanted applications:
      • AskToolbar
      • Babylon
      • Ad2345
      • RelevantKnowledge
  • LLAM-9001: Improved detection for Deadringer malware and its dropper
  • LLAM-9186: Improved detection for ScareCrow loader
  • LLAM-9017: Improved detection for the following malware and adware families:
      • AVUpdatekiller malware
      • Injector malware
      • EmotetDropper malware
      • Linkury adware
  • LLAM-9118: Improved detection for Injector malware family
  • LLAM-8787: Improved detection for Nsis based Injector malware
  • LLAM-9090: Improved detection for malware that exploits the CVE-2022-30190 vulnerability
  • LLAM-8975: Improved detection for EmotetEncryptedRsrcId
  • LLAM-9525: Improved detection for kkrunchy packer
  • LLAM-9373: Improved detection for an anti-analysis technique leveraged by various malware families
  • LLAM-9210: Detection improved for DynamicLoader, ChromeLoader, YTStealer and TrojanMiner
  • LLAM-9187: Detection improved for the Bladabindi malware family for major threats
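
The two network anomaly detectors listed above (FEAT-7490 and FEAT-7458) are described only at the level of what they alert on. The following is an added illustration, not Lastline or NSX NDR code, of how such detectors work in principle: a protocol/port mismatch check against a (here, deliberately tiny) table of IANA-registered ports, and a per-parameter HTTP baseline that learns the character class and length of each parameter during a training window and then flags values outside that profile. The flow records, HTTP requests, character classes and thresholds are all constructed assumptions for the example.

```python
"""Added example (not Lastline/NSX NDR code): simplified versions of a
protocol-over-unusual-port detector and an HTTP parameter anomaly detector.
All reference data and traffic below is constructed for illustration."""
import re

# Assumption: a few sensitive protocols and their IANA-registered ports.
# A real detector would carry the full IANA service-name/port assignments.
REGISTERED_PORTS = {
    "ssh": {22},
    "rdp": {3389},
    "smb": {139, 445},
    "ftp": {21},
    "telnet": {23},
    "dns": {53},
}


def protocol_port_anomalies(flows):
    """Return one alert per flow whose application protocol (as identified by
    payload inspection, not by port) was seen on a port not registered for it.
    Each flow is a dict with keys src, dst, dport, proto."""
    alerts = []
    for f in flows:
        expected = REGISTERED_PORTS.get(f["proto"])
        if expected is None:
            continue  # protocol not in the sensitive set: no opinion
        if f["dport"] not in expected:
            alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                           "proto": f["proto"], "expected": sorted(expected)})
    return alerts


# Ordered from most to least restrictive; the first match names the class.
_CHAR_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9]+$")),
    ("token", re.compile(r"^[A-Za-z0-9._\-]+$")),
]


def char_class(value):
    for name, rx in _CHAR_CLASSES:
        if rx.match(value):
            return name
    return "other"  # spaces, quotes, slashes, etc. land here


class HttpParamBaseline:
    """Learns, per (path, parameter), the character classes and maximum length
    observed during training; values outside that profile are anomalous."""

    def __init__(self):
        self.profile = {}  # (path, param) -> {"classes": set, "max_len": int}

    def learn(self, path, params):
        for name, value in params.items():
            p = self.profile.setdefault((path, name), {"classes": set(), "max_len": 0})
            p["classes"].add(char_class(value))
            p["max_len"] = max(p["max_len"], len(value))

    def check(self, path, params):
        findings = []
        for name, value in params.items():
            p = self.profile.get((path, name))
            if p is None:
                findings.append((name, "unknown parameter"))
                continue
            cls = char_class(value)
            if cls not in p["classes"]:
                findings.append((name, f"character class {cls} never seen"))
            if len(value) > 2 * p["max_len"]:  # assumed tolerance: twice the baseline
                findings.append((name, "length far above baseline"))
        return findings


# Constructed sample traffic: SSH on 443 and RDP on 8080 are the mismatches;
# HTTP on 80 is not in the sensitive set and is ignored.
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 22, "proto": "ssh"},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "proto": "ssh"},
    {"src": "10.0.0.8", "dst": "10.0.0.20", "dport": 8080, "proto": "rdp"},
    {"src": "10.0.0.8", "dst": "10.0.0.20", "dport": 80, "proto": "http"},
]

# Constructed training requests for an internal application.
TRAINING = [
    ("/app/item", {"id": "1042", "sort": "name"}),
    ("/app/item", {"id": "17", "sort": "price"}),
    ("/app/item", {"id": "3", "sort": "name"}),
]


def train_baseline():
    b = HttpParamBaseline()
    for path, params in TRAINING:
        b.learn(path, params)
    return b


if __name__ == "__main__":
    for a in protocol_port_anomalies(FLOWS):
        print("port anomaly:", a)
    baseline = train_baseline()
    print(baseline.check("/app/item", {"id": "1 OR 1=1", "sort": "name"}))
```

In this toy, a value like `1 OR 1=1` for a parameter that only ever carried digits is flagged because its character class was never seen, and a long path-like value for `sort` is flagged both for class and for length; a previously unseen parameter name is reported on its own. A production detector would also need a training-quality gate (enough distinct requests per endpoint before alerting) and a way to age out stale profiles.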

Bug Fixes and Improvements

  • PLTF-3130: Fixed an issue where sensor group functionality was not taken into account for custom postprocessing rules.
  • SENT-3499: Fixed an issue where sensor appliances generating unusually large amounts of HTTP NTA events could lead to excessive load in the backend processing.
  • FEAT-7567: The custom YARA rule description shown in the analysis report overview now includes the rule name and version provided by the customer.
  • LLANTA-2385: Updated Elasticsearch and Kibana to version 6.8.23.
  • LLAM-8951: Improved scoring of custom YARA signatures during URL analysis.
  • FEAT-7571: Improved account security by increasing the minimum password length to 12 characters for all new passwords.
  • LLAM-8272: Fixed a downloading issue for the additional non-English environments for the sandbox analysis.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1140
  • Lastline Engine version 1140
  • Lastline Data Node version 1140
  • Lastline Sensor version 1331
  • Lastline All-in-one (Pinbox) version 1140

Released Sandbox Images Versions

The sandbox images version will be updated to 2022-07-16-01.

Distribution Upgrade

Version 9.4.5 was the final version to support Ubuntu Xenial as our operating system distribution. In order to upgrade to 9.7, you must be running Bionic as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.
