Lastline Network and Email Defender On-Premises Release Notes

Version 9.8

New Features

  • Introduce Permission for Viewing Analysis Reports of Other Accounts

INTRODUCE PERMISSION FOR VIEWING ANALYSIS REPORTS OF OTHER ACCOUNTS

This introduces a new permission "Can View Analysis History". With this permission, a user is able to view the history of file and URL analysis submissions performed by any account under Analyst -> Submission History. Users without this permission are only able to view their own submissions.

Previously, only users with administrator permissions were able to view submissions from other accounts.

This new feature was tracked internally as FEAT-7762.

Detection Improvements

  • LLAM-10326: Reduced false positives in script behavior analysis
  • LLAM-10825: Improved detection of malformed RTF
  • LLAM-11128: Improved detection of QiLin ransomware
  • LLAM-11117: Improved detection for Knight Ransom Loader
  • LLAM-11095: Improved detection for Darkgate
  • LLAM-11032: Improved detection of Akira ransomware
  • LLAM-10922: Improved detection of Kryptik
  • LLAM-10895: Improved detection of Shellcode Runner
  • LLAM-10902: Improved detection for Whirlpool Linux Backdoor
  • LLAM-10859: Improved detection of Sapphire Stealer
  • LLAM-10787: Improved detection of Mallox ransomware
  • LLAM-10695: Improved detection for Bandit stealer
  • LLAM-10693: Improved detection for IcedID trojan
  • LLAM-10685: Improved detection for Meduza Stealer
  • LLAM-10672: Improved detection for PyCrypter
  • LLAM-10826: Improved detection for Nitrogen Installer
  • LLAM-10775: Improved detection of Qakbot
  • LLAM-10670: Improved detection for Ponyshell Downloader
  • LLAM-10790: Improved detection for Amadey Clipper
  • LLAM-10704: Improved detection for Invicta Stealer
  • LLAM-10660: Improved detection for Perl Shellbot
  • LLAM-11139: Improved detection for MSIL Shellcode Downloader
  • LLAM-10894: Improved detection of a Powershell Loader
  • LLAM-10893: Improved detection for MathTypeObfs exploit
  • LLAM-11130: Improved detection for Mirai Botnet
  • LLAM-11131: Improved detection for Info Stealer
  • LLAM-10961: Detection improvement for OilRig Trojan
  • LLAM-10856: Improved detection for elevation of UIAccess applications
  • LLAM-10236: Improved detection of Disdroth trojan
  • LLAM-10237: Detection of Telegram bot (informational)
  • LLAM-10615: Improved detection of Bruteforce hacktool
  • LLAM-10617: Improved detection for Boxter Runner
  • LLAM-10649: Improved detection for GreetingGhoul Infostealer
  • LLAM-10546: Improved detection of Parite malware
  • LLAM-10555: Improved detection of Rootkits
  • LLAM-10570: Improved detection of Buhti ransomware
  • LLAM-10571: Improved detection of Earthworm hacktool
  • LLAM-10545: Improved detection of Kimsuky malware
  • LLAM-10475: Improved detection of Nukesped malware
  • LLAM-10474: Improved detection of CrimsonRAT
  • LLAM-10519: Improved detection for ClipBanker
  • LLAM-10473: Improved detection of Mirai MooBot
  • LLAM-10469: Improved detection of a Downloader
  • LLAM-10440: Improved detection of Keyplug malware
  • LLAM-10447: Improved detection of Amadey malware
  • LLAM-10525: Improved detection of ransomware
  • LLAM-10516: Improved detection of Python Stealer
  • LLAM-10529: Improved detection of Nokoyawa ransomware
  • LLAM-10505: Improved detection for the RokRat PowerShell starter
  • LLAM-10838: Improved detection for HookAMSI as found in Raccoon Stealer
  • LLAM-11172: Improved detection of a VBS Downloader
  • LLAM-11159: Improved detection for Ddostf Botnet
  • LLAM-11121: Improved detection of BATLoaders
  • LLAM-11120: Improved detection of RunPE Loader
  • LLAM-11046: Improved detection for Poverty Stealer
  • LLAM-11011: Improved detection for dotRunpeX Injector
  • LLAM-11018: Detection improvement for Stealer Loader
  • LLAM-10990: Improved detection for Bunny Loader
  • LLAM-10919: Improved detection of Webshell
  • LLAM-10915: Improved detection of Shellcode Runner
  • LLAM-10920: Improved detection of Blueshell malware
  • LLAM-10813: Improved detection of Mirai
  • LLAM-10762: Improved detection for Boxter Downloader
  • LLAM-10745: Improved detection of a Downloader
  • LLAM-10743: Improved detection of persistence techniques used by malware in the MEME#4CHAN attack
  • LLAM-10742: Improved detection of Rootkits
  • LLAM-10686: Improved detection for WarHawk backdoor
  • LLAM-10671: Improved detection for Mirai Condi Botnet
  • LLAM-10651: Improved detection for Clipper dropper
  • LLAM-10744: Improved detection of XWorm
  • LLAM-10735: Improved detection for Spyder trojan
  • LLAM-10774: Improved detection for Linpeas Hacktool
  • LLAM-10771: Improved detection of malware files in the MEME#4CHAN attack
  • LLAM-10747: Improved detection of Prikormka malware
  • LLAM-10668: Improved detection for Emeka Crypter
  • LLAM-11166: Improved detection of BeaverTail malware
  • LLAM-11137: Improved detection of Kinsing malware
  • LLAM-11129: Improved detection for Stealer Downloader
  • LLAM-10957: Improved detection for Veeam Dumper
  • LLAM-10975: Improved detection for MSIL Exploit CVE-2022-22718
  • LLAM-10989: Improved detection for Lumma Stealer
  • LLAM-10852: Improved detection for DreamBus Botnet
  • LLAM-10849: Improved detection of Qbot
  • LLAM-10848: Improved detection for Logcleaner Hacktool
  • LLAM-10842: Improved detection for Shellscript miner
  • LLAM-9980: Improved detection of NTDLL unhooking evasion
  • LLAM-10597: Improved detection for malicious LNK files executing msiexec.exe
  • LLAM-10563: Improved detection of BlackCat ransomware
  • LLAM-10562: Improved detection of Nanodump hacktool
  • LLAM-10561: Improved detection of Ligolo hacktool
  • LLAM-10595: Improved detection for malicious LNK files executing PowerShell
  • LLAM-10543: Improved detection for Mirai Botnet
  • LLAM-9979: Improved detection of NTDLL unhooking evasion
  • LLAM-10518: Improved detection for Qakbot

Bug Fixes and Improvements

  • PLTF-3652: Fixed an issue on the standby manager that could cause it to authenticate incorrectly to the active manager during install or upgrade, which could leave the standby manager in an Error state.
  • SENT-3700: Fixed an issue where the sensor would incorrectly estimate the number of flows being inspected in parallel on an appliance, causing the estimate to grow monotonically. This information is reported in the metrics section of the Appliances tab in the UI.
  • ASDK-572: The sensor component that submits files to the Lastline backend (RAPID) is allocated additional memory because it needs to process larger files. In addition, this component is now configured to silently restart its service periodically so that memory is released when it is no longer required. This should address the out-of-memory errors and restarts of this component that were sometimes observed in the previous release.
  • LLCC-2762: Improved database performance in environments with high disk throughput but high I/O latency, by increasing the number of concurrent I/O threads. Updated appliance diagnostic checks to account for this type of environment.

NSX NDR END-OF-LIFE (EOL) ANNOUNCEMENT FOR FILE ANALYSIS ON WINDOWS 7

To ensure a satisfactory level of security, it is not advisable to use Windows 7. As a consequence, testing the maliciousness of files in this environment is no longer deemed relevant. Therefore, we have decided to gradually phase out the analysis of files on Windows 7. With this latest release, file analysis on Windows 7 will become optional. All analysis on Windows 7 will cease in the next major release.

EXPLICIT PROXY DEPRECATION

NSX Defender On-premise 9.8 is the last major release to support the sensor explicit proxy capabilities. The sensor explicit proxy functionality allows running a Squid proxy on the appliance with basic TLS decapsulation. This feature will no longer be available in the next major release of NSX Defender On-premise. Support for ICAP integrations is not affected by this deprecation.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender On-Premises:

  • Lastline Manager version 1150
  • Lastline Engine version 1150
  • Lastline Data Node version 1150
  • Lastline Sensor version 1371

Released Sandbox Images Versions

The sandbox images version will remain at 2022-07-16-01.

Distribution Upgrade

Version 9.4.5 was the final version to support Ubuntu Xenial as the operating system distribution. In order to upgrade to 9.8, the appliance must be running Bionic as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.

9.7.5