Lastline Enterprise On-Premises Release Notes

Version 6.3

New features

  • In-depth Windows Kernel Analysis
  • Persistent sensor and license selection
  • Improved sensor selection in dashboard
  • Microsoft SMB protocol support
  • Improved display of traffic capture for network events
  • Display captured URLs for network events
  • Similar events dropdown
  • Hide/show offline sensors in sensor status widget
  • Improved archive analysis and report
  • Stats on all files downloaded in the network
  • Appliance status improvements
  • Support for triggering blocking of malicious traffic with custom IDS rules
  • Notification of broken customer-provided IDS rules
  • Portal fixes
  • CSRF vulnerability fix
  • Session fixation fix
  • Manuals page

In-depth Windows Kernel Analysis

We greatly improved support for in-depth dynamic analysis of Windows kernel rootkits. This provides unprecedented insights into this pernicious type of malware hidden in the kernel of Microsoft Windows operating systems and helps better detect and respond to kernel-based threats with enhanced, in-depth analysis. This kernel-mode analysis capability adds to existing network-based detection of kernel components in the platform.

Persistent sensor and license selection

The portal now remembers what license or sensor was selected, and this selection persists across tabs and across sessions.

Improved sensor selection in dashboard

When selecting a sensor in the dashboard, it is now possible to select "all licenses" in the license dropdown and directly select any sensor from the sensor dropdown.

Microsoft SMB protocol support

Lastline sensors can now capture, for analysis, files transferred over the protected network using the Microsoft SMB protocol version 2.

Improved display of traffic capture for network events

Display of captured traffic has been improved. As an alternative to viewing the raw captured traffic, the portal can now display application-layer information extracted from the traffic for common protocols such as HTTP.

Display captured URLs for network events

When viewing the details of a network event in the Lastline Enterprise Portal, the "Captured traffic" section now includes a listing of the URLs that were captured in the traffic associated with that network event.

Similar events dropdown

The event details now include a "similar events" dropdown. This dropdown provides a shortcut for viewing other events from the same time frame as the selected one, based on one or more filter criteria, such as having the same source, destination, malware, or being detected by the same sensor.

Hide/show offline sensors in sensor status widget

The sensor status widget in the Dashboard page has been improved, and is now more consistent with what is shown in the appliance overview.

  • By default, offline sensors are no longer included in the widget
  • A user can select to show or hide offline sensors
  • An offline sensor is considered to be in a "warning" (yellow) state

Improved archive analysis and report

When an archive file (such as a zip file) is submitted for analysis, multiple analysis tasks may now be started for different files contained within the archive. Furthermore, the analysis report for the archive itself now contains links to each individual analysis task.

Stats on all files downloaded in the network

The graphs showing downloaded files over time in the Dashboard and Downloads pages can now optionally show numbers for all files that were downloaded in the protected network, as opposed to only for the subset of downloaded files that were uploaded for malware analysis.

Appliance status improvements

The display of appliance status has been improved, to make it more consistent with the appliance overview:

  • Appliance update status is now shown
  • The status of the last (configuration) action is now shown

Support for triggering blocking of malicious traffic with custom IDS rules

We now support blocking of malicious flows based on customer-provided IDS rules with the "reject" action (i.e., rules starting with the "reject" keyword, as opposed to the more common "alert" action). When blocking is enabled for the Sensor and such a rule matches observed network traffic, the Sensor injects TCP RST packets into the offending flow to terminate it.

Notification of broken customer-provided IDS rules

We now notify customers who use our Custom Intelligence API when any custom IDS rules they provide fail to install correctly on the Sensor. The list of any such rules is visible in the Monitoring Logs section of a given appliance in the Appliances pane of the web UI. The notifications include the signature ID (sid) and group ID (gid) as provided in the rules when they were passed to the Custom Intelligence API. We currently do not include the reason why rule installation failed, but plan to do so in a future release.
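Because the Sensor currently reports only the sid and gid of a rule that failed to install, it pays to check custom rules before pushing them through the Custom Intelligence API, and to know which of them will terminate flows rather than just alert. The following pre-flight validator is an added example written for these notes; it is not Lastline code and does not use the Custom Intelligence API. It assumes Snort/Suricata-style rule syntax, treats only the two actions the notes mention ("alert" and "reject") as expected, and runs over a constructed sample rule file that deliberately includes three defective rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample rule set for this example (not taken from the release notes).
# It mixes "alert" and "reject" rules with three deliberately defective ones.
SAMPLE_RULES = """\
# custom rules to be pushed through the Custom Intelligence API
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Custom: outbound to 4444"; sid:9000001; gid:1; rev:1;)
reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Custom: block beacon"; content:"beacon"; sid:9000002; rev:2;)
drop tcp any any -> any 80 (msg:"Custom: action not in alert/reject"; sid:9000003; rev:1;)
alert tcp any any -> any 443 (msg:"Custom: no sid"; rev:1;)
reject tcp any any -> any 25 (msg:"Custom: unbalanced parens"; sid:9000005; rev:1;
"""

# Assumption: the release notes name only "alert" and "reject"; anything else is
# flagged so it gets reviewed before reaching the Sensor.
KNOWN_ACTIONS = {"alert", "reject"}

# Snort/Suricata-style header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class RuleCheck:
    line_no: int
    action: str
    sid: Optional[int]
    gid: int
    blocks: bool  # True only for "reject" rules: the Sensor injects RSTs when blocking is on
    errors: List[str] = field(default_factory=list)


def option_value(options: str, key: str) -> Optional[str]:
    """Return the value of a keyword option such as 'sid:123;', or None if absent."""
    m = re.search(r"(?:^|;)\s*" + re.escape(key) + r"\s*:\s*([^;]+);", options)
    return m.group(1).strip() if m else None


def check_rule(line_no: int, line: str) -> RuleCheck:
    action = line.split(None, 1)[0]
    check = RuleCheck(line_no=line_no, action=action, sid=None, gid=1,
                      blocks=(action == "reject"))
    if action not in KNOWN_ACTIONS:
        check.errors.append(f"unexpected action '{action}' (expected alert or reject)")
    m = HEADER_RE.match(line)
    if not m:
        check.errors.append("malformed header or unbalanced option parentheses")
        return check
    options = m.group(8)
    sid = option_value(options, "sid")
    if sid is None or not sid.isdigit():
        check.errors.append("missing or non-numeric sid")
    else:
        check.sid = int(sid)
    gid = option_value(options, "gid")
    if gid is not None and gid.isdigit():
        check.gid = int(gid)  # gid defaults to 1 when not given, as in Snort/Suricata
    return check


def check_rules(text: str) -> List[RuleCheck]:
    results = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        results.append(check_rule(n, line))
    return results


def broken_rules(checks: List[RuleCheck]) -> List[Tuple[int, Optional[int], str]]:
    """(gid, sid, first error) for every rule that would fail to install."""
    return [(c.gid, c.sid, c.errors[0]) for c in checks if c.errors]


def blocking_rules(checks: List[RuleCheck]) -> List[Tuple[int, Optional[int]]]:
    """(gid, sid) of valid reject rules: these terminate flows instead of only alerting."""
    return [(c.gid, c.sid) for c in checks if c.blocks and not c.errors]


if __name__ == "__main__":
    checks = check_rules(SAMPLE_RULES)
    for gid, sid, err in broken_rules(checks):
        print(f"BROKEN   gid={gid} sid={sid}: {err}")
    for gid, sid in blocking_rules(checks):
        print(f"BLOCKING gid={gid} sid={sid}")
```

Run it against the rule file you intend to upload; the (gid, sid) pairs it prints for broken rules are the same identifiers the Monitoring Logs will show, and the "blocking" list is worth a second look whenever blocking is enabled on the Sensor, since a typo in a reject rule's header can reset legitimate connections rather than merely raise an alert.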

Portal fixes

A number of minor fixes and improvements were made to the Lastline Enterprise Portal.

  • Additional help icons (question marks) are now shown next to widgets in the portal. They provide some information about the widget and a link to the more extensive documentation in the portal guide.

  • The sensor status widget now displays correct information when a single sensor is selected.

  • Fixed a bug that sometimes caused inaccurate display of the status of the mail component in the sensor status widget.

  • Fixed a memory leak that caused browser tabs to crash if certain pages of the Lastline Portal were left open for a long time.

  • Fixed a bug that could lead to the display of outdated information about a sensor license (such as the sensor name), caused by an inappropriate policy for caching information in the browser's local storage.

CSRF vulnerability fix

This version fixes a cross-site request forgery (CSRF) vulnerability in the Lastline Portal. In previous versions of the portal, an attacker could trick the browser of a victim user who was already authenticated to the portal into performing attacker-chosen API requests on the Lastline Portal. Successful exploitation of the CSRF flaw would let the attacker act on the portal with the permissions of the victim user. The impact of this vulnerability is mitigated by the fact that the attacker would need to lure the victim user to a malicious website while the victim is authenticated to the portal.

Credit for reporting this vulnerability goes to Dana Traversie and Sean Wright from Dell SecureWorks and Francisco Ribeiro from Mimecast. This issue is tracked by Dell as Security Advisory SWRX-2015-002.
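The flaw described above is the general CSRF pattern: the browser attaches the portal's session cookie to any request, including one auto-submitted by an attacker's page, so a handler that relies on the cookie alone cannot tell the victim's own clicks from the attacker's. The following simulation is an added example written for these notes, not Lastline's portal code, and says nothing about how the portal's fix is actually implemented. The origins, the "/api/add_key" endpoint and the form fields are assumptions constructed for the demo. It contrasts a cookie-only handler with one that additionally requires a session-bound synchronizer token and a same-origin Origin/Referer header on state-changing requests.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

PORTAL_ORIGIN = "https://portal.example.invalid"    # assumed portal origin for this example
ATTACKER_ORIGIN = "https://evil.example.invalid"    # assumed attacker-controlled site


@dataclass
class Session:
    user: str
    # Synchronizer token: unguessable, bound to this session and rendered only into
    # the portal's own pages, so a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


class Portal:
    def __init__(self, csrf_protection: bool) -> None:
        self.csrf_protection = csrf_protection
        self.sessions: Dict[str, Session] = {}
        self.api_keys: Dict[str, Set[str]] = {}   # per-user state an attacker wants to change

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user=user)
        return token

    def csrf_token_for(self, session_token: str) -> str:
        """What the portal embeds in its own forms and API calls."""
        return self.sessions[session_token].csrf_token

    def handle(self, req: Request) -> int:
        """Return the HTTP status the portal would answer with."""
        session = self.sessions.get(req.cookies.get("session", ""))
        if session is None:
            return 401                      # the cookie alone decides who you are...
        if req.method == "POST" and self.csrf_protection:
            # ...so a state-changing request must also prove it came from the
            # portal itself: same-origin Origin/Referer and a matching token.
            origin = req.headers.get("Origin") or req.headers.get("Referer", "")
            if origin != PORTAL_ORIGIN and not origin.startswith(PORTAL_ORIGIN + "/"):
                return 403
            supplied = req.form.get("csrf_token", "")
            if not secrets.compare_digest(supplied, session.csrf_token):
                return 403
        if req.method == "POST" and req.path == "/api/add_key":
            self.api_keys.setdefault(session.user, set()).add(req.form["key"])
            return 200
        return 404


def browser_post(portal: Portal, session_cookie: str, origin: str, form: Dict[str, str]) -> int:
    """The browser attaches the portal cookie to a form post regardless of which page sent it."""
    req = Request("POST", "/api/add_key", {"session": session_cookie}, {"Origin": origin}, form)
    return portal.handle(req)


def cross_site_attack_succeeds(csrf_protection: bool) -> bool:
    """Victim is logged in; a page on the attacker's site auto-submits a form to the portal."""
    portal = Portal(csrf_protection)
    cookie = portal.login("victim")
    # The attacker can guess a token but cannot read the victim's real one.
    browser_post(portal, cookie, ATTACKER_ORIGIN, {"key": "attacker-key", "csrf_token": "guess"})
    return "attacker-key" in portal.api_keys.get("victim", set())


def legitimate_post_status(csrf_protection: bool) -> int:
    """The portal's own page submits the same request with the real token."""
    portal = Portal(csrf_protection)
    cookie = portal.login("victim")
    form = {"key": "my-key", "csrf_token": portal.csrf_token_for(cookie)}
    return browser_post(portal, cookie, PORTAL_ORIGIN, form)


if __name__ == "__main__":
    print("cookie-only handler, attack succeeds:", cross_site_attack_succeeds(False))
    print("token + origin check, attack succeeds:", cross_site_attack_succeeds(True))
    print("legitimate request with protection on:", legitimate_post_status(True))
```

The two checks are deliberately independent: the Origin/Referer check stops the common case early, and the synchronizer token covers requests where those headers are missing or stripped. Marking the session cookie SameSite (in browsers that honour it) adds a further layer but is not a substitute for the token, since a user who is lured to the attacker's page while logged in is exactly the scenario the notes describe.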

Session fixation fix

This version fixes an issue that, in specific scenarios, enabled session fixation and session hijacking attacks against the Lastline Portal. Before this version, the Lastline Portal did not regenerate the session token after a successful login. If an attacker obtained (or planted) the session token assigned to an unauthenticated user, e.g., via a phishing or man-in-the-browser attack, and that user later logged in to the Lastline Portal, the attacker could use that same token to hijack the authenticated session. Note that the Lastline Portal has always stored the session token in an HttpOnly cookie, so less powerful attacks (e.g., XSS) could not read the token and were not sufficient to hijack a session this way.

Credit for reporting this vulnerability goes to Dana Traversie and Sean Wright from Dell SecureWorks. This issue is tracked by Dell as Security Advisory SWRX-2015-003.
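The remedy the paragraph above implies is to throw away the pre-authentication token at login and bind the authenticated state to a freshly generated one, so a token the attacker already knows never becomes an authenticated session. The simulation below is an added example written for these notes, not Lastline's portal code, and does not describe how the portal's own session handling works. The user name, password and cookie attributes are constructed for the demo; the store runs in memory with the standard library only.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credentials for the demo; a real portal verifies a password hash.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user, "")
    return secrets.compare_digest(expected, password)


@dataclass
class Session:
    user: Optional[str] = None                    # None until a login succeeds
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory sessions keyed by the opaque token carried in the session cookie."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_token(self) -> str:
        """Issue a pre-authentication session (e.g. when the login page is loaded)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session()
        return token

    def login(self, token: str, user: str, password: str) -> str:
        """Authenticate the session behind `token`; return the token the client must use next."""
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        current = self._sessions.get(token)
        if current is None:
            raise KeyError("unknown session token")
        if not self.regenerate_on_login:
            # Vulnerable behaviour: the token the client arrived with simply becomes
            # authenticated, so anyone who already knows it owns the logged-in session.
            current.user = user
            return token
        # Fixed behaviour: retire the pre-auth token and bind the authenticated
        # state to a fresh one that only this response hands out via Set-Cookie.
        del self._sessions[token]
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = Session(user=user, data=current.data)
        return fresh

    def user_for(self, token: str) -> Optional[str]:
        session = self._sessions.get(token)
        return session.user if session else None


def set_cookie_header(token: str) -> str:
    """Cookie attributes to send with the (re)issued token: HttpOnly keeps it away from script."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attack_succeeds(regenerate_on_login: bool) -> bool:
    """The attacker knows the victim's pre-login token (phished or planted); the victim then
    logs in. Return True if the attacker's copy now yields the authenticated session."""
    store = SessionStore(regenerate_on_login)
    victim_token = store.new_token()     # sits in the victim's browser before login
    attacker_copy = victim_token         # the value the attacker learned or set
    store.login(victim_token, "alice", "correct horse battery staple")
    return store.user_for(attacker_copy) == "alice"


if __name__ == "__main__":
    print("no regeneration at login, hijack works:", fixation_attack_succeeds(False))
    print("regeneration at login, hijack works:   ", fixation_attack_succeeds(True))
```

Regenerating the token at login is what closes the fixation window; the HttpOnly attribute is a separate control and, as the notes point out, only explains why script-level attacks such as XSS could not be used to read the token in the first place.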

Manuals page

A Manuals page has been added, which provides links to installation and configuration manuals as well as API documentation.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for on-premises use:

  • Lastline Manager version 606
  • Lastline All-in-one (pinbox) version 606
  • Lastline Engine version 606
  • Lastline Sensor version 605

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • query_file_downloads
  • query_binaries/binaries
  • query_downloaded_files
  • set_appliance_geoposition
  • query_network_status
  • switch_to_key
  • switch_to_timezone

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
