Version 7.0
New features
- Notifications for appliance status
- Improved Flash analysis
- Document structure display
- Malware sample sharing
- Notification extensions
- Whitelist support in downloads view
- Analysis report timeline
- Additional appliance metrics graphs
- Improved notification configuration UI
- Check Point firewall integration
- Generic HTTP POST notifications
- Improved password reset functionality
- Home network configuration
- Sensor improvements
- Email analysis improvements
- Appliance installation improvements
Notifications for appliance status
Users can now configure their Lastline installation to deliver notifications of appliance status by email, syslog/SIEM or generic HTTP POST. For this, the existing email notification, syslog/SIEM integration and generic HTTP integrations have been extended to support new notification types. Depending on configuration, users may receive notifications:
- Whenever an information message, warning or error is logged, as displayed in the appliance monitoring logs
- Whenever an appliance's status is reporting a warning or error
- Whenever an appliance checks in, or fails to check in and is therefore considered to have gone offline
- Whenever a configuration action on an appliance fails, as displayed in the appliance action logs
This should allow users to receive notifications in situations where the Lastline Portal is reporting a warning or error for an appliance.
Note that existing notification configurations will not be automatically modified to enable appliance status notifications. Users with existing notification configuration will need to extend them by adding the new triggers for appliance status notifications to the existing configurations.
Improved Flash analysis
We now support sending Flash files for in-depth analysis in our analysis engine via both the UI and the analysis API. The results of the analysis include dynamic properties, such as the call graph obtained by running the sample and the strings found during the analysis, as well as structural, static properties such as the file's tags.
Document structure display
The UI for displaying document analysis results now includes a "Structure" tab that displays structural properties of a file, such as its data streams, macros and its textual content.
Malware sample sharing
With this release customers are able to automatically share malicious executable files with the Lastline Cloud to help expand the Lastline Knowledge Base and contribute to the Lastline community. Customers that do not wish to participate can disable this functionality. Refer to the online documentation or contact Lastline customer support for additional information.
Notification extensions
Syslog/SIEM notifications have been extended to include additional information about the file involved in a suspicious file download or mail attachment detection:
- The specific file type (magic string) and higher-level category (e.g. Executable, Document, etc., as displayed in the Lastline Portal)
- SHA1 hash (in addition to MD5)
Furthermore, email notifications for suspicious mail attachments have been extended with additional information:
- email message identifier
- email message subject
- email message send time
Finally, syslog/SIEM notifications have been extended to include an impact field (0-100) as displayed in the Lastline Portal.
In addition, two issues have been fixed affecting the subject of email notifications:
- excessively long sender or receiver fields are now being truncated
- subject is being correctly encoded in the presence of non-ASCII characters
Whitelist support in downloads view
The downloads tab of the Lastline Portal now takes into account a user's whitelist settings for ignoring hosts within the monitored network that are not of interest. This whitelist behavior is consistent with the existing whitelist functionality in the Console and Events tabs, and can be configured in "display settings".
Analysis report timeline
Analysis reports for Windows executables as well as Office documents can now be displayed in different formats. In addition to the already existing report format, which displays high level operations performed during analysis grouped by the analysis subject (process) that performed them, a timeline view is now available.
The timeline shows the actions performed by individual threads under analysis, in the order they were performed. The view can be filtered by zooming in using the view finder below the graph, or by selecting specific classes of actions to display (such as File, Registry or Process actions).
Additional appliance metrics graphs
In addition to the System metrics page, the Lastline Portal now displays graphs for additional metrics about Lastline appliances:
- Network metrics: displays metrics about network monitoring, such as traffic processed or files captured. This page is applicable to SENSOR and PINBOX appliances.
- Mail metrics: displays metrics about mail analysis, such as number of mails processed or mail attachments analyzed, or the status of mail analysis queues. This page is applicable to SENSOR and PINBOX appliances that have mail analysis enabled.
- Analysis metrics: displays metrics about analysis of artifacts, such as the number of artifacts (files or URLs) analyzed, or the status of analysis queues. This page is applicable to MANAGER, ENGINE, ANALYST and PINBOX appliances.
Improved notification configuration UI
Different types of notification integrations are now configured through separate menu options under the integrations menu in the Admin tab of the Lastline Portal.
The tables displaying configured notifications of each type now include additional information that is specific to the type of integration, and therefore provide a more useful summary of the current configuration.
Check Point firewall integration
Lastline Enterprise Hosted installations can now integrate with Check Point firewalls through Check Point's SAM API to block malicious external hosts on the fly. Check Point firewall integration can be configured in the Lastline Portal.
Generic HTTP POST notifications
Lastline Enterprise Hosted installations can now send notifications of detections on the monitored network using HTTP POST to a custom URL. The body of the POST request includes a JSON message providing information on the detection event. Generic HTTP POST notifications can be configured in the Lastline Portal.
Improved password reset functionality
The password reset functionality for users who have lost their password has been revamped to improve the security and convenience of the password reset process.
Home network configuration
A new configuration option is now available for selecting the "home network", the ranges of IP addresses that are protected by each Lastline Sensor. In this version, this setting only affects the Check Point SAM integration. In later versions, the effects of the home network configuration will expand to other aspects of an installation.
Sensor improvements
- Improved document prefiltering on the sensor
- Improved reporting of network activity metrics
- Enhancements to SMTP parsing in the IDS component
- Robustness fixes for file processing
- Updated network driver for 10 Gbps interfaces
Email analysis improvements
- Improved runtime memory usage on the Sensor
- Log MD5 hashes and attachment Content-Type in email tracing files on the Sensor
- Accept email messages via SMTP even if the line length exceeds the SMTP specification
- Stability improvements
Appliance installation improvements
- Improvements in appliance registration workflow with the Manager or the Lastline backend
- Require NTP time sync before starting the registration process
- Fixed race condition that would cause occasional failures at the end of the installation due to a software upgrade starting too early
- Fixed registration tests when behind proxy or on-premise manager (--skip-tests is no longer required)
- Honor setting about injection interface
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 700
- Lastline Engine version 700
- Lastline Sensor version 700
- Lastline All-in-one (pinbox) version 700
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- query_download_stats
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.