Version 7.4
New features
- Support for custom routing of analysis traffic
- Email analysis improvements
- URL analysis improvements
- Microsoft Office macro analysis improvements
- Improved analysis of artifacts found during analysis
- Support for inline deployment of the Sensor
- Support for customized Sensor-side whitelisting of events
- Bug fixes and improvements
Support for custom routing of analysis traffic
In the default configuration, traffic generated inside the Lastline analysis sandbox is routed to the Internet through a secure tunnel whose exit uses a public IP address that is not the customer's and that is rotated periodically. This anonymizes the customer's public IP and avoids that IP getting blacklisted when the sandbox connects to malware command-and-control infrastructure.
The tunnel also prevents malware running inside the sandbox from reaching services on the customer's local network, since sandbox traffic never egresses through that network.
For customers who do not want to use the tunnel, the lastline_setup configuration utility now allows specifying a custom network connection for routing sandbox traffic to the Internet. Note that this does not provide the same guarantees as the default configuration: the customer's own public IP is exposed to the malware's infrastructure and may be blacklisted, and the sandbox traffic can reach the local network unless the custom route is firewalled to permit Internet egress only. The option is intended for customers with stringent privacy requirements who need to control the traffic routing themselves; see the installation manual for details.
Email analysis improvements
The email analysis module received the following improvements:
- Improved logging on Sensor about email attachment filetype.
- Improved logging on Sensor about email delivery and destination address rejection.
- Fixed delayed inbox refresh issues when fetching emails from an IMAP server.
- When configured to drop whole emails, the Sensor now drops only emails with malicious content, not emails with merely suspicious content.
- In inline mode, multi-line template text is now guaranteed to terminate with a newline.
- In inline mode, an email is no longer held for more than 30 minutes when analysis results are delayed.
- Better handling of some non-RFC emails in MTA mode.
URL analysis improvements
Reports for URL analyses now include strings that have been observed during an analysis. They are listed in the "Memory contents" section of the report.
Microsoft Office macro analysis improvements
Reports for Microsoft Office documents containing macro code now contain more information about VBA macro anomalies.
Improved analysis of artifacts found during analysis
Artifacts encountered as part of an analysis run are now analyzed in more detail. For example, any applications found as part of a URL analysis, or found embedded in documents, are analyzed in separate analysis runs that are linked from the original analysis report.
Support for inline deployment of the Sensor
The Lastline Sensor now supports inline deployment using a single pair of network interfaces. In inline mode the Sensor actively relays traffic between the two interfaces and can be configured to block offending traffic by firewalling it at varying flow granularities; it also supports HTTP 302 redirection of visits to known-bad URLs.
Simultaneous operation of additional passive sniffing ports is supported.
This configuration currently needs to be done with the assistance of a Lastline engineer; automation and UI support will be expanded in a future release.
This feature is currently not available in the Lastline Enterprise All-in-one (pinbox) configuration.
Support for customized Sensor-side whitelisting of events
We now support customized whitelisting of events directly on the Sensor, including file hashes, domain names, and IP addresses. This whitelisting applies to blacklist hits, file artifact extraction, and signature hits.
This feature is currently not available in the Lastline Enterprise All-in-one (pinbox) configuration.
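To make concrete what a Sensor-side whitelist of this kind does, the following is an added illustrative example, not Lastline's own code or whitelist format. It assumes a plain-text list with one indicator per line, infers the indicator kind from its shape (hex digest, IP address or CIDR range, otherwise domain name), and applies the list to the three event kinds named above (blacklist hits, file artifact extraction and signature hits). The event field names (sha1, md5, host, dst_ip) and the sample whitelist and events are constructed for the example.

```python
"""Sensor-side event whitelist matcher (added illustrative example, not Lastline code)."""
import ipaddress
import re

# Constructed sample whitelist. Entry kind is inferred from shape: hex digest
# (MD5/SHA-1/SHA-256 length) -> file hash, parseable address or CIDR -> IP
# network, anything else -> domain name. '#' starts a comment.
SAMPLE_WHITELIST = """
# internal update server and its address space (constructed names/ranges)
updates.corp.example
10.20.0.0/16
# constructed digest of a known-good installer that trips a generic signature
0123456789abcdef0123456789abcdef
"""

HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


class Whitelist:
    def __init__(self):
        self.hashes = set()     # lowercase hex digests
        self.domains = set()    # lowercase names without trailing dot
        self.networks = []      # ipaddress.ip_network objects

    @classmethod
    def parse(cls, text):
        wl = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if HEX_DIGEST.match(line):
                wl.hashes.add(line.lower())
                continue
            try:
                wl.networks.append(ipaddress.ip_network(line, strict=False))
                continue
            except ValueError:
                pass
            wl.domains.add(line.lower().rstrip("."))
        return wl

    def hash_listed(self, digest):
        return bool(digest) and digest.lower() in self.hashes

    def domain_listed(self, name):
        if not name:
            return False
        # Match the name itself and every parent domain on a label boundary, so
        # "evil.updates.corp.example" matches the entry "updates.corp.example"
        # but "notupdates.corp.example" does not.
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def ip_listed(self, address):
        if not address:
            return False
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            return False
        # 'in' returns False for mismatched IP versions, so mixed lists are safe.
        return any(ip in net for net in self.networks)

    def match(self, event):
        """Return the whitelist reason that suppresses this event, or None."""
        if self.hash_listed(event.get("sha1")) or self.hash_listed(event.get("md5")):
            return "hash"
        if self.domain_listed(event.get("host")):
            return "domain"
        if self.ip_listed(event.get("dst_ip")):
            return "ip"
        return None


def filter_events(events, whitelist):
    """Split events into (kept, suppressed); suppressed entries carry the reason."""
    kept, suppressed = [], []
    for ev in events:
        reason = whitelist.match(ev)
        if reason is None:
            kept.append(ev)
        else:
            suppressed.append((reason, ev))
    return kept, suppressed


# Constructed sample events of the three kinds the whitelist applies to.
SAMPLE_EVENTS = [
    {"kind": "blacklist_hit", "host": "updates.corp.example", "dst_ip": "10.20.3.7"},
    {"kind": "blacklist_hit", "host": "notupdates.corp.example", "dst_ip": "203.0.113.9"},
    {"kind": "file_artifact", "md5": "0123456789ABCDEF0123456789ABCDEF", "host": None},
    {"kind": "signature_hit", "host": "cdn.evil.example", "dst_ip": "10.20.250.1"},
    {"kind": "signature_hit", "host": "cdn.evil.example", "dst_ip": "198.51.100.4"},
]

if __name__ == "__main__":
    kept, suppressed = filter_events(SAMPLE_EVENTS, Whitelist.parse(SAMPLE_WHITELIST))
    for reason, ev in suppressed:
        print("suppressed by", reason, ev)
    for ev in kept:
        print("kept", ev)
```

The fourth sample event shows the caveat a practitioner should keep in mind: a whole /16 on the whitelist suppresses a signature hit against a host that is not itself whitelisted, simply because the destination address fell inside the listed range. Whitelist the narrowest indicator that explains the false positive (a single hash or host) rather than a network range wherever possible.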
Bug fixes and improvements
- More robust filetype detection for script types.
- Improved filetype detection for obfuscated MIME structures.
- Prefilter performance improvements on the Sensor.
- Support for RAR archives of version 5+, ACE archives, and Windows Script Files.
- Improved coverage of DMG images and MIME archives.
- Fixed the analysis-submission file cache so that unneeded files are cleared sooner.
- More robust file scoring, so that analysis runs no longer take longer to score than necessary.
The on-premise Sensor also features the following improvements:
- We now correctly report the contacted host's name when the Sensor resides behind an HTTP proxy.
- Customer-provided signatures with the REJECT action now correctly downgrade to alerting when blocking is not enabled.
- Flow hashing can now be configured to include or ignore VLAN IDs.
- Flow state timeouts in the sniffer are now tunable, to accommodate site-specific needs.
- Expanded analysis of archive contents, including script files and nested archives.
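The flow-hashing option above is easiest to understand with a small worked example. The following is an added illustration, not Lastline's own implementation, of a direction-independent flow key: both endpoints are sorted before hashing so that the two directions of a connection land in the same bucket, and the VLAN ID is included only when requested. The motivation for the switch is an assumption stated here rather than something the release notes say: on links where the two directions of a connection carry different VLAN tags (for example when traffic is mirrored from both sides of a router), including the tag in the hash splits one flow across two buckets, whereas on links where distinct VLANs reuse the same address space, ignoring the tag merges unrelated flows. The packets below are constructed.

```python
"""Symmetric flow hashing with optional VLAN ID (added illustrative example)."""
import hashlib
import ipaddress
import struct


def flow_key(src_ip, src_port, dst_ip, dst_port, proto, vlan_id=None, use_vlan=False):
    """Build a direction-independent flow key.

    The (address, port) endpoints are sorted so that a packet and its reply
    produce the same key. The VLAN ID is appended only when use_vlan is set.
    """
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted([a, b])
    key = lo[0] + struct.pack("!H", lo[1]) + hi[0] + struct.pack("!H", hi[1]) + bytes([proto])
    if use_vlan:
        key += struct.pack("!H", vlan_id if vlan_id is not None else 0)
    return key


def flow_bucket(key, n_workers):
    """Map a flow key to one of n_workers buckets with a stable hash."""
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


# Constructed TCP session: the client's SYN is seen tagged VLAN 100 and the
# server's reply is seen tagged VLAN 200 (asymmetric tagging on the tap).
TCP = 6
CLIENT_TO_SERVER = dict(src_ip="192.0.2.10", src_port=51234,
                        dst_ip="198.51.100.20", dst_port=443, proto=TCP, vlan_id=100)
SERVER_TO_CLIENT = dict(src_ip="198.51.100.20", src_port=443,
                        dst_ip="192.0.2.10", dst_port=51234, proto=TCP, vlan_id=200)


def same_bucket(use_vlan, n_workers=8):
    """True if both directions of the constructed session hash to one bucket."""
    k1 = flow_key(use_vlan=use_vlan, **CLIENT_TO_SERVER)
    k2 = flow_key(use_vlan=use_vlan, **SERVER_TO_CLIENT)
    return flow_bucket(k1, n_workers) == flow_bucket(k2, n_workers)


def keys_equal(use_vlan):
    """True if both directions produce the identical key (bucket-independent)."""
    return (flow_key(use_vlan=use_vlan, **CLIENT_TO_SERVER)
            == flow_key(use_vlan=use_vlan, **SERVER_TO_CLIENT))


if __name__ == "__main__":
    print("VLAN ignored : keys equal =", keys_equal(False), "same bucket =", same_bucket(False))
    print("VLAN included: keys equal =", keys_equal(True))
```

With the VLAN ID ignored the two directions always share a bucket; with it included they only do so by hash collision, which is exactly the situation the new setting lets an operator avoid (or, on the reverse topology, deliberately choose).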
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use on-premise:
- Lastline All-in-one (pinbox) version 705
- Lastline Manager version 705
- Lastline Engine version 705
- Lastline Sensor version 706
Deprecation of API methods
No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.