Version 7.8
New features
- Fixes to Mail tab of portal
- No default inclusion of VLAN IDs in flow hashing
- Email analysis improvements
- Time-range selection and filtering in Analysis History UI
- Whois links in portal for IPs and domains
- Support for custom Yara rules
- Bug fixes and improvements
Fixes to Mail tab of portal
- In the Mail messages view, the terms "Infected"/"Watchlist"/"Nuisance", which are not correct in this context, have been replaced with "Malicious"/"Suspicious"/"Benign".
- Fixed a bug that could lead to an empty mail messages view if no notifications are configured.
- Fixed a bug with the minimum score filter in the mail attachments view.
No default inclusion of VLAN IDs in flow hashing
The Sensor no longer automatically includes the VLAN ID(s) of VLAN-tagged flows in its flow hashing. As a result, setups in which one direction of a flow travels on one VLAN while the other direction resides on another VLAN (or is untagged) now work correctly without any configuration. This approach better fits the scenarios we commonly encounter in our customer base.
The inclusion of VLAN IDs can still be changed (and the change persisted) for individual Sensors. Contact Lastline Customer Support for assistance.
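To make the flow-hashing change concrete, here is an added illustration (not Lastline's code, and not a description of the Sensor's actual hash function): a bidirectional flow key built from the IP/port 5-tuple, with the VLAN ID optionally mixed in. The packet summaries are constructed sample values using documentation address ranges. It shows both cases the text mentions, a reply on a different VLAN and an untagged reply, and how including the VLAN ID splits each conversation into two half-flows.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: IP/port 5-tuple plus an optional 802.1Q VLAN ID."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                      # IP protocol number, e.g. 6 for TCP
    vlan_id: Optional[int] = None   # None means the frame was untagged


def flow_key(pkt: Packet, include_vlan: bool = False) -> str:
    """Bidirectional flow key: both directions of a conversation hash to one value.

    The two endpoints are sorted so that (A -> B) and (B -> A) yield the same key.
    With include_vlan=True the VLAN ID becomes part of the key, so a reply that
    arrives on a different VLAN (or untagged) is hashed into a separate flow.
    """
    endpoints = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    parts = [f"{ip}:{port}" for ip, port in endpoints] + [str(pkt.proto)]
    if include_vlan:
        parts.append(f"vlan={pkt.vlan_id}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def group_flows(packets: List[Packet], include_vlan: bool = False) -> Dict[str, int]:
    """Group packets by flow key; returns {flow_key: packet_count}."""
    flows: Dict[str, int] = {}
    for pkt in packets:
        key = flow_key(pkt, include_vlan)
        flows[key] = flows.get(key, 0) + 1
    return flows


def flow_count(packets: List[Packet], include_vlan: bool) -> int:
    """Number of distinct flows the packets are grouped into."""
    return len(group_flows(packets, include_vlan))


# Constructed sample 1: client on VLAN 10, return path routed back on VLAN 20.
ASYMMETRIC_VLAN = [
    Packet("192.0.2.10", "198.51.100.5", 51234, 443, 6, vlan_id=10),  # client -> server
    Packet("198.51.100.5", "192.0.2.10", 443, 51234, 6, vlan_id=20),  # server -> client
    Packet("192.0.2.10", "198.51.100.5", 51234, 443, 6, vlan_id=10),  # client -> server
]

# Constructed sample 2: request tagged on VLAN 10, reply arrives untagged.
ONE_SIDE_UNTAGGED = [
    Packet("192.0.2.11", "198.51.100.5", 40000, 443, 6, vlan_id=10),
    Packet("198.51.100.5", "192.0.2.11", 443, 40000, 6, vlan_id=None),
]


if __name__ == "__main__":
    for name, pkts in (("asymmetric VLAN", ASYMMETRIC_VLAN),
                       ("one side untagged", ONE_SIDE_UNTAGGED)):
        print(f"{name}: {flow_count(pkts, False)} flow(s) without VLAN in key, "
              f"{flow_count(pkts, True)} with VLAN in key")
```

Without the VLAN ID in the key each sample collapses to a single bidirectional flow; with it, each becomes two unidirectional half-flows, which is why a Sensor that hashes on the VLAN ID would mis-track traffic in such deployments.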
Email analysis improvements
The email analysis component on the sensor was improved by adding a timeout for incoming SMTP connections. The timeout is set to 60 seconds.
Additionally, the following improvements were added to the in-line (MTA) deployment mode:
- Save emails with blocked content into local temporary storage on the sensor for system administrator inspection and recovery.
- Support a graceful shutdown of email analysis that completes all in-flight email analysis and delivery before terminating.
- Degrade analysis and keep forwarding emails if the analysis backend is not reachable.
- Allow completely disabling email analysis and acting as a simple email forwarder.
- Fix rare cases where the sensor would break the DKIM signature for benign emails.
Time-range selection and filtering in Analysis History UI
The Analysis History page of the Lastline Portal now supports selecting the time range of submissions to display, as well as a number of filters:
- Submission type: File or URL
- MD5 hash of submitted file
- SHA1 hash of submitted file
- File name: substring match against submitted file names
- Analyst UUID: search for submissions with this unique identifier
- URL: search for submissions of this URL
Whois links in portal for IPs and domains
The Lastline Portal now includes links to whois information for IP addresses and domain names. These links are included for convenience and lead to whois information publicly available on third-party websites.
Support for custom Yara rules
The Lastline Custom Intelligence API now allows uploading Yara rules (in Yara 1.7-compatible format) to be matched during the analysis of artifacts.
Bug fixes and improvements
- New option in appliance configuration, "Install daily OS security updates automatically". Disabling automated installation of OS security updates is only recommended in environments where a custom process is in place for keeping the appliance up to date with security updates.
- Improved display in the report UI of processes spawned during analysis of a URL.
- Support for searching by SHA-256 hash in the Intelligence tab.
- Fix to an issue that was leading to unexpectedly high impact scores for blacklist hits on certain compromised domains.
Deprecation of API methods
No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 712
- Lastline Engine version 712
- Lastline Sensor version 711.1
- Lastline All-in-one (pinbox) version 712