Lastline Enterprise On-Premises Release Notes

Version 7.9

New features

  • Added "info" network events to provide additional context
  • Added tutorial videos to the Lastline Portal
  • Processing of Adobe Flash artifacts
  • Email Analysis improvements
  • ICAP improvements
  • Support SHA256 in submissions and queries to Analyst API
  • Bug fixes and improvements

Added "info" network events to provide additional context

Lastline sensors monitoring a protected network can now generate a new class of "info" events, that do not by themselves indicate a malicious behavior, but can provide useful context when investigating an incident. This is in contrast to the "detection" events that actually indicate malicious activity.

A few examples of "info" events that we may detect are:

  • Use of Remote Desktop Protocol and other similar traffic that may be indicative of lateral movement of an attacker within a compromised network. The reason this activity leads to an "info" event (and not a "detection" event) is that Remote Desktop Protocol is not per se malicious, and has legitimate use cases for remote administration.

  • Use of web services that are commonly used by malware. Malware frequently takes advantage of some freely available web utilities for tasks such as obtaining the IP address or geographic location on which it is running. The reason this activity leads to an "info" event (and not a "detection" event) is that these services are not per se malicious and may also be used by benign applications.

Over time, we expect our coverage of "info" events we generate to broaden to provide more and more context for incident investigation.

By default, "info" events are not shown in event listings. Users can make use of the "Event Outcome" filter to choose to show:

  • only "detection" events (the default, which corresponds to this view's behavior before this release)
  • only "info" events
  • all events

When viewing the details of a single host in the Infections view of the Console tab, a new "Info events" table may now be shown that displays "info" events occurring on the selected host.

Added tutorial videos to the Lastline Portal

The Lastline Portal now includes support for tutorial videos.

The Portal offers to show videos contextually the first time a relevant page is visited. The video can also be viewed later by clicking on the camera icon.

Available videos are also listed in the videos Page, which can be reached from the Help menu.

Processing of Adobe Flash artifacts

The Sensor now extracts, pre-filters, and submits for analysis Flash artifacts of the CWS, FWS, and ZWS types.

Email Analysis improvements

The following improvements have been added for the in-line deployment:

  • If the disk or the internal email queues in the sensor fill up the sensor will start rejecting incoming emails with a "431 Disk/Queue full" SMTP error message (the previous behavior was causing the connection to hang and possibly cause a timeout in the sender).
  • It is possible to send a test email from the sensor console with the llmail_test_email command.

ICAP improvements

The following improvements have been made to the sensor ICAP support:

  • Support for blocking malicious artifacts: once enabled, the ICAP service will cache the response body for interesting files to identify artifacts that are already known to Lastline. It is possible to define a score threshold beyond which artifacts will be removed from the HTTP transaction and replaced with an HTTP/403 error message.

  • Improved interoperability with Bluecoat appliances.

Support SHA256 in submissions and queries to Analyst API

The Lastline Analyst API now supports using the SHA256 hash of a file when submitting files for analysis or querying for existing analysis results. Furthermore, functions returning submission metadata will include the SHA256 of the submitted file (if this information is available).

Bug fixes and improvements

  • Fixed bug that would cause an error when attempting to schedule a periodic report email in the Report view.

  • Fixed visual glitch when the Analysis history page reloads the data to display.

  • Display country flag for IPs also in file downloads view.

  • Added support for the submission of network traffic capture files (in tcpdump pcap format). The traffic contents are analyzed to determine the presence of malicious traffic or communication with malicious endpoints. Notice that at the moment, any artifact contained in the capture is not extracted and analyzed.

  • Updated IDS codebase to Suricata 3.0.1.

  • Improvement to the logic in charge of generating pcap captures upon occurrence of network alerts. Improvements target specifically alerts that occur "deep" into long flows.

Deprecation of API methods

No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:

  • Lastline Manager version 713
  • Lastline Engine version 713
  • Lastline Sensor version 712.1
  • Lastline All-in-one (pinbox) version 713
7.8 7.9.1