Version 7.12
New features
- Multiple built-in dashboards
- Improved interface for managing licenses and sensors
- Support for multiple pairs of interfaces in the inline Sensor
- More granular permissions for downloading analyzed files
- Audit log extensions
- New protocol for communication between Sensor and backend
- Improved analysis of URLs embedded in Microsoft Office documents
- Support for Silicom bypass adapters in the inline Sensor
- Email analysis improvements and bugfixes
- Bug fixes and improvements
Multiple built-in dashboards
The dashboard view that provides Lastline Enterprise customers an overview of their network has been extended to provide multiple built-in dashboards that focus on different aspects, accessible from a dropdown menu.
- The overview dashboard is the default view in this tab and is similar to the dashboard that was displayed in previous versions.
- The network dashboard focuses on network events, infections and network traffic processed.
- The mail dashboard focuses on mail processing and detection.
- The files dashboard focuses on analyzed files, whether they were captured on the network or found in mail attachments.
Improved interface for managing licenses and sensors
The interface for viewing and managing license and sensor subkey information has been redesigned, and now provides the following pages.
- License details page for managing license details such as organization and contact information
- Licenses page lists all active and non-active licenses
- Sensors page lists all sensor subkeys, optionally filtered by license, and allows renaming, activating and de-activating them
- Add Sensor page allows generating a new sensor license
Support for multiple pairs of interfaces in the inline Sensor
The Sensor now supports inline deployment using multiple pairs of interfaces. To configure, use lastline_setup's inline_interfaces option and specify a comma-separated list of dash-paired interface names, e.g. "eth2-eth3, eth4-eth5". The old syntax ("eth2, eth3") continues to work when using a single interface pair.
More granular permissions for downloading analyzed files
This release adds two new permissions that provide granular control for access to analyzed files.
- The "can_access_analyzed_files" permission allows users to download files of less sensitive types that were analyzed by Lastline. These are files such as executables and scripts that are less likely to include sensitive information.
- The "can_access_sensitive_analyzed_files" permission allows users to download files of more sensitive types that were analyzed by Lastline. These are files such as Office documents or PDFs that are more likely to include sensitive information. This permission does not imply "can_access_analyzed_files", so both permissions should be granted individually.
Note that, as for all permissions, accounts with administrator permission implicitly have these new permissions as well. Other users who wish to download analyzed files will need to request these permissions from their administrator.
Audit log extensions
With this release, additional information will be included in the audit log which is available in the Lastline portal, API, and in audit log notifications.
- Include creation of new sensor subkeys
- Include updates to a sensor subkey, including activating or de-activating it
- Include updates to license information
New protocol for communication between Sensor and Manager
Sensors released with this version use a new communication protocol to talk to the Manager to download threat intelligence and upload detection information. The new protocol provides improved reliability and robustness compared to the legacy one.
To support older Sensor versions, the Manager continues to support the legacy protocol, which will remain supported at least until onpremise release 7.14.
Improved analysis of URLs embedded in Microsoft Office documents
With this release, the analysis system will extract and follow URLs embedded in more types of documents (specifically Microsoft Office) submitted for analysis. Any anomalies found as part of the URL analysis are included in the classification of the originally analyzed document.
Support for Silicom bypass adapters in the inline Sensor
The Lastline Sensor now supports Silicom's bypass adapters, enabling packet forwarding in the presence of appliance failure or power outages.
Email analysis improvements and bugfixes
- Allow customization of which email/SMTP headers are used for reporting sender and recipients of analyzed emails.
- Allow overriding the default maximum line length for IMAP.
- Relax the strictness of the recipient email address parsing for SMTP sniffing.
- In email in-line mode, if the analysis of an artifact is skipped, this is indicated in the X-Lastline header. New values that can be added to this header are:
  analysis-disabled: the analysis has been explicitly disabled.
  analysis-incomplete=backend-unreachable: the full analysis was not performed because the Lastline backend was not reachable.
  analysis-skipped=REASON-whitelisted: the email or artifact was not analyzed because of a whitelisted element. REASON can be one of sender, recipient, subject, attachment-filename, attachment-md5, url.
- In email in-line mode, it is now possible to configure the sensor to start rejecting incoming emails if the nexthop rejection ratio is too high.
- A bug in matching of sender whitelist in SMTP sniffing mode has been fixed by stripping angle brackets from email addresses before matching.
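A mail-side consumer of the new X-Lastline values listed above, written as an added example (not Lastline code): it parses the header out of a message and flags mail whose analysis was disabled, incomplete or skipped, so that a downstream filter or SIEM rule can treat such mail as unscanned rather than clean. The sample message and the review policy are constructed for the example; the header name and values are those from these release notes.

```python
"""Triage mail by the X-Lastline header values introduced in 7.12.
Added example, not Lastline code: header name/values from the release notes,
sample message and review policy are constructed for illustration."""
import email
from email import policy

# Constructed sample: inline-mode delivery whose attachment was not analyzed
# because its filename matched a whitelist entry.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: analyst@example.net
Subject: Invoice
X-Lastline: analysis-skipped=attachment-filename-whitelisted
Content-Type: text/plain

see attached
"""

# REASON values named in the release notes for analysis-skipped=REASON-whitelisted
WHITELIST_REASONS = {"sender", "recipient", "subject",
                     "attachment-filename", "attachment-md5", "url"}

# Statuses that mean the mail did not get a full analysis (policy: constructed).
# "unknown" is included so an unrecognised value never passes as analyzed.
REVIEW_STATUSES = {"disabled", "incomplete", "skipped", "unknown"}


def parse_x_lastline(value):
    """Map one X-Lastline header value to a (status, detail) tuple."""
    value = value.strip()
    if value == "analysis-disabled":
        return ("disabled", None)
    if value == "analysis-incomplete=backend-unreachable":
        return ("incomplete", "backend-unreachable")
    prefix, suffix = "analysis-skipped=", "-whitelisted"
    if value.startswith(prefix) and value.endswith(suffix):
        reason = value[len(prefix):-len(suffix)]
        if reason in WHITELIST_REASONS:
            return ("skipped", reason)
    return ("unknown", value)


def triage(raw_bytes):
    """Return (status, detail) for every X-Lastline header in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [parse_x_lastline(v) for v in msg.get_all("X-Lastline", [])]


def flag_for_review(raw_bytes):
    """True when any X-Lastline header reports a non-complete analysis."""
    return any(status in REVIEW_STATUSES for status, _ in triage(raw_bytes))
```

A message with no X-Lastline header at all is not flagged by this function; whether that means "not routed through the Sensor" depends on the deployment and should be handled by a separate check.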
Bug fixes and improvements
- Fix bug that caused incorrect URLs to be included in notification messages delivered by mail, Syslog and other notification backends. Due to this bug, the URLs linking to the Manager's portal would omit the "user." prefix of the hostname and include a double "/" character between hostname and path.
- When performing a backup over ssh, no longer verify destination archive by listing archive contents. This step was redundant to other verification steps and could lead to timeout issues for extremely large backup archives.
- Fix memory consumption problem in classification of corrupted CDF documents.
- Improved resilience to erroneous whitespace in IDS range variables provided via the Custom Intelligence API.
- Improved robustness when handling base64-encoded files.
- Improved configurability of pcap filter expressions on the Sensor, supporting e.g. capture only on select VLANs.
- Also display the SHA256 hash of the analyzed file in the analysis report overview.
- Fix issue where, in some corner-cases, email notification for a detected URL could contain the un-escaped malicious URL.
- Fix a bug in Sensor statistics collection that could break the web UI's "Concurrent flows" networking metrics plot.
- Increased robustness when downloading threat intelligence to the Sensor over very slow links.
- Fix a bug in our filetype classifier that could cause some obfuscated WSF files to get skipped in the Sensor's prefilter.
- Managers now cache threat intelligence downloaded from our backend to serve it to Sensors. This reduces the amount of bandwidth used between a Lastline Manager and our backend for installations with many sensors.
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- query_license_details
- update_license_details
- update_sensor_details
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Furthermore, with this release we are deprecating the legacy malscape API (/malscape). Functionality that replaces this API is available in the analysis module of the Lastline API. Additionally, analysis functionality can be accessed directly through the Lastline Analyst API.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 716.2
- Lastline Engine version 716.2
- Lastline Sensor version 716.2
- Lastline All-in-one (pinbox) version 716.2
Deprecation of appliance versions
Because of the change to the communication protocol between sensor and backend, sensor versions before 716 are being deprecated with this release. These deprecated sensor versions however will remain supported at least until onpremise release 7.14.