Lastline Enterprise On-Premises Release Notes

Version 7.13.1

New features

  • Updated sideloading the sandbox images
  • Improved Analyst API Authentication
  • Improved URL analysis
  • Improved file analysis

Updated sideloading the sandbox images

Starting with this release, the sandbox images are located in a new directory on Lastline Manager and All-in-one (pinbox) appliances. Customers using the sideloading feature for downloading sandbox images need to adjust their deployment process accordingly.

Additional information can be found in the installation manuals.

Improved Analyst API Authentication

This release enables users of the Analyst API to leverage Session IDs as an alternative to authentication using API Key and Token embedded in each request. There is no plan to deprecate the existing behavior (the new solution is designed to be fully backward compatible), but clients should consider switching to the improved authentication mechanism.

The Analyst API documentation contains a detailed description of this change.

Improved URL analysis

  • Improved analysis of JavaScript files that use the Blob API to drop additional artifacts. In particular, the determination of the file type of the dropped file has been improved, leading to potentially more precise analysis results.
  • Improved detection of files dropped during drive-by exploit analysis.
  • Improved detection of shell script (cmd/Powershell) invocations.
  • Improved detection of hidden iframes.
  • Improved handling and reporting of evasions via browser history.

Improved file analysis

  • Updated sandbox images.
  • Improved detection of suspicious script arguments.
  • Improved emulation of "virtual user".
  • Improved handling of timing-based evasions.
  • Improved detection of malware that requires being run as system service.
  • Improved detection of code injection using ROP.
  • Improved handling of WMI-based system fingerprinting.
  • Improved extraction of PDF content.
  • Fix duplicate extraction of binary executables embedded in documents.
  • Improved detection of embedded EPS exploits.
  • Make file type detection of CDF-based document types more robust.
  • Make analysis of archives using unicode characters more robust.
  • Better handling/inflation of partially-corrupted GZIP archives.

Bug fixes and improvements

  • Better handling of large archives submitted for analysis (avoid filling /var file-system).
  • Added get_pending function for retrieving pending submissions via the Analyst API.
  • Fix Analyst API function get_progress returning -1 for "progress" value.
  • Improve the export of analysis reports to PDF/RTF for Flash files submitted for analysis.
  • Fix missing screenshots in export of analysis report to PDF/RTF.
  • Fix APK capabilities table showing incorrect data in export of analysis report to PDF/RTF.
  • Fix truncation of authenticode-signer information in analysis overview.
  • Fix export of analysis report activities (strip and suppress internal data).
  • Fix download of analysis report artifact.
  • Fix missing analysis subject metadata in analysis reports.

Deprecation of API methods

No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 718
  • Lastline Engine version 718
  • Lastline Sensor version 717.2
  • Lastline All-in-one (pinbox) version 718
7.13 7.13.2