Lastline Enterprise On-Premises Release Notes

Version 7.14

New features

  • Knowledge Base new interface and workflows
  • Improved Analyst API Authentication
  • Email analysis improvements
  • Support for changing the primary customer account
  • Improved management of reporting configurations
  • Improvements to custom dashboards
  • New search terms in the Knowledge Base interface
  • Update of supported browsers
  • Improved file analysis
  • Improved analysis of password-protected content
  • Accept RFC-2822 encoded emails in Analyst API
  • Run appliance test utility periodically

Knowledge Base new interface and workflows

Users with a Knowledge Base license now have access to a new version of the Knowledge Base interface through the Lastline Enterprise Portal's Intelligence Page. With this version, licensed users can, in a few steps, validate Indicators of Compromise (IoCs), enrich these IoCs for greater coverage, and triage and export them for use within their environment.

The intelligence page results have been enriched and reorganized to support flexible workflows. Knowledge Base search results are now divided into tabs for easier navigation and direct access to the information needed:

  • A "Summary" tab providing statistical charts about the results for fast IoC validation.
  • A "Reports" tab providing examples of analysis reports in order to support exploration and drill-downs.
  • A "Threat Profile" tab providing the related malicious activities for a quick assessment of the IoC severity.
  • A "Network IoCs" tab providing enriched lists of related IPs and domains; these lists are completed with reputation information for quick triage and can be directly exported for faster reaction (plain text and STIX formats supported).
  • A "DNS" tab providing DNS information around the query.
  • A "Clustering" tab pointing to similar analysis reports, based on code or dynamic execution similarities, for additional exploration and further enrichment of the original set of IoCs.

All these new features, as well as the rich set of information returned by the interface, are described in detail in the Lastline Portal Guide.

Improved Analyst API Authentication

This release enables users of the Analyst API to use Session IDs as an alternative to authenticating with an API Key and Token embedded in each request. There is no plan to deprecate the existing behavior (the new solution is designed to be fully backward compatible), but clients should consider switching to the improved authentication mechanism.

The Analyst API documentation contains a detailed description of this change.

Email analysis improvements

  • Allow selection of the email headers (or SMTP envelope values) used to report the sender and recipients of analyzed emails. The default is the email To/From headers for MTA mode without delivery, and the SMTP envelope values for full MTA mode.
  • LLMAIL-340: In case of POP3/IMAP errors, retry every 60 seconds instead of every 10, and allow the value to be configured.
  • FEAT-1656: Make sure the email subject tag is still used in suspicious emails when malicious emails are configured to be dropped.
  • USER-2348: Allow selecting the warning/blocking threshold for URLs and attachments even if the URL/attachment policy is set to "Do not add in-body warning".
  • LLMAIL-346: Support enabling a workaround to prevent Microsoft Outlook Web Mail from displaying the body of blocked emails as an attachment.

Support for changing the primary customer account

Before this release, changing the primary customer email, as displayed in the License Information View, required contacting Lastline support.

With this release, the primary customer email can be changed in the Portal by selecting an existing administrator account as the new primary one while editing the account under the All Accounts View. Please note that this operation needs to be performed on the hosted Lastline portal rather than on the On-Premises appliance's UI.

This improvement is tracked internally as FEAT-1510.

Improved management of reporting configurations

Lastline Enterprise can be configured to periodically send reports about the protected networks by email in HTML or PDF formats. This existing feature can be accessed in the Reports View of the Lastline Enterprise portal.

With this release, management of report configurations has been revamped with a number of improvements:

  • Administrators can now view, update and delete all periodic report configurations, regardless of the user who set them up.
  • Changes to reporting configurations are now tracked in Audit Log.
  • Fixed an issue where the timezone of a reporting configuration was stored as an offset from UTC instead of a timezone name, so it did not behave correctly across DST changes.

This improvement is tracked internally as FEAT-929.
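The timezone fix above is easy to misjudge as cosmetic, so here is an added illustration (not Lastline code) of why an offset captured at setup time is the wrong thing to persist. It assumes a simplified US-style DST rule (second Sunday of March to first Sunday of November) and a zone whose standard offset is UTC-5; the function and variable names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Simplified US DST rule, assumed for this demo: DST starts at 02:00 local on the
# second Sunday of March and ends at 02:00 local on the first Sunday of November.
STD_OFFSET = timedelta(hours=-5)   # standard time, e.g. US Eastern
DST_OFFSET = timedelta(hours=-4)   # daylight time


def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    first += timedelta(days=(6 - first.weekday()) % 7)   # first Sunday of the month
    return first + timedelta(days=7 * (n - 1))


def zone_offset(local_naive):
    """Offset in force for a naive local wall-clock time under the simplified rule."""
    start = _nth_sunday(local_naive.year, 3, 2).replace(hour=2)
    end = _nth_sunday(local_naive.year, 11, 1).replace(hour=2)
    return DST_OFFSET if start <= local_naive < end else STD_OFFSET


def run_time_with_fixed_offset(year, month, day, hour, offset_hours):
    """Old behaviour: the configuration kept only the UTC offset captured at setup
    time, so the report fires at the same UTC instant all year regardless of DST."""
    local = datetime(year, month, day, hour)
    utc = local - timedelta(hours=offset_hours)
    return utc.replace(tzinfo=timezone.utc).isoformat()


def run_time_with_zone_name(year, month, day, hour):
    """Fixed behaviour: the configuration names the zone, so the offset is resolved
    for the date on which the report actually runs."""
    local = datetime(year, month, day, hour)
    utc = local - zone_offset(local)
    return utc.replace(tzinfo=timezone.utc).isoformat()


def local_wall_clock(utc_iso):
    """Wall-clock time the user actually sees for a UTC instant (used to check results)."""
    utc = datetime.fromisoformat(utc_iso).replace(tzinfo=None)
    # Guess the local date with the standard offset, then resolve the real offset for it.
    local = utc + zone_offset(utc + STD_OFFSET)
    return local.strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # Report configured in January for 08:00 local, when the zone's offset was -5.
    jan = run_time_with_fixed_offset(2019, 1, 15, 8, -5)
    jul_old = run_time_with_fixed_offset(2019, 7, 15, 8, -5)   # stale offset reused in July
    jul_new = run_time_with_zone_name(2019, 7, 15, 8)
    print(jan, local_wall_clock(jan))          # 13:00Z -> 08:00 local, correct
    print(jul_old, local_wall_clock(jul_old))  # 13:00Z -> 09:00 local, one hour late
    print(jul_new, local_wall_clock(jul_new))  # 12:00Z -> 08:00 local, correct
```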

Improvements to custom dashboards

With this release, we are making some improvements to the custom dashboards functionality that was introduced with release 7.13:

  • USER-2243: dashboard configuration UI now provides preview screenshots of widgets before they are added.
  • USER-2261: events map is now supported also in custom dashboard configuration.
  • FEAT-1556: change in terminology: the UI now refers to the items that can be added to a custom dashboard configuration as "widgets" rather than "gadgets".

New search terms in the Knowledge Base interface

The Knowledge Base interface now supports two additional search terms, accessible through the Intelligence Page:

  • Users can now search for HTTP user-agents when dealing with malware using suspicious or masquerading user-agents.

  • Users can now search by TLS certificate fingerprint when dealing with malware that uses secured communications for its C&C.

Update of supported browsers

With this release, we are updating the list of supported browsers to the following:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer 11
  • Apple Safari

This removes support for Microsoft Internet Explorer versions 9 and 10, since Microsoft Windows Vista has reached end of extended support. Microsoft Vista was the last desktop OS on which Internet Explorer versions below 11 were still supported by Microsoft.

Improved analysis of password-protected content

With this release, we are extending the support for password-protected content. The password provided as part of a file submission using the submit_file API function (previously used only for archive decryption) is now used for more file types, including Microsoft Office documents.

Additionally, we have extended this function to accept more than one password using the "password_candidates" parameter. This is useful when the caller does not know the password but can narrow down the set of possible entries to a small list of candidates.

Accept RFC-2822 encoded emails in Analyst API

FEAT-1118, FEAT-865: Starting with this release, the Lastline Analyst API accepts RFC-2822 encoded email messages for analysis. Similar to the handling in the Lastline Enterprise Sensor appliance, submitted emails are analyzed for suspicious content, and any email attachments that are found to be suspicious are extracted and analyzed as child tasks of the originally submitted email.
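As an added example (not Lastline's implementation), the following shows the parent/child structure described above from the submitter's side: parsing an RFC-2822 message and deriving one child record per attachment, which is useful for correlating the child task results the API returns with the parts of the original email. The sample message is constructed inline; the record layout and function names are this example's own.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def build_sample_email():
    """Constructed sample message (not a real capture): one text part, two attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Attachment payloads are placeholders, not real PDF/ZIP content.
    msg.add_attachment(b"%PDF-1.4 fake content", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04 fake zip", maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


def extract_child_tasks(raw_rfc2822):
    """Parse an RFC-2822 message and return (parent_record, child_records).

    The parent record identifies the submitted email itself; each child record
    describes one attachment, mirroring how each suspicious attachment becomes a
    child task of the email submission."""
    msg = email.message_from_bytes(raw_rfc2822, policy=policy.default)
    parent = {
        "subject": msg["Subject"],
        "from": msg["From"],
        "sha256": hashlib.sha256(raw_rfc2822).hexdigest(),
    }
    children = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)   # undo base64/quoted-printable
        children.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return parent, children


if __name__ == "__main__":
    parent, children = extract_child_tasks(build_sample_email())
    print("parent:", parent)
    for child in children:
        print("child task:", child)
```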

Run appliance test utility periodically

The existing lastline_test_appliance utility is now configured to run periodically to check the appliance's status. Any issues detected by that utility are reported to our backend so they are visible in the appliance monitoring logs view of the portal, and are included, as appropriate, in the appliance status notifications that the user has configured.

This can help to proactively detect a wide variety of error conditions on an installation. This improvement was tracked internally as FEAT-500.

Bug fixes and improvements

  • Fix bugs in the File Downloads tab of the Lastline Portal: filtering on "Contacted IP" and on "File Type" was not working correctly.
  • Added get_pending function for retrieving pending submissions via the Analyst API
  • More robust handling of Unicode in filenames on the Sensor
  • Upgrade of the Sensor's IDS codebase to libhtp 0.5.23, improving HTTP parsing robustness
  • Improve the analysis of URLs fetched by PDF files via the app.launchURL API
  • Improve the analysis of JavaScript files that use the Blob API to drop additional artifacts. In particular, the determination of the file type of the dropped file has been improved, leading to potentially more precise analysis results
  • Improve the export of analysis reports to PDF/RTF for Flash files submitted for analysis
  • Fix missing screenshots in export of analysis report to PDF/RTF
  • Fix truncation of authenticode-signer information in analysis overview
  • Fix export of analysis report activities (strip and suppress internal data)
  • Fix download of analysis report artifact
  • Fix missing analysis subject metadata in analysis reports
  • Allow configuration of multiple NTP servers in lastline_setup.
  • USER-2348: Fix bug in sensor configuration UI that caused the threshold setting to disappear if the "Do not add inline warning" option was selected.
  • FEAT-1470: In UI for submitting files for analysis, clarify what analysis will be performed on submission of a PCAP file.
  • FEAT-1596: Add "Minimum impact" filter in monitoring logs view. Set it to 30 to view all Warning and Error messages only.
  • USER-2280: For customers making use of Lastline's Active Directory integration, show logged in users also in the host activity view.
  • USER-2351: Fix display of small numbers on hover in queued mails graph in Mail Metrics View
  • USER-2354: Correctly show "pending" status for downloaded files in File Download Logs View
  • USER-2253: Rename "detection" column of network events table to "contacted host". The name "detection" was not appropriate for all classes of events.
  • USER-2295: In intelligence tab, add a clear search icon to the search bar.
  • CC-1665: Improved diagnostic output in lastline_test_appliance for processes with abnormally high CPU usage.
  • SURI-551: Improvements to compatibility with Blue Coat proxies in sniffing mode.
  • SENT-556: Fix improving the reliability of the ICAP service.
  • SENT-565: Fix erroneous "Inconsistent interfaces" notifications in the web UI's monitoring logs.
  • LLFILE-349, MALS-2134: Improve support of LZMA archives.
  • FEAT-1530: support resetting individual API tokens in installations with additional licenses
  • FEAT-1682: Display status of the Analysis Traffic (AnonVPN) Routing in the web portal under "Appliance Status".
  • LLAM-2174, LLAM-2175: Extract more static information (entropy and byte distribution) from memory of PE analysis subjects inside the sandbox.
  • MALS-2191: Improved handling of archives with non-UTF8 passwords.
  • MALS-2161: Improved handling of archives containing files using non-UTF8 filenames.
  • MALS-2155: Improved handling of gzip archives by deriving content filenames from original archive filename.
  • MALS-2170: Include information on analysis environment in analysis reports exported as PDF or RTF.
  • MALS-2126: Allow specifying multiple password candidates for archives submitted for analysis via the submit_file function (see parameter "password_candidates").
  • MALS-2143: Allow "low priority" submissions via the Analyst API. This allows submitting large batches of URLs and files with reduced impact on the overall throughput of the analysis queue.
  • FEAT-1228: If the AnonVPN Analysis Traffic Routing is configured in honeypot mode, the portal will now display a warning and disable URL submissions.
  • LLWEB-1701: Improved extraction of JavaScript from PDF files.
  • LLWEB-903: Improved detection of ROP-based shellcode.
  • LLWEB-1707: Improved handling of web responses with content type "application/hta".
  • LLUPL-501: fix bug that could cause failure to generate report about the monitored network
  • USER-2225: fix bug that could prevent selecting a timezone for report generation
  • CC-1868: fix bug that could cause some new MANAGER or PINBOX appliance versions to not become available for manual upgrade from UI.
  • CC-1693: fix bug that could cause setup of Standby Manager to fail when an HTTP proxy was configured
  • USER-2347: support for deregistering sensors in the appliance status view
  • CC-1946: Prevent lastline_test_appliance from hanging in case of unstable network connection.
  • SENT-610: Prevent OS update performed after first registration from hanging.
  • CC-1953: Do not use OPTIONS method when testing connectivity to https proxy.
  • Multiple improvements in error reporting during appliance installation.
  • CC-1859: Fix bug that could prevent successful configuration of a virtual IP address for failover in an HA scenario

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • query_ip_range_whitelist
  • set_ip_range_whitelist
  • delete_ip_range_whitelist
  • query_stats_notifications
  • add_stats_notification
  • update_stats_notification
  • delete_stats_notification

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 725
  • Lastline Engine version 725
  • Lastline Sensor version 720.3
  • Lastline All-in-one (pinbox) version 725

Deprecation of appliance versions

  • Sensor versions before 720 are being deprecated with this release. These deprecated sensor versions will, however, remain supported at least until On-Premises release 7.16.

  • Sensor versions before 717 have been deprecated since the Enterprise On-Premises 7.13 release. These deprecated sensor versions will remain supported at least until On-Premises release 7.15.
