Version 7.15
New features
- Show warning when downloading analyzed file
- Improvements to Active Directory integration
- Explicit proxy support
- Adjust error reporting verbosity of appliance test utility
- Show license status in appliances UI
- New timeline tab in Intelligence search results
- Improved example queries in Intelligence search page
- Portal is now a one-page-app
- Portal support for configuring IDS Rule Variables
- Improved support for ICAP integration in UI
- Support appliance upgrade in UI as soon as new release is available
- Email analysis improvements
- File analysis improvements
- URL analysis improvements
- Traffic sniffing improvements
- Bug fixes and improvements
Show warning when downloading analyzed file
The Portal will now show a warning the first time a user attempts to download a file that was submitted for analysis. The warning advises the user that the file is potentially malicious and should be handled with care.
This improvement was tracked as FEAT-2022.
Improvements to Active Directory integration
The Active Directory integration has seen a number of improvements in this release.
- Support for explicitly specifying a domain name when configuring the user credentials to be used for fetching login events from a domain controller. This can be done by providing a username in the form DOMAINNAME\USERNAME
- Official support for domain controllers running Windows Server 2016
- Enforce use of NTLMv2 for authentication to the domain controller, instead of weaker authentication such as NTLMv1
These improvements were tracked as FEAT-1962.
Explicit proxy support
It is now possible to configure a Lastline sensor appliance to act as an explicit HTTP/HTTPS proxy. It can be configured to listen on a specific sensor interface, and ACL rules define the network ranges that are allowed to send requests to it. By default the proxy performs man-in-the-middle inspection of HTTPS interactions using a locally generated CA certificate. One or more upstream proxies can be defined that the sensor will rely on when serving requests; if TLS inspection is enabled, the upstream proxies are required to support SSL encryption. The detection and blocking capabilities of the proxy are equivalent to those currently offered through the ICAP service, and include:
- Analysis of artifacts identified in HTTP responses, with the possibility to block files that have already been analyzed by the platform and whose analysis score is above a configurable threshold.
- Matching of destination IPs/domains against our threat intelligence data.
Blocking based on threat intelligence information and more complete support for C&C and drive-by download detection will be supported in a future release.
This improvement was tracked internally with tickets FEAT-1608 and FEAT-1951.
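The following is an added illustration of the proxy policy described above, not code from the Lastline product: it models the three decisions the notes mention (client ACL by network range, blocking of already-analyzed files above a score threshold, and the requirement that upstream proxies support SSL when TLS inspection is on). All class, field and function names, and the sample configuration, are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class UpstreamProxy:
    host: str
    port: int
    supports_tls: bool  # assumed attribute: can this upstream carry inspected HTTPS?

@dataclass
class ProxyConfig:
    allowed_ranges: list   # ACL: client networks allowed to send requests to the proxy
    tls_inspection: bool   # man-in-the-middle HTTPS inspection with the local CA
    block_threshold: int   # block already-analyzed files scoring above this (0-100)
    upstreams: list = field(default_factory=list)

def validate_config(cfg):
    """Return a list of configuration problems; an empty list means the config is consistent."""
    problems = []
    for rng in cfg.allowed_ranges:
        try:
            ipaddress.ip_network(rng, strict=False)
        except ValueError:
            problems.append(f"invalid ACL range: {rng!r}")
    if not 0 <= cfg.block_threshold <= 100:
        problems.append("block_threshold must be between 0 and 100")
    if cfg.tls_inspection:
        # the notes require upstream proxies to support SSL when TLS inspection is enabled
        for up in cfg.upstreams:
            if not up.supports_tls:
                problems.append(f"upstream {up.host}:{up.port} does not support SSL")
    return problems

def client_allowed(cfg, client_ip):
    """ACL check: is the client inside one of the allowed network ranges?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in cfg.allowed_ranges)

def response_verdict(cfg, known_scores, file_hash):
    """Verdict for an artifact found in an HTTP response. Only files the platform has
    already analyzed (present in known_scores) can be blocked; unknown files pass."""
    score = known_scores.get(file_hash)
    if score is None:
        return "allow"
    return "block" if score > cfg.block_threshold else "allow"

# Constructed sample configuration and score cache (not real Lastline data)
SAMPLE_CONFIG = ProxyConfig(allowed_ranges=["10.0.0.0/8", "192.168.1.0/24"], tls_inspection=True,
                            block_threshold=70, upstreams=[UpstreamProxy("upstream.example", 3128, True)])
SAMPLE_SCORES = {"hash-a": 90, "hash-b": 40}
```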
Adjust error reporting verbosity of appliance test utility
With the previous release 7.14, the existing lastline_test_appliance utility was configured to run periodically on appliances to check the appliance's status. Any issues detected by that utility are then reported to our backend so they are visible in the appliance monitoring logs view of the portal, and are included as appropriate in the appliance status notifications that the user has configured.
This can help to proactively detect a wide variety of error conditions on an installation. This change, however, revealed some issues in the error reporting verbosity of the test utility, which have been resolved with this release:
- FEAT-2012: lack of sniffing interfaces is no longer considered an error on sensors where sniffing is disabled, such as mail-only sensors.
- CC-1940: the "SOFTWARE:heavy_processes" check which detects processes with extremely high CPU usage has been downgraded from error to warning.
- CC-1928: errors and warnings about a hardware configuration that is not compliant with minimum requirements for our software have all been downgraded to warning with impact level 30. This is lower than the impact level of other warnings, which start at 40. To receive appliance status notifications but exclude hardware requirements issues reported by lastline_test_appliance, users can configure a notification threshold of 35.
Show license status in appliances UI
The appliance overview and status pages now display information on the validity of an appliance's license. If an appliance's license is expired, or a sensor's subkey is inactive, the appliance's overall status will be set to "License expired".
Furthermore, if an appliance's license will expire in the next 15 days, the appliance's overall status will be "License expires soon".
This improvement was tracked internally as FEAT-1892.
New timeline tab in Intelligence search results
The results of a search in the Intelligence tab now include an additional "Timeline" tab. This displays the timeline of analysis runs where specific search terms were encountered. This is applicable for search terms that are:
- domains
- IP addresses
- file hashes
- threat names
This improvement was tracked internally as FEAT-1742.
Improved example queries in Intelligence search page
With this release, we are improving the query examples provided in the Intelligence search page:
- Example queries can now be frequently updated by Lastline to reflect new malware trends.
- Example queries are now easier to find, rather than hidden under "Advanced Search".
- The expanded list of example queries now includes a description of each example which provides some information on why it can be an interesting query.
This improvement was tracked internally as FEAT-1816.
Portal support for configuring IDS Rule Variables
The Lastline Enterprise Portal now provides initial support for displaying and configuring custom intelligence, which was previously only available through the Lastline API.
In this version, this is limited to configuring address group IDS rule variables used by custom IDS rules. These configuration options are available through the Custom Intelligence dropdown in the Admin tab. This improvement was tracked internally as FEAT-1393.
Portal is now a one-page-app
The Lastline Portal UI is now a single-page web application. What this means for users is faster load times when switching between tabs that were previously separate applications. This improvement was tracked internally as FEAT-1677.
Improved support for ICAP integration in UI
Our support for integrating with HTTP proxies using the ICAP protocol has been improved:
- Add support for configuring ICAP blocking settings through the appliance configuration view of the Appliances tab. If the sensor appliance was previously configured for blocking by editing the local file /etc/appliance-config/override.yaml, we recommend removing the relevant lines from the override file.
- Metrics about the ICAP integration are now available in the ICAP Metrics view.
This improvement is tracked internally as FEAT-1507.
Support appliance upgrade in UI as soon as new release is available
Starting from this release, customers will be able to upgrade their appliances in the Appliances tab of the portal as soon as a new release is announced.
Before this release, customers could only do this after Lastline had triggered auto-upgrade for the release.
This change allows customers who want earlier access to a new version to obtain it.
This improvement is tracked internally as FEAT-423.
Email analysis improvements
- FEAT-1265: Expose in the Sensor/Pinbox settings web UI the ability to enable a workaround for Microsoft Outlook Web Mail. Without such workaround Microsoft Outlook Web Mail would display the body of blocked emails as an attachment.
- LLMAIL-352: Time-limit HTML analysis, to prevent it from stalling the email pipeline.
- LLMAIL-337: Warn in manager web UI if email queue utilization is above 85%.
- FEAT-1773: Allow users to enable a workaround to prevent Microsoft Outlook Web Mail from displaying body of blocked emails as attachment.
File analysis improvements
- LLFILE-359: Improvements to the file type detection accuracy of Microsoft PowerPoint Slideshow files.
- LLFILE-344: Improvements to the file type detection of MSI installer packages.
- LLADOC-388: Improvements to the file type detection for data/scripts embedded in documents.
- SIGREPSCAN-276/277: Improvements to the detection of stalling/download activity using system utilities.
- LLADOC-355: Improvements to the detection of ROP-based document exploits.
- LLADOC-378: Improvements to the detection of EPS-based document exploits.
- LLADOC-386: Improvements to the extraction of URLs embedded in Microsoft Office documents.
- LLADOC-401: Improvements to the extraction of Macro content from Microsoft Office documents.
We have made enhancements to the detection of
- SIGLOGSCAN-185 installing hooks.
- SIGREPSCAN-255 document exploits via non-ASLR libraries.
- SIGREPSCAN-307 LLADOC-392 LLADOC-419 LLADOC-428 document exploits via remote OLE objects.
- LLADOC-425 hidden action events in Microsoft PowerPoint files.
- LLADOC-422 scripts embedded in documents.
- ANREV-3807 ANREV-3808 spambots.
- ANREV-3845 JavaScript embedded in PDF files.
- ANREV-3899 SIGREPSCAN-157 ransomware behavior.
- ANREV-3901 ANREV-3902 SMB exploit code.
- LLADOC-355 LLADOC-378 LLADOC-387 LLADOC-402 ROP shellcode.
- LLADOC-374 LLADOC-393 environment specific Microsoft Office macro code.
- LLADOC-388 LLADOC-403 embedded script code in Microsoft Office documents.
- LLADOC-407 anomalous macros using system utilities.
- LLADOC-408 LLADOC-411 obfuscated, embedded EPS images.
- SIGLOGSCAN-173 SIGLOGSCAN-187 document exploits via harmful CLSIDs.
- SIGLOGSCAN-183 SIGLOGSCAN-184 code/thread injection.
- SIGLOGSCAN-186 VM fingerprinting behavior.
- SIGLOGSCAN-190 extraction of email addresses from Microsoft Outlook.
- SIGLOGSCAN-193 network scanning behavior.
- SIGLOG-40 searching for AV products.
- SIGREPSCAN-159 SIGREPSCAN-284 anomalous script invocations.
- SIGREPSCAN-252 SIGREPSCAN-272 SIGREPSCAN-308 UAC Bypass.
- SIGREPSCAN-264 enumeration of security products via WMI.
- SIGREPSCAN-271 disabling Microsoft Word recovery features.
- SIGREPSCAN-276 SIGREPSCAN-277 abuse of system utilities (such as waitfor.exe and bitsadmin.exe).
- SIGREPSCAN-301 using GEO location services.
and improved the reliability of
- LLADOC-391 extracting OLE streams from Microsoft Office documents.
- LLADOC-392 LLADOC-395 LLADOC-401 extracting URLs from Microsoft Office documents.
- LLADOC-404 LLADOC-414 MALS-375 Ole10Native stream analysis.
- LLADOC-413 WordProcessingML handling.
- LLAM-2806 MALS-2162 MALS-2137 generating program bundles from archives.
URL analysis improvements
- LLWEB-1690: Improvements to the handling of resources downloaded via the Content-Disposition header.
- LLWEB-1686: Improvements to the detection of ROP-based shellcode.
Traffic sniffing improvements
- SENT-583: Improvements to file extraction when transferring script files.
- SENT-583, LLWEB-1705: Improvements to the detection capabilities of on-the-wire webpage inspection.
Bug fixes and improvements
- USER-2507: Fix for the portal walk-through in the Firefox browser.
- USER-2129: Improved display of DNS queries that receive an NXDOMAIN reply in the analysis report.
- USER-2466: Upgrade market verticals and analysis timeline graphs under the report overview to the new UI standard displays.
- MALS-2229: Improved Analyst API documentation for file submission when a file upload is required.
- MALS-2143: Ability to specify low-priority submissions in the Analyst API.
- LLAM-2832: Stability improvements when extracting PE metadata.
- LLAM-2620: Improved extraction of files dropped inside the analysis sandbox during analysis.
- SENT-615: It is now possible to configure the sensor as an ICAP server without needing to enable the sniffing services.
- SENT-624: Support for the analysis and detection of .jse files on the sensor.
- SURI-579: Fixed a bug that prevented the correct analysis of SMTP exchanges in sniffing mode when the SMTP transaction involved a large number of recipients.
- LLMAIL-360: No longer test the nexthop SMTP connection with NOOP commands.
- CC-1946: Make sure lastline_test_appliance will not hang forever on a stalling HTTP request, but terminates with a timeout error.
- Improvement to the stability of the sensor sniffing capabilities.
- LLFILE-366 MALS-2222 Analyze files embedded in ISO containers in the Analyst API.
- LLAM-2176 LLAM-2232 Extract static properties on PE overlay.
- LLAM-2176 LLAM-2232 Extract static properties on resources embedded in PE files.
- MALS-2199 LLFILE-363 Improved reliability of archive inflation.
- FEAT-1590: display help for Network IoC tags in the Intelligence tab.
- FEAT-1308: display the page title in the navbar at the top of the page in the Lastline Portal.
- USER-2115: make appliance selection persistent across all views of the Appliances tab.
- SENT-544: improvements to ICAP service stability and performance.
- SURI-586: bug fix addressing possible false positives in TLS C&C detection.
Deprecation of API methods
With this release, all methods of the legacy API (/ll_api/ll_api) are now deprecated. The following final API methods of the legacy API are being deprecated in this version:
- add_host_label
- delete_host_label
- query_host_labels
- set_incident_read_status
- set_incident_archived_status
- set_source_cleaned_status
- set_source_threat_ignored_status
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 740
- Lastline Engine version 740
- Lastline Sensor version 722.6
- Lastline All-in-one (pinbox) version 740
Released sandbox images versions
With this release, the sandbox images version is updated to 2017-06-19-01.
Deprecation of appliance versions
- Sensor versions before 720 were deprecated in the Enterprise On-premises 7.14 release. We will be dropping support for sensor versions before 720 with release 7.16.
- Sensor versions before 717 were deprecated in the Enterprise On-premises 7.13 release. We will be dropping support for sensor versions before 717 with release 7.16.
Distribution Upgrade
The appliance versions being made available as part of this release will be the last versions to support Ubuntu Precise as the underlying operating system distribution. Before upgrading to any later version, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These upgrades are not performed automatically, to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.