Lastline Enterprise On-Premises Release Notes

Version 7.16.1

New features

  • Improved file analysis
  • Bug fixes and improvements

Improved file analysis

  • LLADOC-445 LLFILE-383: decrypt more Microsoft Office document file types for extracting embedded objects.

We have made enhancements to the detection of

  • ANREV-3981 memory scraper tools.
  • ANREV-4167 SIGLOGSCAN-218 SIGLOGSCAN-228 Tyupkin ATM malware.
  • ANREV-4213 using DiskCryptor drivers.
  • ANREV-4223 EternalRomance exploits.
  • LLADOC-454 LLADOC-482 LLADOC-493 exploits using external commands or DDE Links in Microsoft Office documents.
  • LLADOC-489 LLADOC-503 LLADOC-504 embedded objets in RTF files.
  • LLADOC-498 Microsoft Office VBA macro infections.
  • SIGLOGSCAN-160 system fingerprinting via registry values.
  • SIGLOGSCAN-173 SIGLOGSCAN-173 exploits using ASLR bypasses.
  • SIGLOGSCAN-205 x86 shellcode injected into applications.
  • SIGLOGSCAN-208 fileless payloads.
  • SIGLOGSCAN-210 network share enumeration.
  • SIGLOGSCAN-211 samples using cryptography APIs.
  • SIGLOGSCAN-227 sandbox evasions via checking for known usernames/hostnames.
  • SIGLOGSCAN-229 Turla Carbon variants.
  • SIGREPSCAN-264 processor fingerprinting via WMI.
  • SIGREPSCAN-301 using Geo-IP URLs.
  • SIGREPSCAN-314 use of anomalous filenames violating Microsoft Windows requirements.
  • SIGREPSCAN-336 forced application deletion.
  • SIGREPSCAN-337 file dropping in non-standard/suspicious locations.
  • SIGREPSCAN-338 file permission modifications.
  • SIGREPSCAN-339 previewing dropped files.
  • SIGREPSCAN-340 concealing file extensions.
  • SIGREPSCAN-341 sample self-deletion.
  • SIGREPSCAN-342 script download-execute behavior.
  • SIGREPSCAN-347 exploits abusing CVE-2017-8759.
  • SIGREPSCAN-351 changing file-access and -modification timestamps.
  • SIGREPSCAN-353 code compilation from Microsoft Office macros.
  • SIGREPSCAN-354 suspicious code unpacking in Microsoft Windows kernel drivers.
  • SIGREPSCAN-370 evasions via process enumeration.
  • SIGREPSCAN-371 SIGREPSCAN-376 SIGREPSCAN-378 ransomware behavior.

and improved the reliability of

  • LLADOC-484 LLADOC-496 LLADOC-502 LLADOC-514 extracting text content from Microsoft Office documents and emails.
  • LLADOC-494 detecting anomalous VBA macros.
  • LLADOC-486 static analysis of nested Microsoft Office document streams.
  • LLADOC-477 extracting embedded Flash files from Microsoft Office documents.
  • LLFILE-389 classifying scripts types.

Bug fixes and improvements

  • LLANTA-283: lower default limit for collecting NetFlow information.
  • MALS-2338: less aggressive truncation of large data fields stored in analysis reports.

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) have been deprecated.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 810
  • Lastline Engine version 810
  • Lastline Sensor version 725.2
  • Lastline All-in-one (Pinbox) version 810

Released sandbox images versions

The sandbox images version remains at 2017-07-17-01.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base

7.16 7.16.2