Lastline Enterprise On-Premises Release Notes

Version 7.17

New features

  • Explicit proxy improvements
  • Email analysis improvements
  • Increased visibility in Mac OS analysis framework
  • Basic jumbo frame support in sensor
  • Display labels for the classification of samples in analysis overview
  • ICAP/explicit proxy branding configuration
  • New permissions for viewing email information
  • Route email messages based on destination domain
  • Improved appliance configuration page
  • Download blocking events
  • Support for interface bonding on sniffing interfaces
  • HOME_NET awareness on sensor appliances
  • Provide context from Lastline Intelligence for network detections
  • Support for testing notification configurations

Explicit proxy improvements

The explicit proxy now fully validates SSL certificates being inspected. Invalid certificates will be rejected and interaction with the page will be blocked. Additional functionality has been introduced on top of this default behavior:

  • FEAT-2468: it is now possible to instruct the proxy to never perform SSL inspection of specific destinations. This can be configured on the sensor appliance itself by adding hosts to the whitelist file located at the following path:

/etc/lastline/customer_whitelist_domains_ssl_noinspection.txt

Notice: lastline_apply_config must be run after performing modifications to the whitelist file.

  • FEAT-2469: while the default behavior of the proxy will be to block access to domains offering invalid certificates, it is still possible to instruct the proxy to disable certificate validation on specific destinations. This is also configurable by acting on a file on the sensor appliance:

/etc/lastline/customer_whitelist_domains_ssl_invalid_cert.txt

Notice: lastline_apply_config must be run after performing modifications to the whitelist file.

  • SQUID-18: the list of ciphers supported by the SSL proxy has been hardened, and ciphers associated with known vulnerabilities are now blocked.

This change was tracked internally as FEAT-2822

Email analysis improvements

  • FEAT-2627: As part of a planned set of improvements to the analysis of URLs in email bodies by the sensor appliances, we have improved the ability of the sensor to identify URLs hosted on known malicious domains or known to be compromised as part of an ongoing campaign.
  • FEAT-2178: Allow configuring a list of destination domains that llmail is willing to accept in MTA mode. The API setting is currently called llmail::acceptable_recipient_domains_json. It is exposed in the API but not (yet) in the web UI. The setting is a JSON list of regular expressions. If this setting is non-empty, llmail will accept only emails that have an RCPT TO with a domain matching one of the regexps.
  • LLMAIL-392: In some cases, incoming SSL/TLS SMTP connections that were not cleanly closed by the upstream SMTP server were not cleaned up correctly by llmail. This led to a growing number of stale incoming connections until the maximum number of incoming connections was reached and new connections were rejected with a temporary SMTP error. This issue is now fixed.
  • LLMAIL-394: The X-Lastline header will now include the tag "analysis-incomplete=analysis-timed-out" (instead of "benign") in case waiting for the analysis result times out and the email is forwarded.
  • LLMAIL-395: In the email tracing log, when a bounce is generated, include a line that links the uuid of the original email with the uuid of the generated bounce email.

This change was tracked internally as FEAT-2821
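An added example (not Lastline code) for reviewing a candidate value of llmail::acceptable_recipient_domains_json before it is applied: it lists the look-alike domains each regexp would accept if matched unanchored. How llmail applies the regexps (anchored or not, case sensitivity) is not stated in these notes; the setting value, the probe addresses and the case-insensitive matching below are constructed assumptions.

```python
import json
import re

# Constructed value for llmail::acceptable_recipient_domains_json (not from a real appliance).
SETTING = r'["example\\.com", "^example\\.com$", "^(.+\\.)?example\\.org$"]'

# Constructed RCPT TO probes: intended domains plus look-alikes that must be rejected.
PROBES = [
    "<alice@example.com>",
    "<bob@example.com.lookalike.test>",
    "<carol@notexample.com>",
    "<dave@mail.example.org>",
    "<erin@example.org>",
    "<frank@badexample.org>",
]

def rcpt_domain(rcpt_to):
    """Return the lower-cased domain of an RCPT TO address, or None if malformed."""
    local, sep, domain = rcpt_to.strip().strip("<>").rpartition("@")
    return domain.lower() if sep and local and domain else None

def load_patterns(setting_json):
    """Parse the setting and reject anything that is not a JSON list of strings."""
    patterns = json.loads(setting_json)
    if not isinstance(patterns, list) or not all(isinstance(p, str) for p in patterns):
        raise ValueError("setting must be a JSON list of regular expressions")
    return patterns

def anchoring_sensitive(setting_json, probes):
    """Map each regexp to the probe domains it accepts only when matched unanchored."""
    report = {}
    domains = [d for d in map(rcpt_domain, probes) if d]
    for pattern in load_patterns(setting_json):
        # Assumption: case-insensitive matching, since domain names are case-insensitive.
        rx = re.compile(pattern, re.IGNORECASE)
        report[pattern] = [d for d in domains if rx.search(d) and not rx.fullmatch(d)]
    return report

if __name__ == "__main__":
    for pattern, leaked in anchoring_sensitive(SETTING, PROBES).items():
        print(f"{pattern!r}: {'OK' if not leaked else 'also accepts ' + ', '.join(leaked)}")
```

A regexp with an empty list gives the same verdict under either matching mode, so writing every entry with explicit ^ and $ anchors removes the dependency on how the regexps are applied.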

Increased visibility in Mac OS analysis framework

This release marks the general availability of an improved analysis for threats targeting Mac OS. These improvements have been phased in incrementally over recent months.

The new system improves deep inspection of any application started in the Lastline Mac OS sandbox, increases visibility in activities performed, allows more flexible anti-evasion techniques, supports additional file-types, and more.

This improvement was tracked internally as

  • FEAT-1161 FEAT-1744: improved visibility into behaviors and anti-evasion techniques,
  • FEAT-1328: improved inspection of Unix syscalls,
  • FEAT-1750: improved analysis of DMG, Mac OS Application bundles, as well as Mac Universal Binaries, and
  • FEAT-1633: more flexible tracking of behaviors and detection of suspicious activities.

This change was tracked internally as FEAT-2817

Basic jumbo frame support in sensor

Sensor 729 includes support for sniffing packets on interfaces with MTU larger than the default size for Ethernet links, the so-called jumbo frames. If the network being monitored uses jumbo frames, it is possible to reflect this in the sensor configuration by modifying the MTU of the associated sniffing interface. By running "lastline_apply_config" after the MTU reconfiguration the sensor will become aware of the custom MTU setting and configure the sniffing service accordingly.

This change was tracked internally as FEAT-2756

Display labels for the classification of samples in analysis overview

When displaying the analysis overview for the analysis of a file or URL, the Lastline Portal will now display additional information on the classification of the sample. Specifically, the following three fields will be displayed, if information is available for each of them for the sample:

  • Antivirus class: this is the general classification of this sample according to antivirus technology, and has values such as "trojan", "ransomware", "adware".
  • Antivirus family: this is the more specific classification of the sample according to antivirus technology, and has values such as "locky", "bundleinstaller", "virut".
  • Malware: this is the Lastline malware name attributed to this sample based on the network traffic that was observed during analysis.

This change was tracked internally as FEAT-2483

ICAP/explicit proxy branding configuration

It is now possible to customize the blocking behavior of the sensor when operating in ICAP or explicit proxy mode. The following customizations are possible:

  • Modify the message reported to the user when an HTTP transfer was blocked by Lastline for security reasons.
  • Remove the Lastline logo from the blocking pages.
  • Remove Lastline-specific details from the blocking pages: if a URI is blocked by Lastline, additional information is included in the page such as the internal UUID of the analysis that led to the blocking decision. This information can now be hidden.
  • Disable X-Lastline-* headers: the sensor usually adds Lastline-specific headers to the headers of the transactions that have been inspected. These headers are useful to understand the reason that led to a blocking decision and diagnose problems. It is now possible to disable the inclusion of these headers to the inspected transactions.

This change was tracked internally as FEAT-2432

New permissions for viewing email information

This release introduces more granular permissions for controlling access to email information collected by Lastline Enterprise. For this, it introduces two new permissions: "Can view emails" and "Can view benign emails".

  • can view emails: This permission is required to view any information about emails in the Mail tab. It only allows viewing information (mail messages, attachments, or URLs in emails) that is suspicious (score of 30 or above). This permission can be granted globally, or limited to specific licenses or subkeys.

  • can view benign emails: This permission can be granted in addition to can view emails. It allows access also to mail information that is not suspicious (score below 30).

To minimize the impact of this change on existing installations and user workflows, this release also grants the "can view emails" permission to all accounts that have the corresponding "can access alerts" permission. Existing non-administrator accounts will therefore continue to have visibility into mail messages that are at least suspicious. To view information about benign email messages, however, they will need to request the new "can view benign emails" permission from their administrator.

This change was tracked internally as FEAT-2300

Route email messages based on destination domain

It is now possible to customize the MTA next hop used by the Lastline sensor based on the destination domain. Multiple next hop tables can now be defined, and associated with either exact destination domains (e.g. "@domain.com") or subdomains of a given prefix (e.g. ".domain.com" matching "@sub1.domain.com"). Within each next hop table, multiple next hop endpoints can be defined and can be associated with different priorities.

This change was tracked internally as FEAT-2298

Improved appliance configuration page

The appliance configuration page of the Lastline Portal has been redesigned and improved. The available configuration options are now organized into tabs by category.

This change was tracked internally as FEAT-2172

Download blocking events

Starting from this release, the sensor reports information on blocking actions performed on file downloads that have been processed by ICAP or by explicit proxy. Depending on the blocking mode configured for a given filetype, the sensor applies different strategies to block the transfer of known malicious files. If the file transfer was blocked by the appliance, the information will be reported in the UI with the tag "blocking attempted".

This change was tracked internally as FEAT-2157

Support for interface bonding on sniffing interfaces

The sensor now fully supports the use of interface bonding to aggregate the two traffic directions when operating with TAP devices. The sensor will detect the presence of a bonded interface in the list of sniffing interfaces and correctly configure the NIC for best performance.

This change was tracked internally as FEAT-1573

HOME_NET awareness on sensor appliances

The Custom Intelligence page in the Admin tab already allows the definition of custom IDS variables to be applied to all or to specific sensors. The HOME_NET variable defines one or more CIDR prefixes that should be considered internal to a given organization. Detections for hosts not belonging to this range will not be taken into account by the sensor appliance, avoiding potential false positives caused by external scans. The value of the HOME_NET variable is now honored by all Lastline detectors.

This change was tracked internally as FEAT-1394
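An added example (not Lastline code) of the consequence described above: hosts outside HOME_NET produce no detections, so an internal subnet missing from HOME_NET becomes a blind spot. The HOME_NET value, the event records and their field names are constructed for illustration; the check reports RFC 1918 hosts that the configured prefixes do not cover.

```python
import ipaddress

# Constructed HOME_NET value and detection events (illustrative only).
HOME_NET = ["10.0.0.0/8", "192.168.10.0/24"]
EVENTS = [
    {"host": "10.1.2.3", "detection": "constructed-event-1"},
    {"host": "203.0.113.7", "detection": "constructed-event-2"},
    {"host": "192.168.20.15", "detection": "constructed-event-3"},
    {"host": "172.16.4.9", "detection": "constructed-event-4"},
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_prefixes(prefixes):
    """Parse CIDR strings; strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/8)."""
    return [ipaddress.ip_network(p.strip(), strict=True) for p in prefixes]

def contains(nets, host):
    """True if the host address falls inside any of the given networks."""
    ip = ipaddress.ip_address(host)
    return any(ip.version == n.version and ip in n for n in nets)

def split_by_home_net(events, home_net):
    """Return (kept, ignored): events for hosts inside and outside HOME_NET."""
    nets = parse_prefixes(home_net)
    kept = [e for e in events if contains(nets, e["host"])]
    ignored = [e for e in events if not contains(nets, e["host"])]
    return kept, ignored

def uncovered_internal_hosts(events, home_net):
    """Private (RFC 1918) hosts whose detections would be ignored: likely HOME_NET gaps."""
    _, ignored = split_by_home_net(events, home_net)
    return sorted({e["host"] for e in ignored if contains(RFC1918, e["host"])})

if __name__ == "__main__":
    kept, ignored = split_by_home_net(EVENTS, HOME_NET)
    print("kept:", [e["host"] for e in kept])
    print("ignored:", [e["host"] for e in ignored])
    print("private hosts outside HOME_NET:", uncovered_internal_hosts(EVENTS, HOME_NET))
```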

Provide context from Lastline Intelligence for network detections

The Lastline Portal now provides additional context for network detections, by providing additional information about potential indicators of compromise (IoCs) observed on the network. This functionality is provided for:

  • IP addresses
  • Host names resolved via DNS
  • Host names found in HTTP Host headers
  • User Agent strings

The context is provided by badges that can be clicked to display reputation information for the potential IoCs, as well as links for searching for those values in the Intelligence Page.

This functionality is available for customers with a Lastline Knowledgebase license.

This change was tracked internally as FEAT-1047

Support for testing notification configurations

When setting up a notification configuration, users are now able to send a test message to verify that the setup is correct.

This functionality is available for a number of integrations supported by Lastline:

  • Email notifications
  • Syslog notifications (SIEM)
  • Generic HTTP notifications
  • Streaming API notifications

This functionality can be triggered from the Lastline Portal by clicking on the "Send test notification" button when viewing a notification configuration. This allows users to verify end-to-end delivery of a notification to its intended recipient.

This change was tracked internally as FEAT-945

Bug Fixes and Improvements

  • USER-2713: Updated favicon for a cosmetic fix
  • USER-2702: Fix bug that could result in failed login attempts being inaccurately displayed in audit log as originating from local IP address 127.0.0.1.
  • USER-2699: Clarify in Lastline Portal text that an administrator can change another account's password without knowing its current password. The password that is requested to confirm this action is the administrator account's own password.
  • USER-2598: fix issue where appliance upgrade dialog would suggest enabling auto-update even though it was already on
  • SENT-754: the upgrade of sensor appliances to trusty introduced issues in our support for Silicom NICs. The Silicom NIC driver has been updated to address the issues.
  • SENT-726: experimental support for AF_PACKET for NICs based on igb driver.
  • SENT-707: fix to race condition in lastline_test_appliance
  • SENT-696: fix to a bug in the explicit proxy implementation that could cause failures when dealing with large chunk-encoded files
  • PLTF-71: Stop reporting unhelpful, generic errors such as "Error(s) occurred while running lastline_test_appliance". The individual errors that occurred are already reported separately.
  • PLTF-56: Fixed a bug that could, in rare cases, cause processing of appliance monitoring logs to get stuck due to an invalid message.
  • PLTF-28: Fix issue that could cause the lastline_test_appliance utility to report an error because there is "Not enough free space in the LVM", just because a backup is currently running.
  • LLUPL-545: fix issue where report generation could leave files in /tmp
  • LLMAIL-420: More robust handling of email URL extraction (better handling of non-lowercase schemes)
  • LLMAIL-365: Email analysis in-line: support routing of emails to different nexthop servers based on destination domain
  • LLAM-3063: fix bug when executing different entry points during a Microsoft Windows DLL analysis.
  • FEAT-2550: Tool for analyzing the local analysis data-usage: analyst_scheduler_data_usage.py
  • FEAT-2507: table in appliance selection modal to remember table view settings such as column visibility and width.
  • FEAT-2475: fix typo in portal when deleting an account.
  • FEAT-2457: More accurate and reliable emulation of recent hardware platforms in the analysis sandbox.
  • FEAT-2448: fix multiple issues with y-axis of metric graphs and other graphs in the Lastline Portal.
  • FEAT-2446: change file downloads tab to make all downloads the default view.
  • FEAT-2342: disable Cipher Block Chaining (CBC) algorithms in the SSH server.
  • FEAT-2330: support for searching by file's imports hash in intelligence tab.
  • FEAT-2293: mail tab of UI now consistently supports filtering by minimum impact/score
  • FEAT-2134: the downloads and manuals pages of the Lastline Portal have been updated. The downloads page now displays ISO downloads that are relevant for a user's available licenses.
  • FEAT-1862: This release improves the process used by the sensor to identify malicious URLs in email messages. More file extensions are recognized as interesting from a security standpoint and are selected for analysis.
  • ENG-2300: fix to bug causing SSH daemon to crash if a monitoring account is set up.
  • CC-2104: fix timeout when running lastline_register for customer with extremely high number of licenses.
  • CC-1670: lastline_test_appliance: avoid false positive error about CPU

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) have been deprecated.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 830.1
  • Lastline Engine version 830.1
  • Lastline Sensor version 729.1
  • Lastline All-in-one (Pinbox) version 830.1

Released sandbox images versions

The sandbox images version remains at 2017-07-17-01.

Distribution Upgrade

As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
