Version 8.2
New Features
- Widget to display new network detections in dashboard
- Support for filtering by intrusion/not in an intrusion in hosts and incidents listing
- Ability to permanently delete decommissioned appliances from overview in UI
- Support ICAPS
- Improve filtering of URLs using threat intelligence cache
WIDGET TO DISPLAY NEW NETWORK DETECTIONS IN DASHBOARD
The Lastline Portal dashboards now support a new widget for displaying the top new detections in your network. This can help you spot new threats in your network that may need to be prioritized for further investigation. These threats might otherwise have been hidden among other, less interesting detections.
This widget will display the top detections by impact that were seen for the first time ever during the selected interval. A detection is treated as new if it is the first time a specific network IoC or detection logic was triggered in a specific network.
For each new detection, the widget provides a link to a reference network event that provides a sample instance of the detection.
The newly introduced widget is displayed in the built-in Overview dashboard, and is also available for use in custom, user-defined dashboards.
This new feature was tracked internally as FEAT-3285.
SUPPORT FOR FILTERING BY INTRUSION/NOT IN AN INTRUSION IN HOSTS AND INCIDENTS LISTING
The incidents console and infected hosts pages now support an additional filter for selecting detections that are part of specific intrusions, or detections that are not part of any intrusion.
Filtering out detections that are part of an intrusion can allow an analyst to view "what else was detected" after completing triage of detected intrusions.
Furthermore, if an incident is part of an intrusion, the incident details page now includes a link to the intrusion details page for that intrusion.
This new feature was tracked internally as FEAT-3281.
ABILITY TO PERMANENTLY DELETE DECOMMISSIONED APPLIANCES FROM OVERVIEW IN UI
This feature enables you to remove decommissioned appliances from the appliance overview tab in the UI. The appliances will be removed from the Show Offline Appliances list as well.
This new feature was tracked internally as FEAT-1821.
SUPPORT ICAPS
This feature enables you to inspect artifacts sent from a web proxy using Secure ICAP, also known as SICAP or ICAPS. A new toggle button is available in the appliance configuration UI which, when enabled, allows the Secure ICAP server to listen on TCP port 11344.
This change was tracked internally as SENT-956.
IMPROVE FILTERING OF URLS USING THREAT INTELLIGENCE CACHE
This feature uses the Lastline Threat Intelligence cache to improve the filtering of URLs: if a URL is hosted on a low-reputation domain, the URL is submitted for analysis.
This change was tracked internally as FEAT-412.
Detection Improvements
- LLMAIL-452 Deeper inspection of unreadable archives.
- LLADOC-581 Improved detection of suspicious XSL scripts.
- LLADOC-600 LLADOC-601 LLADOC-621 LLADOC-624 LLADOC-626 More robust parsing of data streams in Microsoft Office documents.
- LLADOC-604 Improved extraction of OLE2.0 streams from Microsoft Office documents.
- LLADOC-611 Improved detection of script code with the capability to communicate using web-services.
- LLADOC-614 Improved extraction of orphan streams in Microsoft Office OLE streams.
- LLADOC-622 More robust classification of Microsoft Office documents accessing remote OLE resources.
- LLADOC-633 Improved detection of very large XML files embedded in Microsoft Office documents.
- LLADOC-644 LLADOC-308 LLFILE-326 More robust detection of Microsoft Support Diagnostic cab files.
- LLADOC-645 Improved extraction of zlib-compressed objects embedded in Microsoft Office documents.
- LLADOC-650 Improved extraction of objects/metadata from RTF documents.
- LLADOC-651 Improved extraction of email body text using RTF encoding.
- LLADOC-653 More robust detection of embedded remote OLE objects in Microsoft Office documents.
- LLAM-3080 LLAM-3806 Improved interception of stalling code in user and kernel space.
- LLAM-3803 Improved hooking of direct system call invocations.
- LLFILE-296 More robust detection of Microsoft Batch scripts.
- LLFILE-419 More robust content-based file-type detection of Mach-O files.
- LLFILE-421 More robust type detection for XPS documents.
- LLFILE-422 More robust detection of Microsoft HTA files.
- LLFILE-424 More robust inflation of archives containing very large files.
- MALS-2343 Fixed the extraction of network connection metadata (e.g., missing TCP port data) in the sandbox analysis reports.
- MALS-2667 LLADOC-607 LLADOC-608 LLADOC-609 Improved detection for malformed archives.
- MALS-2670 More robust inflation of archives that contain large files when submitted to the analysis system.
- MALS-2687 Fixed a bug that misinterpreted filenames containing domains as Microsoft COM executables.
- MALS-2696 More robust inflation of archives containing unknown filename encodings.
- MALS-2730 Fixed a bug in the parsing of Microsoft Windows command lines, making it more robust.
- SIGLOGSCAN-143 Improved detection of anomalous interactions with critical system processes.
- SIGLOGSCAN-175 SIGLOGSCAN-176 Improved detection of malware checking user privileges.
- SIGLOGSCAN-179 Improved detection of InviZzzible evasion tools.
- SIGLOGSCAN-191 Improved detection of Fuzzbunch payloads.
- SIGLOGSCAN-194 Improved detection of Sougu PUA.
- SIGLOGSCAN-215 Improved detection of malware retrieving hardware information.
- SIGLOGSCAN-229 Improved detection of Turla Carbon.
- SIGLOGSCAN-238 Improved detection of anomalous reading of foreign process memory.
- SIGLOGSCAN-288 More robust detection of documents containing suspicious URLs.
- SIGLOGSCAN-298 Improved detection of malware with the ability to change parent process attributes.
- SIGLOGSCAN-307 Improved detection of code evading code-emulation via GetSystemMetrics API.
- SIGLOGSCAN-313 Improved detection of accessing CPU information via the Microsoft Windows Registry.
- SIGLOGSCAN-314 Improved detection of system fingerprinting for presence of a hypervisor.
- SIGLOGSCAN-318 Improved detection of ASProtect.
- SIGLOGSCAN-320 Improved detection of Windows task scheduler LPE vulnerability.
- SIGLOGSCAN-321 SIGLOGSCAN-322 Improved detection of browser credential theft (and added support for the Flock browser).
- SIGLOGSCAN-323 Improved detection of Mimikatz.
- SIGREPSCAN-138 SIGREPSCAN-502 SIGREPSCAN-512 SIGREPSCAN-522 SIGREPSCAN-523 SIGREPSCAN-524 SIGREPSCAN-525 SIGREPSCAN-526 SIGREPSCAN-527 SIGREPSCAN-528 SIGREPSCAN-529 SIGREPSCAN-532 SIGREPSCAN-533 SIGREPSCAN-536 SIGREPSCAN-537 Better hooking of WMI queries.
- SIGREPSCAN-159 SIGREPSCAN-284 More aggressive detection of anomalous use of HTA script code.
- SIGREPSCAN-177 SIGREPSCAN-178 More aggressive detection of evasions abusing Zone.Identifier information.
- SIGREPSCAN-190 More robust classification of Microsoft Office accessing online resources that are unavailable.
- SIGREPSCAN-213 Better detection of logoff activity.
- SIGREPSCAN-246 SIGREPSCAN-550 Improved detection of file decoding using system binaries (e.g., certutil).
- SIGREPSCAN-252 SIGREPSCAN-272 SIGREPSCAN-308 SIGREPSCAN-225 Improved detection of attempted Microsoft Windows UAC bypassing.
- SIGREPSCAN-334 More robust classification of file type confusion attacks.
- SIGREPSCAN-355 Improved detection of raw access to physical drive.
- SIGREPSCAN-356 Clarified the description of driver-loading activities.
- SIGREPSCAN-361 SIGREPSCAN-421 SIGREPSCAN-493 SIGREPSCAN-515 More robust detection of code failing to communicate with a remote server.
- SIGREPSCAN-391 SIGREPSCAN-507 More aggressive detection of anomalous invocations of script code from Microsoft Office.
- SIGREPSCAN-488 Improved detection of anomalous use of system utilities.
- SIGREPSCAN-495 Improved detection of macOS migration tool bypass.
- SIGREPSCAN-499 Improved detection of code disabling the Microsoft Windows Control Panel.
- SIGREPSCAN-500 Improved detection of sandbox fingerprinting via VMware DLLs.
- SIGREPSCAN-501 SIGREPSCAN-503 SIGREPSCAN-505 SIGREPSCAN-264 Improved detection of hardware fingerprinting via WMI.
- SIGREPSCAN-504 More robust detection of ransomware.
- SIGREPSCAN-506 Improved detection of VMProtect packers.
- SIGREPSCAN-508 Improved detection of exploits using ASLR bypass.
- SIGREPSCAN-509 More robust classification of communication with private IP addresses.
- SIGREPSCAN-511 Improved extraction of activities using relative paths.
- SIGREPSCAN-513 Improved detection of hijacking of Microsoft Outlook COM objects.
- SIGREPSCAN-518 More robust detection of suspicious modification of system files.
- SIGREPSCAN-538 SIGREPSCAN-534 More aggressive detection of exploits using ASLR bypass.
Bug Fixes and Improvements
- USER-3030: Fixed an issue where the user was unable to enter a sensor name made up of allowed characters.
- USER-3017: Fixed a bug that could prevent authorized portal users from seeing the analysis subject download button and downloading the analysis subject.
- USER-2990: Fixed a bug that removed the "Allow network traffic" option from the UI; it now appears in the Analyst tab.
- USER-2972: Fixed a bug that showed variables on the URL Analysis page instead of displaying the URLs.
- USER-2914: Added quick search and sort functionality for intrusions in the timeline of the "Intrusion details" view.
- USER-2902: The Hosts page of the Lastline Portal now displays malware and malware class information for each host.
- MALS-2728: The default behavior of APK analysis has changed to query global intelligence using MD5, SHA1, and APK package name (instead of the APK content). This makes APK cloud-analysis consistent with the default behavior of the other file types.
- MALS-2719: More robust processing of analysis results and handling of temporary out-of-memory issues.
- MALS-2696: More robust inflation of archives containing unknown filename encodings.
- MALS-2687: Fixed a bug that misinterpreted filenames containing domains as Microsoft COM executables.
- MALS-2670: More robust inflation of archives that contain large files when submitted to the analysis system.
- MALS-2661: More robust processing of archives containing very long filenames.
- MALS-2651: More robust handling of invalid Lastline application bundles.
- MALS-2479: More robust handling of invalid Lastline application bundles using non-ASCII filenames.
- LLMAIL-468: Fixed a bug in the llmail communication logic where the Sensor would not recover correctly from communication problems with the Manager.
- LLMAIL-466: Fixed a bug that could cause a mail message to get stuck in the processing pipeline if unexpected serialization issues occurred.
- LLMAIL-462: Fixed a bug parsing emails containing an empty base tag in their SGML content.
- LLFILE-424: More robust inflation of archives containing very large files.
- LLFILE-421: More robust content-based file-type detection of XPS files.
- LLFILE-419: More robust content-based file-type detection of Mach-O files.
- LLFILE-296: More robust detection of Microsoft Batch scripts.
- FEAT-3268: The submission helper for bulk submissions to the Analyst API has been rewritten to better handle file-upload selection and errors.
- FEAT-3267: Include the extended version of the "analyze_files" utility (formerly "analyze_binaries") in the Analyst API documentation. The new version contains various improvements in selecting which files to submit for analysis, as well as improved error handling.
- FEAT-3049: It is now possible to configure a mail sensor to fail open when problems occur while analyzing messages. By default, a mail sensor affected by analysis issues would start rejecting incoming emails. This behavior can now be changed to instruct the appliance to forward the messages unmodified to the next hop.
- FEAT-3197: Support for Windows Server 2016 domain controller in Lastline Active Directory integration.
- FEAT-2979: Fixed a bug that truncated output in the PDF report as compared to the content in the UI.
- FEAT-2918: Include Content Security Policy HTTP header in responses from Lastline portal.
- FEAT-1681: Lastline's integration for logging in to the portal via RADIUS now officially supports Windows Server 2016 as a RADIUS server.
- FEAT-3050: Improved integration with ICAP clients that do not declare support for ICAP preview (such as ipswitch DLPs).
- SQUID-26: The explicit proxy component by default now strips the content of X-Forwarded-For headers before sending requests to the next hop. This default behavior is customizable by means of a sensor override.
- SENT-991: Significant performance improvements to explicit proxy HTTP and HTTPS handling. ICAP integration with external proxies should also benefit from some of these improvements.
- SENT-986: Sensor architectural change to better prioritize service requests on heavily loaded sensors.
- SENT-982: Fixed a bug that caused sensors to create a large number of temporary directories in /tmp/llfile and /tmp/llmail.
- SENT-980: Whenever a whitelist entry is added to the sensor (/etc/lastline/customer_*), re-applying the configuration via lastline_apply_config restarts the appropriate services to apply the change.
- SURI-718: Fixed a bug that reported timestamps incorrectly if the sensor timezone is not UTC.
Deprecation of API methods
No additional API methods are being deprecated or discontinued in this release.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:
- Lastline Manager version 1000
- Lastline Engine version 1000
- Lastline Sensor version 1030
- Lastline All-in-one (Pinbox) version 1000
Released sandbox images versions
The sandbox images version is updated to 2018-10-16-01. Note that the OS image update may result in longer download times compared to previous updates.
Distribution Upgrade
As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.