Lastline Enterprise On-Premises Release Notes

Version 9.3

End of Support for Lastline Enterprise

This is the final release in which Lastline Enterprise will be supported. Once you have upgraded, your enterprise license will need to be upgraded to Lastline Defender Limited (at no charge). As malicious attacks keep evolving, from email and perimeter based attacks to attacks deeper inside your network, Lastline Defender Limited is an evolution of Lastline Enterprise that addresses these attacks. Lastline Defender Limited significantly improves your security response by providing a broader network detection platform that incorporates network traffic analysis, giving better context and situational awareness for security alerts. Lastline Defender Limited is built on the same core architecture as our flagship product, Lastline Defender. If you have not yet installed a Lastline Data Node, the portal views that depend on the Data Node may show missing data. Once the Data Node is configured, the data will appear.

New Features

  • Added new swap memory in/out graphs to Appliance metrics
  • Added support for an extra Windows sandbox environment with custom localization
  • Added support for analysis of spreadsheetML files
  • Added new blocking pipeline on sensor
  • Added support for pushing image-based phishing detection updates
  • Introduced "can search knowledgebase" permission

ADDED NEW SWAP MEMORY IN/OUT GRAPHS TO APPLIANCE METRICS

Two new graphs showing swap memory in / out have been added to the Appliance metrics (load) tab. The graphs display the amount of memory, in MB/s, that has been swapped in or out for the deployed appliances.

This new feature was tracked internally as FEAT-5401.

ADDED SUPPORT FOR EXTRA WINDOWS SANDBOX ENVIRONMENT WITH CUSTOM LOCALIZATION

By default, the Lastline Windows sandbox performs analysis using the English (en-US) version of the guest operating systems. Lastline now supports specifying a second language version when running lastline_register. The languages available for the supported guest operating systems (Windows 7 and Windows 10) are:

  • Chinese (zh-CN)
  • French (fr-FR)
  • German (de-DE)
  • Italian (it-IT)
  • Japanese (ja-JP)
  • Spanish (es-ES)

Enabling an additional language increases the load on the hardware provided for analysis, as every sample will be sent to both the default English guest operating system and the guest operating system running with the selected second language. Each additional operating system is estimated to place, on average, another 50% load on the hardware. However, the amount of extra load depends directly on the type of files observed in your environment, and in some cases the load might increase by up to 100%. It is likely you will need additional hardware to support the extra load. Please contact support if you have any concerns before enabling this feature.

This new feature was tracked internally as FEAT-5210.

ADDED SUPPORT FOR ANALYSIS OF SPREADSHEETML FILES

Lastline now supports the analysis of SpreadsheetML files.

This new feature was tracked internally as TRES-537.

ADDED NEW BLOCKING PIPELINE ON SENSOR

Sensor 1181 includes significant changes to the pipeline used by the sensor to perform blocking, both in inline mode and in passive sniffing mode. These changes should significantly improve the reliability of blocking actions and enable additional blocking modes in future releases.

  • Blocking based on iptables rules in inline mode is now deprecated. When using a sensor in inline mode, we recommend enabling the other blocking capabilities from the UI (e.g. RST injection for TCP flows).
  • Inline mode and passive sniffing now support and implement the same blocking strategies, so their use in inline mode on a sensor will be more reliable.
  • All blocking interaction is logged on sensors in a new logfile, /var/log/llpsv_blocking.log. Events where blocking was attempted will also appear accordingly in the UI.

This new feature was tracked internally as FEAT-5298.

ADDED SUPPORT FOR PUSHING IMAGE-BASED PHISHING DETECTION UPDATES

Lastline can now push new image-based phishing signature updates to all customers in a matter of minutes, without the need to upgrade to a newer package version.

This new feature was tracked internally as FEAT-4776.

INTRODUCED "CAN SEARCH KNOWLEDGEBASE" PERMISSION

A new permission, "can search knowledgebase", has been introduced. It controls access to the Intelligence tab of the Lastline Portal and the ability to search using Lastline's knowledgebase API.

Non-administrator accounts will need to be granted this permission by their administrators to maintain access to this functionality.

This new feature was tracked internally as PLTF-1308.

Detection Improvements

  • TRES-1161: Improved detection of binaries that are built using AutoIt.
  • TRES-1341: Ursnif Gen13 now properly detected.
  • TRES-1438: Improved detection of Ursnif family.
  • TRES-1432: Fixed false positive on benign files caused by protection remover tool.
  • TRES-1423: Improved detection of viruses that search for EXE files.
  • TRES-1362: Improved detection of phishing PDF files.
  • TRES-1321: Improved detection of Sytro malware family.
  • TRES-1273: Improved detection of Service and Driver components of Turla malware.
  • TRES-1272: Improved detection of Darkshell rootkit drivers.
  • TRES-1243: Improved detection of Ursnif macro based samples.
  • TRES-1200: Improved detection of End of game malware.
  • TRES-1169: Added detection of the C# compiler being invoked from non-PowerShell processes.
  • TRES-1149: Improved detection of Regasm/Regsvcs abuse (MITRE ID: T1121).
  • TRES-1147: Improved detection of Donvibs malware family.
  • TRES-1137: Improved detection of XL4 macros in Office documents.
  • TRES-1096: Improved detection of ransomware using stealth techniques to move files.
  • TRES-1054: Improved detection of Cyber Agent client samples.
  • TRES-1051: Improved detection of third-party files that claim Microsoft authorship.
  • TRES-1046: Improved detection of scripts that execute themselves multiple times.
  • TRES-1029: Implemented detection of signed binary proxy execution (MITRE T1218).
  • TRES-434: Improved detection of malformed zip archive files that use a byte order mark for detection bypass.
  • SENT-2773: Fixed a problem in the file extraction rules for POSIX tar files in sniffing sensors. Transfers of such files are now consistently extracted by the appliance.
  • TRES-1483: Improved detection of CMSTP abuse (MITRE ID: T1191).
  • TRES-1448: Improved detection of document files spawning Windows Host executable.
  • TRES-1396: Improved detection of Ursnif.
  • TRES-1293: Added identification of QEMU detection by Visual Basic 6 malware.

Bug Fixes and Improvements

  • FEAT-4940: Lastline now supports the submission of ELF (Linux) executables for static analysis.
  • SENT-2813: Fixed a problem in the inline mode setup from an earlier release. Sensor 1180 accidentally removed a ufw rule that was essential for inline mode forwarding to operate correctly.
  • USER-4422: Fixed an issue with password verification when editing an account.
  • SENT-2812: Fixed a bug in the Suricata Rust DHCP parser that was introduced in sensor 1180. An error in the parsing of DHCP option 43 would make DHCP packets using that option raise an exception in the parser, leading to Suricata restarts.
  • SENT-2764: Fixed a bug in the mail processing pipeline that could cause us to miss the completion notification of dynamic analysis of attachments. This would cause MTA mail sensors to sporadically time out waiting for dynamic analysis reports that had actually been generated.
  • FEAT-5645: Customers are now able to specify the duration that application logs are retained.
  • USER-4320: Fixed an issue that was preventing the display of logged in user records in the details section of an event.
  • TRES-1435: Fixed a bug involving the proper invocation of EQNEDT32.exe.
  • SENT-2785: Fixed an issue where a certain class of email local detections, acting, for instance, on the text content of an email, would incorrectly lead to a 'benign' classification in the 'X-Lastline' headers. Messages affected by high confidence email local detections now report a status of 'reputation-block' in the 'X-Lastline' headers.
  • SENT-2713: Fixed a problem in the suricata reassembler that would prevent the extraction of files in certain corner cases.
  • PLTF-1566: Fixed an issue that could cause the upgrade to version 9.2 to fail on standby manager appliances.
  • FEAT-5763: The sensor implements further DHCP logging capabilities, including the ability to log DHCP fingerprints and vendor-specific fields.
  • FEAT-5243: The sensor now takes global reputation information into account when deciding on the reputation of extracted files, by factoring in the download location.
  • FEAT-5235: Fixed an issue where the network traces associated with IDS alerts triggering on the same flow and close in time (within the same second) would not be exposed correctly by the UI.
  • ANST-484: Improved data retention for analysis results: remove empty results directories to improve backup speed.
  • TRES-1384: Improved URL extraction from PDF documents.
  • TRES-846: Fixed LHA archive extraction problem.
  • SENT-2763: Fixed a recently introduced issue that could cause the configuration of a sensor to fail when no sniffing interface was configured (e.g. an MTA sensor).
  • SENT-2758: Improved the process required to set up inline monitoring. You can now configure inline interfaces with the 'lastline_setup' command; you no longer need to enable the configuration in the UI.
  • SENT-2757: Fixed a minor configuration issue where the lljsd daemon would log a large number of warnings in the appliance syslog. The problem did not affect detection capabilities.
  • SENT-1149: Fixed an issue in the way Suricata computes protocol stats that would cause us to incorrectly report statistics on the amount of UDP traffic processed by the appliance.
  • MALS-3019: The Lastline Analyst API no longer supports mmh3 hashing. As a result, calling query_file_hash with an mmh3 hash will no longer return any results.
  • FEAT-5955: Customers can now specify a password for artifacts downloaded from the Lastline portal.
  • FEAT-5741: Dynamic analysis of Flash files is no longer performed. This file type is less prevalent in most environments, and static analysis covers these cases.
  • FEAT-5318: If the contents of an archive submitted for analysis can only be partially analyzed due to an error in unpacking, the Lastline Analyst API now returns an error describing the unpacking error.

End of support for TLS 1.1

Starting with this release, all requests to the Lastline user portal and APIs must use HTTPS with TLS 1.2 or above. TLS 1.1 is no longer supported. All client applications that send data to the Lastline portal or APIs are required to support TLS 1.2 or above. More details are here.

Knowledgebase Feature Deprecation

The following KnowledgeBase feature is being deprecated with this release:

  • Industry information remains available and is displayed in the summary returned by searches in the Intelligence page. However, this information can no longer be used as a filter to refine your search. Filtering by detection severity, antivirus label or file type remains available.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1100
  • Lastline Engine version 1100
  • Lastline Sensor version 1181
  • Lastline All-in-one (Pinbox) version 1100

Released Sandbox Images Versions

This release includes an update of sandbox images to version 2020-03-13-01, which may have an impact on the length of time the upgrade/installation takes. In order to minimize the potential impact, you can download the sandbox images before you perform the upgrade or install by following the instructions here.

End of Support For Dell R320 and Dell R420

With this release, Lastline is ending support for the Dell R320 and Dell R420. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.
