Lastline Defender and Analyst Hosted Release Notes

Version 24.2

New Features

  • Sensor appliance performance improvements
  • Deprecation of Knowledgebase alerting
  • New sniffing MTU setting


The release ships with a number of architectural improvements aiming at reducing lock contention across multiple sniffing threads in sensor appliances. This practically results in significant performance improvements, leading up to 1Gbps HTTP throughput per IDS engine thread. On current recommended hardware for 10Gbps appliances, this can lead to the ability to monitor up to two links at 10Gbps throughput.

This new feature was tracked internally as SENT-3933


The KnowledgeBase alerting feature allowing users to write their own rule for proactive search is now deprecated, both continue.

Version 24.1.1

Bug Fixes and Improvements

  • FEAT-8107: The maximum file size limit able to be configured for files uploaded from a sensor appliance in Hosted NSX Lastline Defender deployments has been increased from 64MB to 200MB.
  • SENT-3889: Fix to an issue that was preventing the sniffing pipeline to submit for analysis any file larger than 8MB.
  • SENT-3892: Fix to an issue where the upgrade of an appliance with a bonded interface configured would fail. Starting with this release, there is no more need to configure bonded interfaces to ingest traffic from TAP deployments.
  • SENT-3896: Fix to an issue where an appliance using Silicom NICs may never continue.

Version 24.1

New Features

  • Sensor performance improvements


  • Deprecate explicit proxy
  • PCAPS retention changed to 30 days


This release ships a major architectural change to the sensor appliance aiming at improving sniffing performance. Previous reliance on AF_PACKET for packet acquisition is being replaced by the adoption of DPDK. The change should be mostly transparent to the end users, exception made for the naming schema used for sniffing interfaces: once an interface is managed by DPDK, it will be reported in appliance-setup with its PCI ID rather than with the Linux naming schema.

When upgrading a pre-existing continue.

Version 2023.2.1

Feature Depreciation

  • Explicit proxy feature with TLS encapsulation will cease by 2023.3 release.
  • To ensure a satisfactory level of security, it is not advisable to use Windows 7. As a consequence, testing the maliciousness of files in this environment is no longer deemed relevant. Therefore, we have decided to gradually phase out the analysis of files on Windows 7. With this latest release, file analysis on Windows 7 will become optional. All analysis on Windows 7 will cease by January 2024.

Bug Fixes and Improvements

  • SENT-3787: Fix to a bug in the lastline_test_appliance codebase where certain tests would fail due to unexpected decoding issues.

Deprecation continue.

Version 2023.2

New Features

  • Due to a change in our email hosting service, we will be changing the sender address for emails sent to customers from to Customers should make appropriate adjustments to spam filters and tools to accept emails from this new address. The exact date of the change will be announced in advance on our status page:
  • To ensure a satisfactory level of security, it is not advisable to use Windows 7. As a consequence, testing the maliciousness of files in this environment is no longer deemed relevant. Therefore, we have decided to gradually phase out the analysis of continue.

Version 2023.1.2

Bug Fixes and Improvements

  • SENT-3700: Fix to an issue where the sensor would incorrectly estimate the number of flows that are being inspected in parallel on an appliance, causing the estimate to continue to grow monotonically. The information is reported in the metrics section of the appliances tab in the UI.
  • SENT-3723: Fix to an issue in the sensor IDS engine where attempting to extract emails from SMTP flows containing multiple separate message deliveries could lead to crashes.
  • SENT-3715: Fix to an IDS issue that could cause an IP reputation match to cause the engine to crash.
  • SENT-3718: Fix to an IDS issue that continue.

Version 2023.1.1

New Features

Detection Improvements

  • LLAM-9973: Improved detection of IcedID malware
  • LLAM-10022: Improved detection of PoshC2 Implants
  • LLAM-10048: Improved detection of DDoS Agent
  • LLAM-10049: Improved detection of a Shellcode Loader
  • LLAM-10099: Improved detection of PlugX malware
  • LLAM-10294: Detection of silent command execution from a LNK file (informational)
  • LLAM-10295: Improved detection of JuicyPotato hacktool
  • LLAM-10296: Improved detection of FScan hacktool
  • LLAM-10297: Improved detection of Goon hacktool
  • LLAM-10318: Improved detection of a Webshell used by Dalbit APT group
  • LLAM-10324: Improved detection of 3CS Supply Chain Attack malware

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods continue.

Version 2023.1

New Features

  • Support for analysis of OneNote documents


NSX NDR supports analysis of OneNote documents: OneNote file (mime-type: application/onenote) and OneNote package (mime-type: application/

This new feature was tracked internally as FEAT-8013

Detection Improvements

  • LLAM-10033: Improved detection accuracy for CheatEngine
  • LLAM-10013: Improved accuracy of detection of suspected shellcode instructions
  • LLAM-9820: Improved detection of Brute Ratel
  • LLAM-9885: Improved detection of Nighthawk implants
  • LLAM-10054: Improved detection of Royal ransomware
  • LLAM-10043: Improved detection of Netsupport Rat
  • LLAM-9972: Improved detection of Coinminer
  • LLAM-9970: Improved accuracy of detection for ELF files
  • LLAM-9951: Improved detection of XMRigMiner
  • LLAM-9989: Improved detection of Merlin Agent
  • LLAM-10067: Improved detection of ESXiArgs ransomware
  • LLAM-10036: Improved detection of LNKRunner
  • LLAM-10032: Improved accuracy of continue.

Version 2022.4

New Features

  • Windows 10 becomes the primary environment for MS Office document analysis


The anti-malware sandbox will use Windows 10 as the primary environment for MS Office document analysis. The environment was optimized to significantly reduce analysis time and improve efficiency.

This new feature was tracked internally as FEAT-7760

Detection Improvements

  • LLAM-9210: Detection improved of DynamicLoader, ChromeLoader, YTStealer and TrojanMiner
  • LLAM-9654: Improved detection of Bladabindi malwares
  • LLAM-9583: Improved detection of Ryuk Ransomware
  • LLAM-9367: Improved detection of Meterpreter malware family
  • LLAM-9688: Improved detection of Qakbot malware
  • LLAM-9580: Improved detection of Dridex malware family
  • LLAM-9368: Improved detection of Mimikatz
  • LLAM-9369: Improved detection of Powersploit
  • LLAM-9334: continue.

Version 2022.3

New Features

  • New AI-based classifier for Windows PE files
  • Malware Analysis pipeline throughput optimization
  • Intelligent Anti-Malware Signatures for Windows PE files


The new AI-based scoring component was introduced into Anti-Malware static analysis to increase the quality of the detection. The component classifies PE files, and its result is visible in the report overview as "Anomaly: AI detected potential threat".

This new feature was tracked internally as FEAT-7677


To utilize resources more efficiently, we introduce an optimization of the malware analysis pipeline by prefiltering Windows PE files. The PE files will be analyzed by our cutting-edge static analysis and ML-based components continue.