Lastline Defender and Analyst Hosted Release Notes

Version 6.5

New features

  • In-depth Windows Kernel Analysis
  • Support for triggering blocking of malicious traffic with custom IDS rules
  • Notification of broken customer-provided IDS rules

In-depth Windows Kernel Analysis

We greatly improved support for in-depth dynamic analysis of Windows kernel rootkits. Kernel-mode analysis observes malware that hides inside the kernel of Microsoft Windows operating systems, where user-mode monitoring cannot see it, and gives analysts better visibility for detecting and responding to kernel-based threats. This capability complements the platform's existing network-based detection of kernel components: a rootkit is now characterized both by its behavior inside the guest kernel and by the traffic it generates.

Support for triggering blocking of malicious traffic with custom IDS rules

We now support blocking of malicious flows based on customer-provided IDS rules that use the "reject" action (rules starting with the "reject" keyword rather than the more common "alert"). When blocking is enabled for the Sensor and such a rule matches observed network traffic, the Sensor injects TCP RST packets into the offending flow to terminate it. Rules using the "alert" action continue to generate events only; a rule must be rewritten with the "reject" action to trigger blocking, and blocking must be enabled on the Sensor for the rewrite to have any effect.

Notification of broken customer-provided IDS rules

We now notify customers who use our Custom Intelligence API when any custom IDS rules they provide fail to install correctly on the Sensor. The list of any such rules is visible in the Monitoring Logs section of a given appliance in the Appliances pane of the web UI. The notifications identify each failed rule by the signature ID and group ID (sid and gid) given in the rule when it was passed to the Custom Intelligence API, so rules submitted without a unique sid cannot be matched back to the notification. We currently do not include the reason why rule installation failed, but plan to do so in a future release.
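The following pre-flight linter is an added example and is not Lastline's code or part of the Custom Intelligence API. It illustrates the two rule-related changes above: it separates "reject" (blocking) rules from "alert" rules, and it catches rules that are likely to fail installation (unknown action, missing or non-numeric sid, unbalanced option parentheses) before they are pushed to the Sensor, identifying them by sid and gid the same way the Monitoring Logs notification does. The Snort/Suricata-style rule grammar, the set of accepted actions, and the sample rules are all assumptions constructed for the example.

```python
"""Pre-flight linter for Snort/Suricata-style custom IDS rules.

Added example, not Lastline's code. It checks rules locally before they are
submitted through the Custom Intelligence API, so a rule that would fail to
install can be found (and named by its sid/gid) without waiting for the
Sensor's Monitoring Logs. Assumptions: rules use the common Snort/Suricata
grammar (action, header, option block with sid/gid/rev), and the Sensor
accepts at least the "alert" and "reject" actions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: actions the Sensor will accept. "reject" is the one that makes
# the Sensor inject TCP RSTs when blocking is enabled; "alert" only raises an event.
KNOWN_ACTIONS = {"alert", "reject"}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)
# Split the option block on ';' only when the ';' is outside double quotes,
# so a content:"a;b" match string is not torn apart.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class RuleCheck:
    line_no: int
    action: Optional[str] = None
    sid: Optional[int] = None
    gid: int = 1            # Snort/Suricata default generator id when gid is absent
    rev: Optional[int] = None
    blocking: bool = False  # True only for well-formed "reject" rules
    problems: List[str] = field(default_factory=list)

    def rule_id(self):
        """(gid, sid) pair, the identifier an install-failure notification carries."""
        return (self.gid, self.sid)


def parse_options(opts: str) -> Dict[str, str]:
    """Turn 'key:value; flag;' into a dict; flags (no ':') map to ''."""
    out: Dict[str, str] = {}
    for item in OPT_SPLIT_RE.split(opts):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        out.setdefault(key.strip(), value.strip())
    return out


def lint_rule(text: str, line_no: int) -> RuleCheck:
    """Check one rule line; every problem found is appended to rc.problems."""
    rc = RuleCheck(line_no=line_no)
    m = HEADER_RE.match(text.strip())
    if not m:
        rc.problems.append("unparseable header or unbalanced option parentheses")
        return rc
    rc.action = m.group("action")
    if rc.action not in KNOWN_ACTIONS:
        rc.problems.append(f"unknown action {rc.action!r}")
    opts = parse_options(m.group("opts"))
    for key in ("sid", "gid", "rev"):
        if key in opts:
            if opts[key].isdigit():
                setattr(rc, key, int(opts[key]))
            else:
                rc.problems.append(f"{key} is not an integer: {opts[key]!r}")
    if rc.sid is None:
        rc.problems.append("missing sid (rule cannot be matched to an install notification)")
    if "msg" not in opts:
        rc.problems.append("missing msg")
    rc.blocking = rc.action == "reject" and not rc.problems
    return rc


def lint_ruleset(ruleset: str) -> List[RuleCheck]:
    """Lint a whole rules file; blank lines and '#' comments are skipped."""
    results = []
    for n, line in enumerate(ruleset.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            results.append(lint_rule(line, n))
    return results


def broken_rules(results: List[RuleCheck]) -> List[RuleCheck]:
    return [r for r in results if r.problems]


def blocking_rules(results: List[RuleCheck]) -> List[RuleCheck]:
    return [r for r in results if r.blocking]


# Constructed sample rules for the example; not real threat intelligence.
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Example C2 beacon"; content:"beacon"; sid:1000001; rev:1;)
reject tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Example C2 beacon - block"; content:"beacon"; sid:1000002; gid:1; rev:2;)
alert tcp any any -> any 80 (msg:"Missing sid"; content:"evil"; rev:1;)
rejct tcp any any -> any 443 (msg:"Typo in action"; sid:1000004; rev:1;)
reject tcp any any -> any 22 (msg:"Unbalanced"; sid:1000005; rev:1;
"""

if __name__ == "__main__":
    checks = lint_ruleset(SAMPLE_RULES)
    for rc in broken_rules(checks):
        print(f"line {rc.line_no} gid/sid={rc.rule_id()}: {'; '.join(rc.problems)}")
    print("blocking (reject) rules:", [rc.rule_id() for rc in blocking_rules(checks)])
```

Running the linter over a rules file before calling the API gives the customer the failure reason that the Sensor notification does not yet report, and the (gid, sid) pairs it prints are the same identifiers to look for in the Monitoring Logs if a rule still fails on the appliance.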

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances:

  • Lastline Sensor version 605