Lastline Defender and Analyst Hosted Release Notes

Version 7.14

New features

  • Fixes to Mail tab of portal
  • No default inclusion of VLAN IDs in flow hashing
  • Email analysis improvements
  • Time-range selection and filtering in Analysis History UI
  • Whois links in portal for IPs and domains
  • Bugfixes and improvements

Fixes to Mail tab of portal

  • Fix bug that could lead to empty mail messages view if no notifications are configured

  • Fix bug with minimum score filter in mail attachments view

  • In mail messages view, replace terms "Infected"/"Watchlist"/"Nuisance", which are not correct in this context, with "Malicious"/"Suspicious"/"Benign"

No default inclusion of VLAN IDs in flow hashing

The Sensor no longer automatically includes the VLAN ID(s) of any VLAN-borne flows in its flow hashing. This means that setups in which one direction of a flow travels on one VLAN while the other direction resides on another (or isn't VLAN'd) now automatically work correctly. This approach more adequately fits the scenarios we commonly encounter in our customer base. The inclusion of VLAN IDs can still be altered persistently for individual Sensors with the help of a Lastline engineer.
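To make the flow-hashing point concrete, here is an added illustration (not Lastline's own code; the Sensor's actual hashing is not published on this page). It builds a direction-independent flow key from the 5-tuple and optionally mixes in the VLAN ID, then groups constructed packets by that key. With the VLAN ID included, a session whose return path rides a different VLAN (or is untagged) splits into several one-directional "flows"; with the VLAN ID excluded, both directions land in the same flow. The packet fields, the `include_vlan` switch and the sample packets are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary for the example (hypothetical structure)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                      # IP protocol number, e.g. 6 = TCP
    vlan_id: Optional[int] = None   # None means the frame carried no 802.1Q tag


def flow_key(pkt: Packet, include_vlan: bool = False) -> Tuple:
    """Canonical key so that both directions of a session map to the same flow.

    The two endpoints are sorted, so (A->B) and (B->A) give the same tuple.
    If include_vlan is True the VLAN ID becomes part of the key, which is the
    behaviour the release notes say is no longer the default.
    """
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    key: Tuple = (pkt.proto, lo, hi)
    if include_vlan:
        key = key + (pkt.vlan_id,)
    return key


def flow_hash(pkt: Packet, include_vlan: bool = False) -> str:
    """Stable hash of the canonical flow key (SHA-256 over its repr)."""
    return hashlib.sha256(repr(flow_key(pkt, include_vlan)).encode()).hexdigest()


def group_flows(packets: List[Packet], include_vlan: bool = False) -> Dict[str, List[Packet]]:
    """Bucket packets into flows by hash; returns {flow_hash: [packets...]}."""
    flows: Dict[str, List[Packet]] = {}
    for p in packets:
        flows.setdefault(flow_hash(p, include_vlan), []).append(p)
    return flows


# Constructed sample traffic: one TCP session whose request path is tagged
# VLAN 10 while replies arrive on VLAN 20 or untagged (asymmetric VLAN setup).
ASYMMETRIC_VLAN_SESSION = [
    Packet("10.0.0.5", "192.168.1.20", 40000, 443, 6, vlan_id=10),    # client -> server, VLAN 10
    Packet("192.168.1.20", "10.0.0.5", 443, 40000, 6, vlan_id=20),    # server -> client, VLAN 20
    Packet("10.0.0.5", "192.168.1.20", 40000, 443, 6, vlan_id=10),    # client -> server, VLAN 10
    Packet("192.168.1.20", "10.0.0.5", 443, 40000, 6, vlan_id=None),  # server -> client, untagged
]


def flow_count(packets: List[Packet], include_vlan: bool) -> int:
    """Number of distinct flows the grouping produces under the chosen policy."""
    return len(group_flows(packets, include_vlan))


if __name__ == "__main__":
    print("flows with VLAN IDs in the hash:   ", flow_count(ASYMMETRIC_VLAN_SESSION, True))
    print("flows without VLAN IDs in the hash:", flow_count(ASYMMETRIC_VLAN_SESSION, False))
```

Splitting a session into per-VLAN fragments matters for detection: anything that reasons over the whole bidirectional exchange (request/response pairing, byte counts per direction, reassembly) sees only half of the conversation per fragment. Leaving the VLAN ID out of the key fixes that for asymmetric deployments, at the cost of merging genuinely separate sessions that happen to reuse the same 5-tuple on different VLANs, which is why the notes keep a per-Sensor override available.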

Email analysis improvements

The email analysis component on the sensor was improved by adding a timeout for incoming SMTP connections.

Additionally, the following improvements were added to the in-line (MTA) deployment mode:

  • Save emails with blocked content into a local temporary storage for system administrator inspection.
  • Support email analysis shutdown with request to complete all en-route email analysis and delivery before terminating.
  • Degrade analysis and keep forwarding emails if the analysis backend is not reachable.
  • Allow completely disabling email analysis and acting as a simple email forwarder.
  • Fix rare cases where the sensor would break the DKIM signature for benign emails.

Time-range selection and filtering in Analysis History UI

The Analysis History page of the Lastline Portal now supports selecting the time range of submissions to display, as well as a number of filters:

  • Submission type: File or URL
  • MD5 hash of submitted file
  • SHA1 hash of submitted file
  • File name: this searches for this substring in submitted file names
  • Analyst UUID: search for submissions with this unique identifier
  • URL: search for submissions of this URL

Note: analysis submission and analysis history are not exposed to all customers. Contact your Lastline representative or Lastline sales (sales@lastline.com) for additional information.

Whois links in portal for IPs and domains

The Lastline Portal now includes links to WHOIS information for IP addresses and domain names. These links are included for convenience and lead to WHOIS information publicly available on third-party websites.

Bugfixes and improvements

  • New option in appliance configuration, "Install daily OS security updates automatically". Disabling automated installation of OS security updates is only recommended in environments where a custom process is in place for keeping the appliance up to date with security updates.

  • Improved display in report UI of processes spawned during analysis of a URL.

  • Support for searching by SHA-256 hash in Intelligence tab.

Deprecation of API methods

No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 711