Lastline Defender and Analyst Hosted Release Notes

Version 7.22

New features

  • Support for changing the primary customer account
  • Improved management of reporting configurations
  • Improvements to custom dashboards
  • New search terms in the Knowledge Base interface
  • Update of supported browsers
  • Email analysis improvements
  • Improved URL analysis
  • Improved file analysis
  • Improved analysis of password-protected content
  • Support for email analysis in Analyst API
  • Bug fixes and improvements

Support for changing the primary customer account

Before this release, changing the primary customer email, as displayed in the License Information View, required contacting Lastline support.

With this release, the primary customer email can be changed in the Portal by selecting an existing administrator account as the new primary one while editing the account under the All Accounts View.

This improvement is tracked internally as FEAT-1510.

Improved management of reporting configurations

Lastline Enterprise can be configured to periodically send reports about the protected networks by email in HTML or PDF formats. This existing feature can be accessed in the Reports View of the Lastline Enterprise portal.

With this release, management of report configurations has been revamped with a number of improvements:

  • Administrators can now view, update and delete all periodic report configurations, regardless of the user who set them up.
  • Changes to reporting configurations are now tracked in Audit Log.
  • Fixed an issue where the timezone of a reporting configuration was stored as an offset from UTC rather than as a timezone name, so scheduled reports did not adjust correctly across DST changes.

This improvement is tracked internally as FEAT-929.

Improvements to custom dashboards

With this release, we are making some improvements to the custom dashboards functionality that was introduced with release 7.20:

  • USER-2243: dashboard configuration UI now provides preview screenshots of widgets before they are added.
  • USER-2261: events map is now supported also in custom dashboard configuration.
  • FEAT-1556: change in terminology: UI now refers to "widgets" rather than "gadgets" that can be added to a custom dashboard configuration.

New search terms in the Knowledge Base interface

The Knowledge Base interface now supports two additional search terms, accessible through the Intelligence Page:

  • Users can now search for HTTP user-agents when dealing with malware using suspicious or masquerading user-agents.

  • Users can now search by TLS certificate fingerprints when dealing with malware using secured communications for their C&C.

Update of supported browsers

With this release, we are updating the list of supported browsers to the following:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer 11
  • Apple Safari

This removes support for Microsoft Internet Explorer versions 9 and 10, since Microsoft Windows Vista has reached end of extended support. Windows Vista was the last desktop OS on which Internet Explorer versions below 11 were still supported by Microsoft.

Email analysis improvements

  • LLMAIL-340: On POP3/IMAP errors, retry every 60 seconds instead of every 10 seconds; the retry interval is now configurable.
  • FEAT-1656: Make sure the email subject tag is still used in suspicious emails when malicious emails are configured to be dropped.
  • USER-2348: Allow selecting the warning/blocking threshold for URLs and attachments even if the URL/attachment policy is set to "Do not add in-body warning".

Improved URL analysis

  • Improved detection of files dropped during drive-by exploit analysis.
  • Improved detection of shell script (cmd/PowerShell) invocations.
  • Improved detection of hidden iframes.
  • Improved handling and reporting of evasions via browser history.

Improved file analysis

  • Improved extraction of embedded documents inside PDF files.
  • Improved detection of embedded content inside Microsoft Office files.
  • Improved detection of suspicious script arguments.
  • Improved emulation of "virtual user".
  • Improved handling of timing-based evasions.
  • Improved detection of malware that requires running as a system service.
  • Improved detection of code injection using ROP.
  • Improved handling of WMI-based system fingerprinting.
  • Improved extraction of PDF content.
  • Fix duplicate extraction of binary executables embedded in documents.
  • Improved detection of embedded EPS exploits.
  • Make file type detection of CDF-based document types more robust.
  • Make analysis of archives containing Unicode characters (for example in entry names) more robust.
  • Better handling/inflation of partially-corrupted GZIP archives.

Improved analysis of password-protected content

With this release, we are extending the support for password-protected content. The password provided as part of a file submission using the submit_file API function (previously used only for archive decryption) is now used for more file types, including Microsoft Office documents.

Additionally, we have extended submit_file to accept more than one password using the "password_candidates" parameter. This is useful when the caller does not know the password but can narrow down the set of possible entries to a small list of candidates, for example the passwords quoted in the body of the email that carried the attachment.

Support for email analysis in Analyst API

With this release, we are adding support for analyzing RFC 2822 formatted email files directly in the Analyst API. Submitted emails are processed similarly to how the Lastline Sensor processes emails: suspicious email attachments are marked for deeper analysis via child analysis tasks.
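The following is an added illustration of the email processing described above, not Lastline's own implementation: it walks an RFC 2822 message with Python's standard email library, extracts every attachment (including attachments nested inside a forwarded message/rfc822 part) and decides which ones would get a child analysis task. The classification rule (extension list plus magic-byte sniffing, so a PE file renamed to .txt is still caught) and the sample message are constructed assumptions for the example.

```python
"""Walk an RFC 2822 message, pull out its attachments and decide which of
them warrant a child analysis task.  Illustrative code only; the
classification rule and the sample message are constructed for this example."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Assumption: file types an analyst would hand to a sandbox for deeper analysis.
ANALYZABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".ps1", ".hta",
    ".doc", ".docx", ".docm", ".xls", ".xlsm", ".rtf", ".pdf",
    ".zip", ".rar", ".7z", ".gz", ".iso", ".lnk",
}
# Magic bytes that reveal a container regardless of the declared name or type:
# PE, PDF, OLE2 (legacy Office), ZIP/OOXML, RAR, 7-Zip.
MAGIC_PREFIXES = (b"MZ", b"%PDF", b"\xd0\xcf\x11\xe0", b"PK\x03\x04",
                  b"Rar!", b"7z\xbc\xaf")
BODY_TYPES = {"text/plain", "text/html"}


def extract_attachments(raw: bytes) -> List[Tuple[str, str, bytes]]:
    """Return (filename, declared content type, decoded payload) for every
    attachment, including ones nested inside forwarded message/rfc822 parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.walk():          # walk() descends into message/rfc822 too
        if part.is_multipart():
            continue                 # containers carry no payload of their own
        name = part.get_filename()
        ctype = part.get_content_type()
        if name is None and ctype in BODY_TYPES:
            continue                 # the message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        found.append((name or "unnamed", ctype, payload))
    return found


def needs_child_analysis(name: str, ctype: str, payload: bytes) -> bool:
    """Assumed rule: flag by extension, or by magic bytes when the name and
    declared type disguise an executable or document (a common evasion)."""
    ext = os.path.splitext(name.lower())[1]
    if ext in ANALYZABLE_EXTENSIONS:
        return True
    return payload.startswith(MAGIC_PREFIXES)


def plan_child_tasks(raw: bytes) -> List[str]:
    """Names of the attachments that would get their own analysis task."""
    return [name for name, ctype, data in extract_attachments(raw)
            if needs_child_analysis(name, ctype, data)]


def build_sample_email() -> bytes:
    """Constructed test input: a benign note, a PE file disguised as text,
    a Word document, and a forwarded mail carrying a JavaScript attachment."""
    inner = EmailMessage()
    inner["From"] = "colleague@example.com"
    inner["To"] = "victim@example.com"
    inner["Subject"] = "Fwd: please review"
    inner.set_content("See the attached script.")
    inner.add_attachment(b"var s = new ActiveXObject('WScript.Shell');",
                         maintype="application", subtype="javascript",
                         filename="run.js")

    outer = EmailMessage()
    outer["From"] = "sender@example.com"
    outer["To"] = "victim@example.com"
    outer["Subject"] = "Invoice documents"
    outer.set_content("Documents attached.")
    outer.add_attachment("just some notes", subtype="plain", filename="notes.txt")
    outer.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,           # PE header bytes
                         maintype="text", subtype="plain", filename="readme.txt")
    outer.add_attachment(b"PK\x03\x04" + b"\x00" * 26,           # OOXML container
                         maintype="application",
                         subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                         filename="report.docx")
    outer.add_attachment(inner)                                  # message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    for name, ctype, data in extract_attachments(build_sample_email()):
        flag = "CHILD TASK" if needs_child_analysis(name, ctype, data) else "skip"
        print(f"{flag:10} {name:12} {ctype}")
```

Note that the disguised PE file is flagged even though both its name (readme.txt) and its declared type (text/plain) look harmless; relying on either alone is exactly what an attacker counts on.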

Bug fixes and improvements

  • USER-2348: Fix bug in sensor configuration UI that caused the threshold setting to disappear if the "Do not add inline warning" option was selected.
  • FEAT-1470: In UI for submitting files for analysis, clarify what analysis will be performed on submission of a PCAP file.
  • FEAT-1596: Add a "Minimum impact" filter to the monitoring logs view. Setting it to 30 shows only Warning and Error messages.
  • USER-2280: For customers making use of Lastline's Active Directory integration, logged-in users are now also shown in the host activity view.
  • USER-2351: Fix display of small numbers on hover in the queued mails graph in the Mail Metrics View.
  • USER-2354: Correctly show "pending" status for downloaded files in the File Download Logs View.
  • USER-2253: Rename "detection" column of network events table to "contacted host". The name "detection" was not appropriate for all classes of events.
  • USER-2295: In intelligence tab, add a clear search icon to the search bar.
  • CC-1665: Improved diagnostic output in lastline_test_appliance for processes with abnormally high CPU usage.
  • SURI-551: Improvements to compatibility with Bluecoat proxies in sniffing mode.
  • SENT-556: Improved the reliability of the ICAP service.
  • SENT-565: Fix erroneous "Inconsistent interfaces" notifications in the web UI's monitoring logs.
  • LLFILE-349: Improve support of LZMA archives.

Deprecation of API methods

No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 719

Deprecation of appliance versions

Sensor versions before 717 were deprecated in release 7.20. We will be dropping support for sensor versions before 717 with release 7.24. With that release, older sensor versions will no longer be able to perform detection, but it will remain possible to upgrade those sensors to the latest version to restore functionality.
