Version 7.24
New features
- New timeline tab in Intelligence search results
- Improved example queries in Intelligence search page
- Portal is now a one-page-app
- Portal support for configuring IDS Rule Variables
- Improved file analysis
- Email analysis improvements
- Run appliance test utility periodically
New timeline tab in Intelligence search results
The results of a search in the Intelligence tab now include an additional "Timeline" tab. It displays, over time, the analysis runs in which the searched-for term was encountered. The timeline is available for search terms that are:
- domains
- IP addresses
- file hashes
- threat names
This improvement was tracked internally as FEAT-1742.
Improved example queries in Intelligence search page
With this release, we are improving the query examples provided in the Intelligence search page:
- Example queries can now be updated frequently by Lastline to reflect new malware trends.
- Example queries are now easier to find, rather than hidden under "Advanced Search".
- The expanded list of example queries now includes a description of each example, explaining why it can be an interesting query.
This improvement was tracked internally as FEAT-1816.
Portal support for configuring IDS Rule Variables
The Lastline Enterprise Portal now provides initial support for displaying and configuring custom intelligence, which was previously available only through the Lastline API.
In this version, this is limited to configuring the address group IDS rule variables used by custom IDS rules. These configuration options are available through the Custom Intelligence dropdown in the Admin tab. This improvement was tracked internally as FEAT-1393.
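Address group variables are worth validating before a rule that references them goes live: a typo, an undefined variable or a circular definition (HOME_NET defined in terms of EXTERNAL_NET and vice versa) silently changes what the rule matches. The following is an added illustration, not Lastline code; it assumes the portal's address group variables use Suricata/Snort address-group syntax (CIDR entries, bracketed lists, "!" negation, "$VAR" references, "any"), which the release notes do not state. The variable names and networks are constructed examples.

```python
"""Resolve Suricata/Snort-style address-group rule variables and test an IP
against them. Illustrative code, not Lastline's implementation."""
import ipaddress
from typing import Callable, Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Matcher = Callable[[IPAddr], bool]


def _split_top_level(body: str) -> List[str]:
    """Split a bracketed list body on commas that are outside nested brackets."""
    parts: List[str] = []
    depth, cur = 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in address group")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    if depth != 0:
        raise ValueError("unbalanced '[' in address group")
    return [p.strip() for p in parts if p.strip()]


def compile_group(spec: str, variables: Dict[str, str],
                  _stack: Tuple[str, ...] = ()) -> Matcher:
    """Turn an address-group expression into a predicate over IP addresses.

    _stack holds the chain of $VAR names being expanded, to catch cycles.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        if spec[1:].strip() == "any":
            raise ValueError("'!any' is not a valid address group")  # Suricata rejects it too
        inner = compile_group(spec[1:], variables, _stack)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        name = spec[1:]
        if name in _stack:
            raise ValueError("cyclic rule variable: " + " -> ".join(_stack + (name,)))
        if name not in variables:
            raise KeyError(f"undefined rule variable ${name}")
        return compile_group(variables[name], variables, _stack + (name,))
    if spec.startswith("[") and spec.endswith("]"):
        items = _split_top_level(spec[1:-1])
        positive = [compile_group(i, variables, _stack) for i in items if not i.startswith("!")]
        negative = [compile_group(i, variables, _stack) for i in items if i.startswith("!")]
        # Suricata semantics: positive entries are OR'ed, negated entries are
        # carved out; a list holding only negations means "anything except".
        # (negative matchers already return True for addresses *outside* the carve-out)
        return lambda ip: ((not positive or any(m(ip) for m in positive))
                           and all(m(ip) for m in negative))
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec, strict=False)  # single host or CIDR block
    return lambda ip: ip in net                      # False across v4/v6 versions


def ip_in_group(ip: str, spec: str, variables: Dict[str, str]) -> bool:
    """Does `ip` fall inside the address group `spec` under `variables`?"""
    return compile_group(spec, variables)(ipaddress.ip_address(ip))


# Constructed example variables, as an operator might configure them.
EXAMPLE_VARS = {
    "HOME_NET": "[10.0.0.0/8, 192.168.0.0/16, !192.168.100.0/24]",  # guest VLAN carved out
    "EXTERNAL_NET": "!$HOME_NET",
    "DMZ_NET": "[192.168.100.0/24, 2001:db8:100::/48]",
}

if __name__ == "__main__":
    for addr in ("10.1.2.3", "192.168.100.7", "8.8.8.8", "2001:db8:100::1"):
        print(addr, "HOME_NET" if ip_in_group(addr, "$HOME_NET", EXAMPLE_VARS)
              else "EXTERNAL_NET" if ip_in_group(addr, "$EXTERNAL_NET", EXAMPLE_VARS)
              else "neither")
```

Compiling every variable once, as above, is also the cheapest way to reject a configuration change before it is saved: undefined names, cycles, unbalanced brackets and "!any" all surface as exceptions rather than as rules that quietly never fire.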
Portal is now a one-page-app
The Lastline Portal UI is now a single-page web application. For users, this means faster load times when switching between tabs that were previously separate applications. This improvement was tracked internally as FEAT-1677.
Improved file analysis
We have made enhancements to the detection of
- ANREV-3845 JavaScript embedded in PDF files.
- ANREV-3899 SIGREPSCAN-157 ransomware behavior.
- ANREV-3901 ANREV-3902 SMB exploit code.
- LLADOC-355 LLADOC-378 LLADOC-387 LLADOC-402 ROP shellcode.
- LLADOC-374 LLADOC-393 environment specific Microsoft Office macro code.
- LLADOC-388 LLADOC-403 embedded script code in Microsoft Office documents.
- LLADOC-407 anomalous macros using system utilities.
- LLADOC-408 LLADOC-411 obfuscated, embedded EPS images.
- SIGLOGSCAN-173 SIGLOGSCAN-187 document exploits via harmful CLSIDs.
- SIGLOGSCAN-183 SIGLOGSCAN-184 code/thread injection.
- SIGLOGSCAN-185 installing hooks.
- SIGLOGSCAN-186 VM fingerprinting behavior.
- SIGLOGSCAN-190 extraction of email addresses from Microsoft Outlook.
- SIGLOGSCAN-193 network scanning behavior.
- SIGLOG-40 searching for AV products.
- SIGREPSCAN-159 SIGREPSCAN-284 anomalous script invocations.
- SIGREPSCAN-252 SIGREPSCAN-272 SIGREPSCAN-308 UAC Bypass.
- SIGREPSCAN-255 document exploits via non-ASLR libraries.
- SIGREPSCAN-264 enumeration of security products via WMI.
- SIGREPSCAN-271 disabling Microsoft Word recovery features.
- SIGREPSCAN-276 SIGREPSCAN-277 abuse of system utilities (such as waitfor.exe and bitsadmin.exe).
- SIGREPSCAN-301 using GEO location services.
and improved the reliability of
- LLADOC-391 extracting OLE streams from Microsoft Office documents.
- LLADOC-392 LLADOC-395 LLADOC-401 extracting URLs from Microsoft Office documents.
- LLADOC-404 LLADOC-414 MALS-375 Ole10Native stream analysis.
- LLADOC-413 WordProcessingML handling.
- LLAM-2806 MALS-2162 MALS-2137 generating program bundles from archives.
Email analysis improvements
- FEAT-1265: The Sensor/Pinbox settings web UI now exposes an option to enable a workaround for Microsoft Outlook Web Mail. Without this workaround, Outlook Web Mail displays the body of blocked emails as an attachment.
- LLMAIL-352: HTML analysis is now time-limited, to prevent it from stalling the email pipeline.
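The pattern behind a fix like LLMAIL-352 is to give each analysis stage a hard budget and treat "ran out of time" as a result in its own right, so one pathological message cannot block every message queued behind it. The following is an added illustration of that pattern and is not Lastline's implementation; the "analyzer" inside it is a deliberately naive regex that backtracks exponentially on crafted input (a stand-in for any HTML parser that can hang), and the sample inputs are constructed.

```python
"""Run an "HTML analysis" stage under a hard time budget so a pathological
input cannot stall the rest of an email pipeline.

Illustrative code added to these notes; it is not Lastline's implementation."""
import multiprocessing as mp
import queue
import re
from dataclasses import dataclass
from typing import Any

# Stand-in analyzer, deliberately naive: a nested-quantifier regex that
# backtracks exponentially on crafted input (classic ReDoS). Any parser that
# can hang on hostile HTML plays the same role in a real pipeline.
_TAG_RE = re.compile(r"<(a+)+>")


def naive_html_analysis(html: str) -> dict:
    """Count '<aaa...>' tags; exponential on '<aaaa...b' (no closing '>')."""
    return {"tag_count": len(_TAG_RE.findall(html)), "bytes": len(html)}


def _worker(html: str, results) -> None:
    # Report analyzer exceptions as a result too, so they never look like a hang.
    try:
        results.put(("ok", naive_html_analysis(html)))
    except Exception as exc:
        results.put(("error", repr(exc)))


@dataclass
class AnalysisResult:
    status: str        # "ok", "error" or "timeout"
    detail: Any = None


def analyze_with_timeout(html: str, timeout_s: float) -> AnalysisResult:
    """Analyze in a child process and kill it when the budget is spent.

    A thread would not do: a CPU-bound regex never yields, so a thread-based
    timeout would return while the stalled work keeps burning the CPU.
    """
    results = mp.Queue()
    proc = mp.Process(target=_worker, args=(html, results), daemon=True)
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():
        proc.terminate()          # SIGTERM first ...
        proc.join(1.0)
        if proc.is_alive():
            proc.kill()           # ... SIGKILL if it did not go away
            proc.join()
        return AnalysisResult("timeout", {"budget_s": timeout_s})
    try:
        status, detail = results.get(timeout=1.0)
    except queue.Empty:           # worker died without reporting (e.g. OOM-killed)
        return AnalysisResult("error", f"worker exited with code {proc.exitcode}")
    return AnalysisResult(status, detail)


# Constructed sample inputs, not captured mail.
BENIGN_HTML = "<a><aa><aaa> hello </aaa>"
HOSTILE_HTML = "<" + "a" * 30 + "b"   # missing '>' triggers the backtracking blow-up

if __name__ == "__main__":
    print(analyze_with_timeout(BENIGN_HTML, timeout_s=2.0))   # status "ok", 3 tags
    print(analyze_with_timeout(HOSTILE_HTML, timeout_s=2.0))  # status "timeout"
```

A process rather than a thread is the important design choice: Python cannot interrupt a regex match or a C parser that is busy in native code, so only killing the worker reliably reclaims the CPU. The caller then records the timeout against the message (a "could not analyze" verdict, or a block, depending on policy) and moves on.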
Run appliance test utility periodically
The existing lastline_test_appliance utility is now configured to run periodically on sensors to check the appliance's status. Any issues detected by that utility are reported to our backend, so they are visible in the appliance monitoring logs view of the portal and are included, as appropriate, in the appliance status notifications that the user has configured.
This can help to proactively detect a wide variety of error conditions on an installation. This improvement was tracked internally as FEAT-500.
Bug fixes and improvements
- Improvement to the stability of the sensor sniffing capabilities.
- ICAP stability and performance improvements.
- LLFILE-366 MALS-2222 Analyze files embedded in ISO containers in the Analyst API.
- LLAM-2176 LLAM-2232 Extract static properties on PE overlay.
- LLAM-2176 LLAM-2232 Extract static properties on resources embedded in PE files.
- MALS-2199 LLFILE-363 Improved reliability of archive inflation.
Deprecation of API methods
With this release, all methods of the legacy API (/ll_api/ll_api) are now deprecated. The following final API methods of the legacy API are being deprecated in this version:
- add_host_label
- delete_host_label
- query_host_labels
- set_incident_read_status
- set_incident_archived_status
- set_source_cleaned_status
- set_source_threat_ignored_status
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 721
Deprecation of appliance versions
With this version, we are dropping support for Sensor versions before 717, which were deprecated in release 7.20. These older sensor versions will no longer be able to perform detection, but it remains possible to upgrade them to the latest version to restore functionality.
Sensor versions before 720 were deprecated with release 7.23. These deprecated sensor versions however will remain supported at least until hosted release 7.26.