Version 7.26
New features
- Show warning when downloading analyzed file
- Improved file analysis
- Improved URL analysis
- Improvements to ICAP and explicit proxy
- Improvements to Active Directory integration
Show warning when downloading analyzed file
The portal will now show a warning the first time a user attempts to download a file that was submitted for analysis. The warning advises the user that the file is potentially malicious and should be handled with care.
This improvement was tracked as FEAT-2022.
Improved file analysis
We have made enhancements to the detection of:
- ANREV-3901: network exploits
- ANREV-3909: x64 .Net Protector
- ANREV-3981: memory scraper tools
- LLADOC-355: ROP exploits using non-ASLR libraries
- LLAM-2848 LLAM-2556: evasion via process/system affinity mask
- SIGLOGSCAN-193: network scans for SMB and NBT protocol vulnerabilities
- SIGREPSCAN-303: remote code execution via regsvr32 utility
- SIGREPSCAN-313: anomalous execution of PEs for Microsoft Office
Improved URL analysis
LLWEB-1745: Improved detection of suspicious SCF file downloads
Improvements to ICAP and explicit proxy
- FEAT-1601, FEAT-1602: revamped analysis pipeline for ICAP and explicit proxy blocking. This includes the ability to block on threat intelligence data, and the ability to analyze artifacts being uploaded in POST messages. For ICAP deployments, the additional features require the configuration to be set to also send REQMOD requests. Both REQMOD and RESPMOD can be configured at the same time if supported by the proxy appliance.
- SQUID-13: support for the installation of custom CA certificates in explicit proxy mode. It is now possible to place a custom CA certificate in /etc/puppet/private/squid/certificate.pem, to be used for signing during TLS inspection.
- SQUID-14: if an upstream proxy is configured to set the X-Forwarded-For header, the header information will be taken into account. Note, however, that this is possible exclusively for HTTP exchanges, as HTTPS exchanges will not contain that information.
- SENT-585: experimental support for C&C detection and drive-by download detection in explicit proxy mode. This release introduces experimental signature matching and on-the-wire webpage inspection on the traffic analyzed by the explicit proxy, including analysis of the content of encrypted TLS flows.
Improvements to Active Directory integration
The Active Directory integration has seen a number of improvements in this release.
- Support for explicitly specifying a domain name when configuring the user credentials to be used for fetching login events from a domain controller. This can be done by providing a username in the form DOMAINNAME\USERNAME
- Official support for domain controllers running Windows Server 2016
- Enforce use of NTLMv2 for authentication to the domain controller, instead of weaker authentication such as NTLMv1
These improvements were tracked as FEAT-1962.
Bug fixes and improvements
- USER-2507: fix for portal walk-through with Firefox browser
- ENG-2169: downgrade impact of lack of pf_ring support in lastline_test_appliance. This is now a warning, similar to other issues with hardware requirements.
- USER-2486: fix excessive memory usage in browser when viewing analysis reports for certain flash files
- LLADOC-423: more robust parsing of OleCF streams from Microsoft Office documents
- LLADOC-428: improved extraction of remote OLE object links from Microsoft Office documents
- LLAM-2805 LLAM-2849: fix for extracting process snapshots during dynamic analysis
- LLAM-2843: fix launching HTA scripts in Windows 10
- LLAM-2875 LLAM-2848: improved user interaction with Microsoft PowerPoint SlideShow and dialog windows
- LLAM-2892: fix for extracting network traffic during dynamic analysis
- LLFILE-327 LLFILE-363 LLFILE-373 MALS-2199: more robust handling of various archive formats
- LLFILE-366: support ISO-9660 and UDF containers in Analyst API
- LLFILE-369: support for Microsoft XPS/OpenXPS in Analyst API
- LLWEB-1739: improved handling of ActiveX/VBScript code from restricted IE browser zones
- LLWEB-1741: improved robustness of PDF analysis
- LLWEB-1751: better handling of anchor elements with "download" attribute and base64-encoded data URLs
- MALS-2204: more robust handling of archives containing non-Unicode filenames
- MALS-2263: more robust handling of large archives
- SENT-637: fixes to an irqbalance bug in trusty appliances
- SURI-591: improvements to sniffing performance in trusty appliances
- SENT-638: robustness improvements to on-the-wire webpage inspection
- LLMAIL-372: allow customization of hostname presented when receiving emails in in-line MTA mode
- LLMAIL-368: Tolerate (without reporting) one-time transient IMAP/POP3 connection errors
- LLMAIL-367: for the SSL/TLS SMTP receiver, load all certificates in the user-provided certificate file, instead of only the first one
- CC-1953: lastline_register/lastline_test_appliances: no longer use OPTIONS method for testing connectivity to a proxy server
Deprecation of API methods
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 723.1
Deprecation of appliance versions
No additional appliance versions are being deprecated or discontinued with this release.
- Sensor versions before 720 were deprecated with release 7.23. Support for these sensor versions may be dropped in the upcoming release 7.27.
- Support for sensor versions before 717 was discontinued with release 7.24.
Distribution Upgrade
Sensor version 723, which is being made available as part of this release, no longer supports Ubuntu Precise as the underlying operating system distribution. Before upgrading to Sensor version 723, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These updates are not done automatically to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.