Lastline Defender and Analyst Hosted Release Notes

Version 7.27

New features

  • Integration with McAfee TIE using OpenDXL
  • Display DNS resolution timeline in intelligence tab
  • New ICAP and explicit proxy blocking capabilities
  • ICAP and explicit proxy availability improvements
  • Explicit proxy performance improvements
  • Support shifting the selected time range with one click
  • Email analysis improvements
  • Improved file analysis
  • Improved URL analysis

Integration with McAfee TIE using OpenDXL

Lastline Enterprise now supports integrating with McAfee's Threat Intelligence Exchange (TIE) server using the Open Data Exchange Layer (OpenDXL). When configured for this integration, Lastline Enterprise pushes information on files captured in the protected network to the TIE server. This includes downloaded files as well as files attached to emails.

To configure this integration, refer to the dedicated integration guide that is available for download from the Manuals page.

This feature was tracked as FEAT-1355.

Display DNS resolution timeline in intelligence tab

When performing a search for IPs or domains contacted during analysis in the Intelligence Page, the DNS tab now displays a timeline of the DNS resolutions related to the query terms that Lastline observed during analysis. The timeline also provides additional information about the IPs and domains involved. This feature was tracked as FEAT-1740.

New ICAP and explicit proxy blocking capabilities

New blocking modes are available to customers leveraging ICAP or explicit proxy for HTTP monitoring. The different blocking modes allow a trade-off between security and delay in serving potentially suspicious content.

  • passive: content is extracted for analysis, but no blocking is ever attempted.
  • sensor-known: blocking decisions rely exclusively on a cache local to the specific sensor appliance. Only artifacts that have already been downloaded through that sensor appliance will be blocked.
  • manager-known: the current default blocking mode; it uses scoring information collected by the hosted backend or by the manager to make blocking decisions. A file observed for the very first time (patient zero) will not be blocked.
  • full: protects against patient zero by stalling the download of a file that the prefilter deems suspicious and that is not yet known to Lastline. The transfer is stalled until the backend has completed its analysis. This mode can delay the download of suspicious unknown files by several minutes.
  • full with feedback: particularly suited to the explicit proxy implementation; this mode additionally informs the user that the requested file is currently being held for analysis.

The different blocking modes can be activated from the sensor appliance configuration in the user website. Different blocking modes can be enabled for different filetypes.
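A small model of the decision each mode makes, added here as an illustration; this is not Lastline's own code, and the score threshold, the cache shapes and the SHA-1 keys are assumptions, since the release notes give none of them. Its point is to show which modes leave patient zero exposed and which ones trade latency for coverage.

```python
"""Toy model of the ICAP / explicit proxy blocking modes (added example,
not Lastline's own implementation)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PASSIVE = "passive"
    SENSOR_KNOWN = "sensor-known"
    MANAGER_KNOWN = "manager-known"
    FULL = "full"
    FULL_WITH_FEEDBACK = "full with feedback"


@dataclass
class Verdict:
    action: str              # "allow", "block" or "stall"
    notify_user: bool = False
    reason: str = ""


# Assumed score cut-off; the release notes do not state a number.
MALICIOUS_THRESHOLD = 70


def decide(mode: Mode, sha1: str, prefilter_suspicious: bool,
           sensor_cache: dict, manager_scores: dict) -> Verdict:
    """Verdict for one download of the artifact `sha1` under `mode`.

    sensor_cache   : {sha1: score} of artifacts this sensor already saw
    manager_scores : {sha1: score} known to the manager / hosted backend
    Both dict shapes are assumptions made only for this model.
    """
    if mode is Mode.PASSIVE:
        return Verdict("allow", reason="passive: extract only, never block")

    if mode is Mode.SENSOR_KNOWN:
        # only the local cache is consulted, never the manager
        score = sensor_cache.get(sha1)
        if score is not None and score >= MALICIOUS_THRESHOLD:
            return Verdict("block", reason="malicious per local sensor cache")
        return Verdict("allow", reason="not known malicious in local cache")

    # manager-known and the two full modes consult the manager / backend
    score = manager_scores.get(sha1)
    if score is not None:
        if score >= MALICIOUS_THRESHOLD:
            return Verdict("block", reason="malicious per manager score")
        return Verdict("allow", reason="known benign per manager score")

    if mode is Mode.MANAGER_KNOWN:
        return Verdict("allow", reason="patient zero: unknown file is served")

    # full / full with feedback: hold an unknown file only if the prefilter
    # flagged it; the stall lasts until the backend finishes analysis
    if prefilter_suspicious:
        return Verdict("stall",
                       notify_user=(mode is Mode.FULL_WITH_FEEDBACK),
                       reason="held until backend analysis completes")
    return Verdict("allow", reason="unknown but not flagged by prefilter")


def patient_zero_matrix(prefilter_suspicious: bool = True) -> dict:
    """Action taken under each mode for a never-before-seen artifact."""
    unseen = "0" * 40
    return {m.value: decide(m, unseen, prefilter_suspicious, {}, {}).action
            for m in Mode}


if __name__ == "__main__":
    for mode, action in patient_zero_matrix().items():
        print(f"{mode:20s} -> {action}")
```

Running it prints that only the two full modes stall a suspicious first-seen file; the others serve it and rely on the next sighting being blocked, which is the trade-off the mode list describes.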

ICAP and explicit proxy availability improvements

This release improves sensor reliability when running the ICAP or the explicit proxy service. The sensor now continuously monitors the state and responsiveness of the ICAP service. If an issue affects the availability of the ICAP service, the appliance status is updated to reflect it and the sensor attempts to recover automatically by restarting the relevant services.

When the ICAP service is active, the monitoring logs also report the number of parallel connections currently handled by the service and the number of currently active workers.

This improvement was tracked as FEAT-1692.
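An external check of the same kind, added here as an example and not taken from the sensor's own monitoring: it sends an ICAP OPTIONS request (RFC 3507) and treats a 200 response that advertises RESPMOD as healthy. The service path, the default port 1344 and the constructed sample response are assumptions; the appliance's actual service name is not given on this page.

```python
"""ICAP OPTIONS health probe (added example; not Lastline's monitoring code)."""
import socket

# Constructed response in the shape RFC 3507 section 4.10 describes.
# The service name and header values are invented for this example.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: example-icap-service\r\n"
    b'ISTag: "W3E4R7U9-L2E4-2"\r\n'
    b"Max-Connections: 1000\r\n"
    b"Options-TTL: 3600\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def build_options_request(host: str, port: int, service: str) -> bytes:
    """OPTIONS request for one ICAP service; the path is whatever the
    appliance exposes (assumed here, not taken from the page)."""
    return (
        f"OPTIONS icap://{host}:{port}{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: icap-health-probe/0.1\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw: bytes):
    """Split the status line and headers of an ICAP response.
    Returns (status_code, reason, {lower-cased-header: value})."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: no header terminator")
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers


def evaluate(status: int, headers: dict, required_method: str = "RESPMOD") -> dict:
    """Decide whether the service is usable for response scanning and pull
    the capacity hints a monitor would want to chart alongside the sensor's
    own connection / worker counters."""
    methods = {m.strip().upper()
               for m in headers.get("methods", "").split(",") if m.strip()}
    max_conn = headers.get("max-connections")
    ttl = headers.get("options-ttl")
    return {
        "healthy": status == 200 and required_method.upper() in methods,
        "methods": sorted(methods),
        "max_connections": int(max_conn) if max_conn and max_conn.isdigit() else None,
        "options_ttl": int(ttl) if ttl and ttl.isdigit() else None,
    }


def probe(host: str, port: int = 1344, service: str = "/respmod",
          timeout: float = 5.0) -> dict:
    """Connect, send OPTIONS, read the header block, and report. Any socket
    or parse failure is reported as unhealthy rather than raised, which is
    what a watchdog that may restart the service wants."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(host, port, service))
            buf = b""
            while b"\r\n\r\n" not in buf and len(buf) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        status, reason, headers = parse_icap_response(buf)
    except (OSError, ValueError) as exc:
        return {"healthy": False, "error": f"{type(exc).__name__}: {exc}"}
    result = evaluate(status, headers)
    result["status"] = status
    result["reason"] = reason
    return result


if __name__ == "__main__":
    print(probe("127.0.0.1"))
```

A response that arrives but lacks RESPMOD, or a connection that times out while the port still accepts connections, are the two cases a plain TCP port check misses; both come back as unhealthy here.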

Support shifting the selected time range with one click

The time range selection widget used throughout the Lastline Portal now supports shifting to the previous or following interval with a single click on the < and > buttons. Using these buttons shifts the selected interval while preserving the number of days that are selected. This feature was tracked as FEAT-2083.

Email analysis improvements

  • LLMAIL-374: in IMAP mode, use CLOSE instead of EXPUNGE
  • LLMAIL-369: in inline MTA mode, add analysis-incomplete=attachment-too-large in the X-Lastline header if the attachment was too large to be analyzed.

Improved file analysis

We have made enhancements to the detection of

  • LLWEB-1771 exploits triggered via PDF OpenAction
  • LLWEB-1770 evasions via PDF reader fingerprinting
  • LLADOC-442 LLADOC-449 Python scripts embedded in Microsoft Office documents
  • LLADOC-432 LLADOC-435 LLADOC-437 LLADOC-438 suspicious data embedded in OleCF streams in RTF documents
  • LLADOC-434 EPS files embedded in Microsoft Office documents
  • LLADOC-424 LLADOC-425 suspicious links in Microsoft PowerPoint slide shows
  • FEAT-2165 LLAM-2983 executable code embedded in Microsoft Office documents

Improved URL analysis

We have made enhancements to the detection of

  • LLWEB-1764 scripts dropped in web attacks
  • LLWEB-1755 dropped files requiring user-interaction for the download

Bug fixes and improvements

  • LLUPL-507: fix issue that caused incidents in periodic reports to no longer be correctly sorted by impact score
  • LLUPL-538: no longer incorrectly refer to "Internal Host" in notification emails
  • USER-2448: fix issue where built-in dashboard configurations were not added to history of recently used dashboards
  • USER-2476: allow non-administrator accounts with the "can view appliances" permission to view appliance configuration
  • USER-2517/USER-2520: fix issue that caused link to child tasks to not be shown in some analysis reports
  • USER-2529: fix incorrect link to "view traffic capture in new tab"
  • USER-2530: fix bugs in "Label/Whitelist Hosts" dialog
  • USER-2539/USER-2541: fix bug that prevented deleting a home network configuration
  • CC-1970/CC-2015: improve error reporting during appliance installation
  • CC-2026: diagnostic checks: support case where multiple virtual drives are defined on an LSI RAID controller
  • LLAM-2901 extract more information from Microsoft Windows networking APIs
  • MALS-2307 accept Nuget archives in Analyst API
  • MALS-2254 MALS-2273 improved analysis environment selection for XPS submissions
  • MALS-2299 more robust handling of hash-lookups with MD5 collisions
  • MALS-2280 improved handling of Analyst API get_completed for returning completion information for partially completed seconds
  • MALS-2298 more robust handling of corrupted archives
  • MALS-2204 LLFILE-376 more robust handling of archives containing anomalous filenames
  • LLADOC-414 more robust parsing of Ole10Native "compact" mode streams
  • LLADOC-429 more robust type-detection of data embedded in OLE streams
  • LLFILE-379 more robust handling of Svgz images
  • LLFILE-37 MALS-2207 more robust type-detection for script files
  • MALS-2283 improve Lastline Application Bundle support for launching DLLs
  • MALS-2214 unify command-line and configuration options across Lastline API clients
  • MALS-2277 improved documentation of Lastline Application Bundles
  • MALS-2264 MALS-2267 LLWEB-1749 improved documentation of Analyst API report format
  • MALS-2212 MALS-2265 improved documentation of submit_file metadata parameters in Analyst API
  • MALS-2220 MALS-2187 MALS-2194 MALS-2295 improved documentation of Lastline Analyst API client (client shell / analyze_binaries)
  • SENT-620 significant performance improvements to explicit proxy implementation, and fix to an ICAP bug caused by large numbers of parallel connections
  • ENG-2063 explicit proxy update to squid 3.5.23
  • ENG-2064 tcpreplay update to 4.2.6

Deprecation of API methods

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 724.1

Deprecation of appliance versions

No additional appliance versions are being deprecated or discontinued with this release.

  • Sensor versions before 720 were deprecated with release 7.23. Support for these sensor versions will be dropped in the upcoming release 7.28.

  • Support for sensor versions before 717 was discontinued with release 7.24.

Distribution Upgrade

Sensor version 724.1, which is being made available as part of this release, no longer supports Ubuntu Precise as the underlying operating system distribution. Before upgrading to Sensor version 724.1, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These updates are not done automatically to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.
