Version 7.28
New features
- AF_PACKET v3 packet acquisition support on sensor
- Improved appliance selection
- Improved visual consistency of Lastline Portal
- Flexible export of blacklisted IoCs in intelligence tab
- Improved file analysis
- Improvements to ICAP/Explicit proxy
AF_PACKET v3 packet acquisition support on sensor
This release includes experimental support for a new packet acquisition technology on sensors meant to replace PF_RING in the long term. While tested at length on a number of supported hardware configurations, AF_PACKET support is less mature than PF_RING and should at this stage be considered experimental. It is our plan to phase out the use of PF_RING in favor of AF_PACKET: future sensor releases will default to using AF_PACKET upon first install.
Main improvements associated with AF_PACKET:
- Better performance at multi-gigabit packet rates (on 10g appliances)
- Possibility to enable AF_PACKET on any NIC driver. This should lead to performance benefits on NIC drivers not supported by PF_RING (e.g. virtual sensors).
- Support for recent NICs. The current release includes support for Intel X550 NICs; additional NICs will be supported in future releases exclusively via AF_PACKET.
To enable AF_PACKET on a sensor appliance, a new option is available in the sensor configuration page. The option can be used to either directly switch from PF_RING to AF_PACKET on appliances currently configured to use PF_RING, or to enable AF_PACKET on appliances that do not support PF_RING. The switch to AF_PACKET requires a NIC driver reload, but in the majority of cases should not require a reboot.
This feature was tracked internally as FEAT-2155.
Improved appliance selection
This release improves the modal dialog that is used when selecting multiple appliances in the Appliance monitoring logs and Appliance metrics views. The existing selection dialog could be cumbersome to use for customers with many appliances. The appliance selection dialog now includes options to clear the selection, as well as select all appliances of a given type.
This improvement was tracked internally as USER-2568.
Improved visual consistency of Lastline Portal
In this release we have made a number of small changes that improve the visual consistency of the Lastline Portal, by improving conformance with our visual style guide. These improvements include:
- more consistent use of icons for remove vs delete operations
- fix missing titles for links that open in new tab
- more consistent display of icons within links
- more consistent options for closing modal dialogs
This improvement was tracked internally as USER-2502.
Flexible export of blacklisted IoCs in intelligence tab
When accessing the domains and IPs resulting from a search in the Intelligence Page, the Network IoCs tab now offers users the choice to select the entries to be exported for blacklisting. Recommended entries to be exported are selected by default.
This feature was tracked internally as FEAT-2030.
Improved file analysis
We have made enhancements to the detection of:
- LLADOC-458 exploits using SOAP Moniker in Microsoft Office documents
- LLADOC-457 LNK files embedded in Microsoft Office documents
- LLADOC-450 LLADOC-451 LLADOC-454 exploits using external commands, external OLE data, or DDE Links in Microsoft Office documents
- LLADOC-443 LLADOC-448 JAR archives embedded in Microsoft Office documents
- LLAM-3010 evasions requiring user input in Microsoft Office
- SIGREPSCAN-264 evasions via WMI/BIOS information
- SIGREPSCAN-274 autostart modifications and scheduling of delayed tasks
- SIGREPSCAN-332 retrieval of unavailable remote resources via HTTPS
Improvements to ICAP/Explicit proxy
We have made enhancements to the sensor detection capabilities when operating in ICAP or explicit proxy mode.
- FEAT-2153 ability to analyze scripts. It is now possible to analyze and block malicious scripts. Blocking mode for scripts can be configured from the sensor configuration UI (scripts belong to the file category "other" in the ICAP blocking configuration). Support includes files with the following extensions: .bat, .ps1, .psm1, .psd1, .vba, .vbs, .js, .jse, .hta
- SURI-593 improved support for network detections (explicit proxy only). When configured to run in explicit proxy, the sensor will inspect the decrypted traffic with capabilities that are similar to those used when sniffing traffic.
Bug fixes and improvements
- LLUPL-525: Improve scoring of network events associated with UDP traffic. UDP events were previously downgraded in impact if there was no response from server. This logic has now been disabled because for many UDP events no server response is expected.
- LLAM-2978 LLAM-2981 LLAM-2997: Improve extraction of process snapshot metadata to cover more memory regions.
- LLADOC-440 LLFILE-344: Make parsing of Microsoft Office document OLE data more robust when document uses invalid byte-order header.
- MALS-2280 MALS-2309: Improve handling of queries for completion information in the Analyst API using long time windows.
- MALS-1947: Better validation of report_uuid in calls to Analyst API function get_results.
- MALS-2308: API client documentation improvements for Analyst API function get_completed.
- MALS-2306: API documentation fix for Analyst API authentication function login.
- LLWEB-1777: Improve whitelisting of newly spawned benign processes observed during a URL analysis.
- LLPSV-117: The llpsv service now runs with reduced privileges.
- SURI-507: Support for blocking network events based on network signature detections.
- LLMAIL-375: Improved error checking and handling when fetching emails from an IMAP inbox.
- LLMAIL-371: In the X-Lastline header (in-line email analysis), indicate when analysis failed because of too many upload errors.
Deprecation of API methods
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 725
Deprecation of appliance versions
- With this version, we are dropping support for Sensor versions before 720, which were deprecated with release 7.23.
- Support for sensor versions before 717 was discontinued with release 7.24.
Distribution Upgrade
Sensor version 725, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded. A distribution upgrade can be performed with the "lastline_distribution_upgrade" command-line utility. These updates are not done automatically to prevent unexpected downtime. Please contact support@lastline.com for help with the upgrade process.