Lastline Defender and Analyst Hosted Release Notes

Version 7.29

New features

  • Support for streaming system logs from Lastline appliances
  • New Active Directory view in the UI for login activity
  • Mail sensor can be configured to restrict IPs that can connect via SMTP
  • Improvements to NIC support on sensor
  • Better diagnosis of sniffing problems on sensor
  • Improved file analysis
  • Email analysis improvements

Support for streaming system logs from Lastline appliances

Lastline appliances can now be configured to stream system logs to one or more target servers using the syslog protocol over UDP or TCP. Syslog over UDP gives no delivery guarantee, so TCP is preferable where the collector supports it. Among other things, these logs include

  • authentication attempts to the appliance over SSH
  • all shell commands executed with "sudo"

This setting can be configured from the appliance configuration UI.

This feature was tracked internally as FEAT-2087.
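As an added illustration, not part of the original release notes and not Lastline tooling, the Python snippet below shows what a collector on the receiving end of such a stream can do with it: it parses SSH authentication and sudo entries written in the standard layout that sshd and sudo use on Ubuntu, counts failed logins per source address and flags sudo commands that touch sensitive files. The sample lines, the hostnames and addresses, the threshold of three failures and the list of sensitive paths are all constructed for the example; the exact message format the appliance emits is not documented on this page and should be compared against a real stream before the regular expressions are relied on.

```python
import re
from collections import Counter

# Constructed sample lines in the layout that sshd and sudo write to Ubuntu's
# auth.log (and therefore to a syslog stream). They are illustrative, not
# captured from a Lastline appliance; hostnames and addresses are made up.
SAMPLE_LINES = [
    "Jan 12 10:15:01 sensor1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:15:03 sensor1 sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Jan 12 10:15:04 sensor1 sshd[1235]: Failed password for lastline from 203.0.113.5 port 51238 ssh2",
    "Jan 12 10:15:09 sensor1 sshd[1236]: Accepted publickey for lastline from 192.0.2.10 port 51240 ssh2: RSA SHA256:abc",
    "Jan 12 10:16:00 sensor1 sudo: lastline : TTY=pts/0 ; PWD=/home/lastline ; USER=root ; COMMAND=/usr/bin/lastline_test_appliance",
    "Jan 12 10:16:30 sensor1 sudo: lastline : TTY=pts/0 ; PWD=/home/lastline ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]

# BSD-style syslog header: timestamp, host, program name with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd result lines; "invalid user" is inserted for unknown account names.
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# sudo audit line: invoking user, target user and the command actually run.
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_event(line):
    """Return a structured event for sshd auth and sudo lines, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host")}
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "sshd":
        s = SSH_RE.match(msg)
        if s:
            event.update(kind="ssh_auth", result=s.group("result").lower(),
                         method=s.group("method"), user=s.group("user"), src_ip=s.group("ip"))
            return event
    elif prog == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            event.update(kind="sudo", user=s.group("user"), target=s.group("target"),
                         command=s.group("cmd").strip())
            return event
    return None


def analyze(lines, fail_threshold=3, sensitive_paths=("/etc/shadow", "/etc/sudoers")):
    """Parse a batch of lines and derive two simple alerts.

    fail_threshold and sensitive_paths are example values chosen for this
    demonstration; tune them to the environment.
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    failed_by_ip = Counter(e["src_ip"] for e in events
                           if e["kind"] == "ssh_auth" and e["result"] == "failed")
    alerts = []
    for ip, count in failed_by_ip.items():
        if count >= fail_threshold:
            alerts.append(f"ssh brute force: {count} failed logins from {ip}")
    for e in events:
        if e["kind"] == "sudo" and any(p in e["command"] for p in sensitive_paths):
            alerts.append(f"sensitive sudo command by {e['user']} on {e['host']}: {e['command']}")
    return {"events": events, "failed_by_ip": dict(failed_by_ip), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES)["alerts"]:
        print(alert)
```

The parser deliberately returns None for anything it does not recognise rather than guessing, so unrelated daemons on the same stream do not pollute the counts; in a real pipeline the unparsed lines should still be retained for forensics.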

New Active Directory view in the UI for login activity

Lastline Enterprise supports integrating with Windows Active Directory to obtain information on which accounts are logged into which hosts in the protected network.

With this release, a new Active Directory view is available, which lists all events obtained from Active Directory, with support for filtering by time, IP range and username.

This feature was tracked internally as FEAT-2133.

Mail sensor can be configured to restrict IPs that can connect via SMTP

When Lastline mail sensors are configured in MTA mode, they accept SMTP(S) connections. With this release, users can configure a whitelist of IP ranges from which clients are allowed to connect to the mail sensor over SMTP(S). The setting is specified as a list of network ranges in CIDR notation, such as "192.168.1.0/24" (a single host is written with a /32 prefix), and can be configured from the sensor's appliance configuration UI. The list must include the upstream MTA or relay that hands mail to the sensor, otherwise mail delivery stops once the restriction is enabled.

This feature was tracked internally as FEAT-2266.
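The following Python example, added here and not taken from the Lastline product, shows the check a reviewer should apply to such a whitelist before saving it. It uses the standard ipaddress module: with strict=False an entry with host bits set, for instance 192.168.1.1/24 where 192.168.1.0/24 was meant, is silently widened to the aligned network, which is how most appliances treat it; with strict=True such an entry is rejected so the slip is caught. The configured ranges and client addresses below are constructed, and whether the Lastline UI itself accepts non-aligned prefixes is not stated on this page.

```python
import ipaddress

# Constructed example configuration; not taken from a real sensor. The first
# entry deliberately has host bits set to show how it is handled.
CONFIGURED_RANGES = ["192.168.1.1/24", "10.20.0.0/16", "2001:db8:10::/64"]


def parse_allowlist(entries, strict=False):
    """Parse CIDR strings into network objects.

    strict=False mirrors the lenient behaviour of most appliances: an entry
    with host bits set, e.g. 192.168.1.1/24, is widened to 192.168.1.0/24.
    strict=True rejects such entries, which is the better choice when the
    list is reviewed by a person, because a slip such as 10.0.0.1/8 then
    fails loudly instead of quietly admitting a whole /8.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=strict))
        except ValueError as exc:
            raise ValueError(f"invalid SMTP allow-list entry {entry!r}: {exc}") from exc
    return networks


def client_allowed(client_ip, networks):
    """True if the connecting address falls inside any configured range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def review_allowlist(entries):
    """Return human-readable findings a reviewer should see before saving."""
    findings = []
    for entry in entries:
        entry = entry.strip()
        net = ipaddress.ip_network(entry, strict=False)
        if str(net) != entry:
            findings.append(f"{entry}: host bits set; will be treated as {net}")
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address and removes the restriction")
        elif net.version == 4 and net.prefixlen < 16:
            findings.append(f"{entry}: very broad IPv4 range; confirm this is intended")
    return findings


if __name__ == "__main__":
    nets = parse_allowlist(CONFIGURED_RANGES)
    for ip in ("192.168.1.200", "10.20.3.4", "198.51.100.7"):
        print(ip, "allowed" if client_allowed(ip, nets) else "refused")
    for finding in review_allowlist(CONFIGURED_RANGES + ["0.0.0.0/0"]):
        print("warning:", finding)
```

Run review_allowlist over the list you intend to paste into the UI; the breadth thresholds are example values and the IPv6 case is left out of the breadth check because a /64 is the normal per-segment size there.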

Improvements to NIC support on sensor

The sensor ships with updated support for a number of Intel NICs based on the i40e and e1000e drivers, including the Intel X720 and the Intel I219. Support for the new NICs is available only when AF_PACKET is selected as the packet acquisition strategy.

Additionally, detailed information on the configured NICs is now visible in the appliance status details for sensor appliances, including the model, driver details and the name of the physical interface mapped to each NIC.

Better diagnosis of sniffing problems on sensor

More tools are now available to monitor the state of sniffing interfaces on sensor appliances.

  • Interface checks: the sensor monitors the state of sniffing interfaces and reacts to sudden changes by issuing warnings. Warnings are triggered when the uplink status of an interface changes (e.g. the cable is disconnected) or when an interface previously receiving traffic suddenly stops receiving any data.
  • Improved sniffing checks in lastline_test_appliance: when the lastline_test_appliance tool is run from the command line, it collects a traffic sample from each sniffing interface and performs a number of analyses to detect common network misconfigurations.

This feature was tracked internally as FEAT-1653.
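As an added example, and not the sensor's own implementation (whose internals this page does not describe), the Python class below models the interface check described above: it compares successive snapshots of each sniffing interface's carrier state and receive-packet counter, warns when the uplink status flips in either direction, and warns when an interface that has previously received traffic goes quiet, while staying silent for an interface that has never carried traffic (an unused spare port) so that it does not warn on every poll. On a Linux sensor the snapshots would be read from /sys/class/net/<iface>/carrier and /sys/class/net/<iface>/statistics/rx_packets, for which a reader helper is included; the snapshots used in the demo are constructed.

```python
# Snapshot layout: iface -> (carrier_up, rx_packets). On a Linux sensor these
# values come from /sys/class/net/<iface>/carrier and
# /sys/class/net/<iface>/statistics/rx_packets; the demo values are made up.


def read_snapshot(ifaces, sysfs="/sys/class/net"):
    """Read carrier state and rx counter for each interface (Linux only)."""
    snapshot = {}
    for iface in ifaces:
        with open(f"{sysfs}/{iface}/carrier") as fh:
            carrier_up = fh.read().strip() == "1"
        with open(f"{sysfs}/{iface}/statistics/rx_packets") as fh:
            rx_packets = int(fh.read().strip())
        snapshot[iface] = (carrier_up, rx_packets)
    return snapshot


class SniffMonitor:
    """Stateful check over successive snapshots.

    Warns on any carrier change and when an interface that has previously
    received traffic reports no new packets for an interval. An interface
    that has never seen traffic (e.g. an unused spare port) is not reported,
    so a quiet port does not produce a warning on every poll. A decreasing
    counter is reported separately, since it usually means the driver was
    reset or reloaded underneath the sniffer.
    """

    def __init__(self):
        self._last = {}             # iface -> (carrier_up, rx_packets)
        self._seen_traffic = set()  # ifaces that have received packets at least once

    def observe(self, snapshot):
        warnings = []
        for iface, (carrier_up, rx_packets) in sorted(snapshot.items()):
            previous = self._last.get(iface)
            if previous is not None:
                prev_carrier, prev_rx = previous
                if carrier_up != prev_carrier:
                    warnings.append(
                        f"{iface}: link {'up' if carrier_up else 'down'} "
                        f"(was {'up' if prev_carrier else 'down'})")
                delta = rx_packets - prev_rx
                if delta < 0:
                    warnings.append(f"{iface}: rx counter went backwards (driver reset or reload?)")
                elif delta > 0:
                    self._seen_traffic.add(iface)
                elif iface in self._seen_traffic:
                    warnings.append(f"{iface}: was receiving traffic, no packets in the last interval")
            self._last[iface] = (carrier_up, rx_packets)
        return warnings


if __name__ == "__main__":
    monitor = SniffMonitor()
    polls = [
        {"eth1": (True, 1000), "eth2": (True, 0)},   # baseline
        {"eth1": (True, 1500), "eth2": (True, 0)},   # eth1 sees traffic, eth2 is an idle spare
        {"eth1": (True, 1500), "eth2": (False, 0)},  # eth1 goes quiet, eth2 loses link
    ]
    for i, snap in enumerate(polls):
        for warning in monitor.observe(snap):
            print(f"poll {i}: {warning}")
```

In production the poll interval matters: a single quiet interval on a lightly loaded tap is normal, so a real deployment would require several consecutive quiet intervals before alerting, which is a one-line extension of the _seen_traffic bookkeeping.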

Improved file analysis

We have made enhancements to the detection of

  • LLADOC-463 suspicious OLE objects embedded in RTF documents
  • LLADOC-453 encrypted documents embedded in documents or emails
  • LLADOC-464 encoded commands embedded in PowerPoint presentations
  • LLADOC-462 position independent shellcode
  • LLADOC-336 compressed streams embedded in Hangul documents
  • LLADOC-451 SIGREPSCAN-335 accessing of external resources as part of a document exploit
  • LLADOC-459 evasive code using mouse movement
  • SIGLOGSCAN-205 x86 shellcode embedded in legitimate tools
  • SIGLOGSCAN-185 installation of window hooks
  • SIGREPSCAN-347 invocation of commands via Microsoft Office
  • SIGREPSCAN-301 abusing GeoIP services
  • LLAM-3046 sleep-based evasions

Email analysis improvements

  • FEAT-2178: Allow configuring a list of destination domains that the sensor accepts in MTA mode.
  • LLMAIL-377: Raise an error if the email analysis queue utilization reaches 95% (instead of 100%), to reduce flapping between the warning and error states.
  • FEAT-1625: Major improvements to the delivery logic in MTA in-line mode, specifically to the handling of failures when delivering emails to the next hop. It is also now possible to configure how many concurrent connections are used for delivery to the next hop.

Bug fixes and improvements

  • FEAT-1344: Users who are not administrators can now view their own account's activity in the audit log.
  • LLAM-3030: More accurate tracking of behavior spawned from MSI packages.
  • LLAM-3062: More realistic mimicking of user behavior.
  • MALS-2338: Support for an optimized API call for retrieving the UTC timestamp.
  • LLADOC-461: Better extraction of long strings in Analyst API results (e.g., subject command line or Microsoft Office macro code).
  • LLFILE-367: Support for the PCAP-ng file format in the Analyst API.
  • CC-2089: The "-s" option has been removed from lastline_register; use "--skip-hardware-tests" instead, and only if necessary.
  • CC-1871: Improved NTP diagnostic checks to reduce false alerts.
  • CC-2108: Added a diagnostic check that alerts if too many files are present in /tmp.

Deprecation of API methods

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 726

Deprecation of appliance versions

  • Support for sensor versions before 720 was discontinued with release 7.28.

  • Support for sensor versions before 717 was discontinued with release 7.24.

Distribution Upgrade

Sensor version 726, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor version, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
