Lastline Defender and Analyst Hosted Release Notes

Version 7.30

New features

  • Improved appliance configuration page
  • HOME_NET awareness on sensor appliances
  • Support for interface bonding on sniffing interfaces
  • Download blocking events
  • Route mail messages based on destination domain
  • ICAP/explicit proxy branding configuration
  • Increased visibility in Mac OS analysis framework
  • Improved file analysis
  • URL analysis improvements

Improved appliance configuration page

The appliance configuration page of the Lastline Portal has been redesigned and improved. The available configuration options are now organized into tabs by category.

This feature was tracked internally as FEAT-2172.

HOME_NET awareness on sensor appliances

The Custom Intelligence page in the Admin tab already allows custom IDS variables to be defined and applied to all sensors or to specific ones. The HOME_NET variable defines one or more CIDR prefixes that should be considered internal to a given organization. Detections for hosts outside these prefixes are not taken into account by the sensor appliance, which avoids potential false positives caused by external scans. The value of the HOME_NET variable is now honored by all Lastline detectors.

This feature was tracked internally as FEAT-1394.
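The following is an added illustration of the HOME_NET filtering described above; it is not Lastline code. It assumes a HOME_NET made of two constructed prefixes and a constructed list of detections, and it assumes (as a reading of the paragraph, not a documented rule) that a detection is kept when at least one of its endpoints falls inside HOME_NET and dropped when both are external, which is exactly the case of an external host scanning another external host.

```python
import ipaddress
from typing import Dict, List

# Constructed HOME_NET definition (assumption: two internal prefixes).
HOME_NET = ["10.0.0.0/8", "192.168.1.0/24"]

# Constructed sample detections, in the shape of simple src/dst/rule records.
SAMPLE_DETECTIONS = [
    {"src": "10.1.2.3", "dst": "203.0.113.5", "rule": "outbound beacon"},
    {"src": "198.51.100.7", "dst": "192.168.1.10", "rule": "inbound port scan"},
    {"src": "198.51.100.9", "dst": "203.0.113.8", "rule": "external-to-external scan"},
    {"src": "192.168.1.20", "dst": "10.5.5.5", "rule": "lateral SMB probe"},
]


def parse_home_net(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into network objects.

    strict=False tolerates host bits being set (e.g. 10.1.0.0/8), which is
    a common way HOME_NET values get written by hand.
    """
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_internal(host: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True when the host address lies inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in nets)


def filter_detections(detections: List[Dict[str, str]], prefixes: List[str]) -> List[Dict[str, str]]:
    """Keep detections that involve at least one internal host.

    Assumption: a detection whose source and destination are both outside
    HOME_NET (for example an external scan of another external host) is the
    kind of event the paragraph describes as not taken into account.
    """
    nets = parse_home_net(prefixes)
    return [
        d for d in detections
        if is_internal(d["src"], nets) or is_internal(d["dst"], nets)
    ]


if __name__ == "__main__":
    for d in filter_detections(SAMPLE_DETECTIONS, HOME_NET):
        print(f"kept: {d['src']} -> {d['dst']} ({d['rule']})")
```

Running the block keeps three of the four constructed detections and drops the external-to-external scan. A variable left empty would match nothing and silently drop every detection, so an empty HOME_NET should be treated as "not configured" rather than as "nothing is internal" in any real deployment of such logic.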

Support for interface bonding on sniffing interfaces

The sensor now fully supports the use of interface bonding to aggregate the two traffic directions when operating with TAP devices. The sensor detects the presence of a bonded interface in the list of sniffing interfaces and configures the NIC for best performance.

This feature was tracked internally as FEAT-1573.

Route email messages based on destination domain

It is now possible to customize the MTA next hop used by the Lastline sensor based on the destination domain. Multiple next hop tables can be defined and associated either with exact destination domains (e.g. "@domain.com") or with subdomains of a given parent domain (e.g. ".domain.com" matching "@sub1.domain.com"). Within each next hop table, multiple next hop endpoints can be defined, each with its own priority.

This feature was tracked internally as FEAT-2298.
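The following is an added example of the routing logic the previous paragraph describes; it is not Lastline code and does not reflect how the sensor stores its configuration. The next hop tables, the domain rules and the sample recipients are constructed. Two points are assumptions rather than documented behaviour: an exact "@domain" rule wins over any ".domain" rule, and when several ".domain" rules match the longest one wins; likewise a lower priority number is assumed to mean "try first".

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NextHop:
    host: str
    port: int
    priority: int  # assumption: lower value is tried first


# Constructed next hop tables, keyed by a table name.
NEXT_HOP_TABLES: Dict[str, List[NextHop]] = {
    "corp": [NextHop("mx2.corp.example", 25, 20), NextHop("mx1.corp.example", 25, 10)],
    "partners": [NextHop("relay.partner.example", 2525, 10)],
    "default": [NextHop("smtp-out.example", 25, 10)],
}

# Constructed domain rules: "@x" is an exact domain, ".x" covers subdomains of x.
DOMAIN_RULES: Dict[str, str] = {
    "@example.com": "corp",
    ".example.com": "partners",   # e.g. sub1.example.com
    ".eu.example.com": "corp",    # more specific subdomain rule
}


def recipient_domain(address: str) -> str:
    """Extract the normalized domain part of an envelope recipient."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid recipient address: {address!r}")
    # Case-insensitive match; a trailing dot (FQDN form) is ignored.
    return domain.lower().rstrip(".")


def select_table(domain: str, rules: Dict[str, str]) -> str:
    """Pick the next hop table for a domain.

    Exact "@domain" rules take precedence (assumption). Among ".domain"
    rules, the longest matching suffix wins (assumption). The leading dot
    means "notexample.com" never matches ".example.com" and the apex
    "example.com" itself is not a subdomain of ".example.com".
    """
    exact = "@" + domain
    if exact in rules:
        return rules[exact]
    best_pattern = ""
    best_table = "default"
    for pattern, table in rules.items():
        if pattern.startswith(".") and domain.endswith(pattern):
            if len(pattern) > len(best_pattern):
                best_pattern, best_table = pattern, table
    return best_table


def next_hops_for(address: str,
                  rules: Dict[str, str] = DOMAIN_RULES,
                  tables: Dict[str, List[NextHop]] = NEXT_HOP_TABLES) -> List[NextHop]:
    """Return the next hop endpoints for a recipient, in delivery order."""
    table = select_table(recipient_domain(address), rules)
    return sorted(tables[table], key=lambda hop: hop.priority)


if __name__ == "__main__":
    for rcpt in ["alice@example.com", "bob@sub1.example.com",
                 "carol@mail.eu.example.com", "eve@other.example"]:
        hops = ", ".join(f"{h.host}:{h.port}" for h in next_hops_for(rcpt))
        print(f"{rcpt:28s} -> {hops}")
```

With these rules, "alice@example.com" goes to the corp table (mx1 before mx2 because of priority), "bob@sub1.example.com" to the partners relay, "carol@mail.eu.example.com" back to corp through the more specific rule, and anything unmatched to the default table. Normalizing case and the trailing dot matters: without it, a recipient written as "Example.COM" would silently fall through to the default relay.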

Download blocking events

Starting from this release, the sensor reports information on blocking actions performed on file downloads processed by ICAP or by the explicit proxy. Depending on the blocking mode configured for a given file type, the sensor applies different strategies to block the transfer of known malicious files. If a file transfer was blocked by the appliance, this is reported in the UI with the tag "blocking attempted".

This feature was tracked internally as FEAT-2157.

ICAP/explicit proxy branding configuration

It is now possible to customize the blocking behavior of the sensor when operating in ICAP or explicit proxy mode. The following customizations are possible:

  • Modify the message reported to the user when an HTTP transfer was blocked by Lastline for security reasons.
  • Remove the Lastline logo from the blocking pages.
  • Remove Lastline-specific details from the blocking pages: if a URI is blocked by Lastline, additional information is included in the page such as the internal UUID of the analysis that led to the blocking decision. This information can now be hidden.
  • Disable X-Lastline-* headers: the sensor normally adds Lastline-specific headers to the transactions it has inspected. These headers are useful for understanding the reason behind a blocking decision and for diagnosing problems. It is now possible to disable the inclusion of these headers in the inspected transactions.

This feature was tracked internally as FEAT-2432.

Increased visibility in Mac OS analysis framework

This release marks the general availability of improved analysis for threats targeting Mac OS. These improvements have been phased in over recent months.

The new system improves deep inspection of any application started in the Lastline Mac OS sandbox, increases visibility into the activities performed, allows more flexible anti-evasion techniques, supports additional file types, and more.

This improvement was tracked internally as

  • FEAT-1161 FEAT-1744: improved visibility into behaviors and anti-evasion techniques,
  • FEAT-1328: improved inspection of Unix syscalls,
  • FEAT-1750: improved analysis of DMG, Mac OS Application bundles, as well as Mac Universal Binaries, and
  • FEAT-1633: more flexible tracking of behaviors and detection of suspicious activities.

Improved file analysis

We have made enhancements to the detection of

  • LLADOC-463 suspicious OLE objects embedded in RTF documents,
  • LLADOC-469 LLAM-3199 malicious DDE commands embedded in Microsoft Office documents,
  • MALS-2407 MALS-2409 document exploits targeting Microsoft Office 2013,

and improved the reliability of

  • LLADOC-467 extracting non-ASCII code snippets from PDF documents.

URL analysis improvements

  • LLWEB-1777 LLAM-3096: improve whitelisting of newly spawned benign processes observed during a URL analysis.

Bug fixes and improvements

  • FEAT-2134: the downloads and manuals pages of the Lastline Portal have been updated. The downloads page now displays ISO downloads that are relevant for a user's available licenses.
  • CC-2104: fix timeout when running lastline_register for customers with an extremely high number of licenses.
  • LLUPL-545: fix issue where report generation could leave files in /tmp.
  • FEAT-2293: the mail tab of the UI now consistently supports filtering by minimum impact/score.
  • USER-2598: fix issue where the appliance upgrade dialog would suggest enabling auto-update even though it was already on.
  • LLMAIL-365: in-line email analysis now supports routing of emails to different next hop servers based on destination domain.
  • CC-1670: lastline_test_appliance no longer reports a false positive error about the CPU.
  • CC-2104: improve filtering of valid licenses during appliance registration to avoid timeouts.
  • SENT-707: fix race condition in lastline_test_appliance.
  • SENT-696: fix bug in the explicit proxy implementation that could cause failures when handling large chunk-encoded files.
  • SENT-394: fix Silicom support bug on trusty appliances.
  • ENG-2300: fix bug causing the SSH daemon to crash if a monitoring account is set up.

Deprecation of API methods

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 727.1

Deprecation of appliance versions

  • Support for sensor versions before 720 was discontinued with release 7.28.
  • Support for sensor versions before 717 was discontinued with release 7.24.

Distribution Upgrade

Sensor version 727, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
