Version 2018.2
New features
- Show Message-ID header in email details
- Allow users to restrict the IP address from which third-party flow records are accepted
- Permalink for hunter graphs
- Mail API for 3rd Party Integration
- llmail: configure pop3/imap polling interval via web UI
Show Message-ID header in email details
The Portal UI now shows the Message-ID header in the email listing.
This change was tracked internally as USER-2145
Allow users to restrict the IP address from which third-party flow records are accepted
Users can now specify and restrict the IP addresses from which third-party flow data is accepted by the sensor collector.
This change was tracked internally as FEAT-3091
Permalink for hunter graphs
It is now possible to generate a permalink for a Network Analysis graph. A permalink is a permanent link that references a particular Network Analysis graph. The permalink can be shared with other users of the portal so that they can view and work with the corresponding graph.
This change was tracked internally as FEAT-2755
Mail API for 3rd Party Integration
This release introduces a new API method, push_mail, which can be used to submit metadata for mail messages that were analyzed using the Lastline Analyst API. This information is then processed and appears in the Lastline Portal just like mail messages analyzed by a Lastline mail sensor.
More information and a sample API client can be found in the API documentation.
This change was tracked internally as FEAT-2707
llmail: configure pop3/imap polling interval via web UI
In POP3/IMAP mode, an administrator can now configure the POP3/IMAP polling interval for email analysis from the portal UI.
This change was tracked internally as FEAT-1797
Detection Improvements
- ANREV-4525, SIGREPSCAN-456: Better detection for building MSBuild projects from Microsoft Office.
- ANREV-4616, SIGREPSCAN-478, SIGREPSCAN-475, SIGREPSCAN-476: More robust classification of system file mappings.
- ANREV-4684, ANREV-4696, SIGREPSCAN-486: More robust classification of Winlogon modifications.
- LLADOC-572: More aggressive classification of Microsoft Office documents containing references to external resources.
- LLAM-3466: Better detection of websites dropping HTA files.
- LLAM-3547: More aggressive classification of failed iframe requests pointing to files.
- SIGLOGSCAN-238: Improved detection of point-of-sale device memory scanning.
- SIGLOGSCAN-254: Improved detection of Demiguise malware.
- SIGLOGSCAN-263: Improved detection of autostart registration via Windows Group Policy Objects.
- SIGLOGSCAN-269: More aggressive classification of code stalling via IcmpSendEcho.
- SIGLOGSCAN-270, SIGLOGSCAN-280: More robust detection of code module enumeration.
- SIGLOGSCAN-275: Improved detection of OSX/LoseLose malware.
- SIGLOGSCAN-277: Improved detection of b374k shells.
- SIGLOGSCAN-278: Improved detection of malware with the ability to change access rights for Windows system objects.
- SIGLOGSCAN-279: Improved detection of shellcode determining EIP via FPU registers.
- SIGLOGSCAN-281: Improved detection of malware with the ability to download files.
- SIGLOGSCAN-282: Improved detection of malware with the ability to simulate mouse events.
- SIGLOGSCAN-284: Improved detection of malware checking Windows Firewall settings.
- SIGLOGSCAN-286: Improved handling of evasions based on the presence of well-known video capture drivers.
- SIGREPSCAN-363: More robust detection of dropping unsigned drivers in Microsoft Windows.
- SIGREPSCAN-388: Improved detection of malware persistence via Microsoft Office add-on libraries.
- SIGREPSCAN-447: Better detection of evasions via machine serial numbers.
- SIGREPSCAN-448, SIGREPSCAN-449: Better detection of evasions via network information collected on macOS.
- SIGREPSCAN-450: Better detection of evasions using log-on information of the current user.
- SIGREPSCAN-452: Better detection of evasions via network information collected via scutil.
- SIGREPSCAN-459: More robust detection of password brute forcing.
- SIGREPSCAN-461: Better detection of files downloaded via certutil utility.
- SIGREPSCAN-467: Improved detection of WMI-based Windows Event Log queries.
- SIGREPSCAN-470, SIGREPSCAN-471: Improved detection of OSX/Proton malware.
- SIGREPSCAN-473: Improved handling of evasions based on the presence of macOS security products.
- SIGREPSCAN-474: Improved detection of process termination ability.
- SIGREPSCAN-477: Improved detection of malware files pretending to be Microsoft Office documents.
- SIGREPSCAN-479: Improved detection of retrieving CPU temperature via WMI.
- SIGREPSCAN-481: More robust detection of ransomware.
Bug Fixes and Improvements
- MALS-2606: Improve documentation of Analyst API method "get_analysis_tags".
- MALS-2591: Better detection of exploits launched from infected websites.
- MALS-2363: Expose server UTC timestamp in submission calls to Analyst API.
- LLMAIL-441: Fix for an issue that would cause llmail to generate an unusual number of segfaults. The segfaults were associated with parsing subprocesses that were designed to fail in case of excessive memory utilization, so they had no impact on product functionality. This fix minimizes the occurrence of such segfaults.
- LLMAIL-436: Fix for a race condition that could cause an MTA sensor to never recover from downtime of the downstream server.
- LLAM-3613: Better analysis of websites hosting exploits and using TLS1.1/TLS1.2.
- FEAT-2962: Improve handling of sinkhole detections in postprocessing. When communication with a sinkholed IP address is detected, make sure that "sinkhole" is selected as the detected threat unless there is additional evidence pointing to specific malware types.
- FEAT-2867: The Network IoCs tab shown after a search in the Intelligence portal now includes an additional 'age' reputation tag for domains. This tag helps the user quickly distinguish recently registered domains from older ones, older domains being less likely to be harmful.
- FEAT-2844: X-Lastline headers in processed email messages can now be disabled from the portal UI, so that customers' internal infrastructure is not exposed to external or internal recipients.
- FEAT-2824: Fix to the popup help text for the HOME_NET configuration so that it specifies the logical subnet mask.
- FEAT-2597: The analysis report overview for a file that was analyzed by Lastline now includes a link to search for that specific file being detected in the protected network.
Deprecation of API methods
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1001
Deprecation of appliance versions
Since release 7.28, sensor versions before 720 are no longer compatible with Lastline backend.
Since release 7.24, sensor versions before 717 are no longer compatible with Lastline backend.
Distribution Upgrade
Sensor version 1001, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor version, sensors that are still on Ubuntu Precise need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.