Lastline Defender and Analyst Hosted Release Notes

Version 2018.4

New features

  • Disable SHA-1 for SSH daemon appliances

Disable SHA-1 for SSH daemon appliances

This feature disables the SHA-1 family of hashing algorithms for the SSH daemon on Lastline appliances. It ensures that SSH communications to the appliances use more secure hashing algorithms such as SHA-2 or SHA-3.

This change was tracked internally as FEAT-2759.
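As an added example (not Lastline's own code), the following Python check parses an OpenSSH-style sshd_config, assumed here to be what the appliance SSH daemon uses, and reports any SHA-1 based MACs or key-exchange methods it would still offer; both sample configurations are constructed.

```python
# Added example (not Lastline code): audit an OpenSSH sshd_config for SHA-1
# MACs and key-exchange methods. Assumes the appliance daemon is OpenSSH.
import re

# OpenSSH algorithm names whose hash component is SHA-1.
SHA1_MACS = {"hmac-sha1", "hmac-sha1-96",
             "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"}
SHA1_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

def first_directive(text, keyword):
    """Value of the first occurrence of `keyword` (sshd honours the first
    occurrence and ignores later ones), or None if unset."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z]+)\s*=?\s*(\S.*)", line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return None

def sha1_members(value, sha1_names):
    """SHA-1 algorithms explicitly enabled by a comma-separated list.
    '-' removes from the defaults (enables nothing); '+'/'^' append/prepend."""
    if value is None or value.startswith("-"):
        return []
    return sorted(n for n in value.lstrip("+^").split(",") if n in sha1_names)

def audit_sshd_config(text):
    """Findings: explicit SHA-1 entries, plus whether each directive still
    relies on built-in defaults (absent, or '+', '-', '^' modifier), which for
    OpenSSH releases current in 2018 include SHA-1 members."""
    macs = first_directive(text, "MACs")
    kex = first_directive(text, "KexAlgorithms")
    return {"macs_sha1": sha1_members(macs, SHA1_MACS),
            "kex_sha1": sha1_members(kex, SHA1_KEX),
            "macs_default": macs is None or macs[0] in "+-^",
            "kex_default": kex is None or kex[0] in "+-^"}

def sha1_free(text):
    """True only when both lists are explicit and contain no SHA-1 algorithm."""
    f = audit_sshd_config(text)
    return not any(f.values())

# Constructed sample configurations: one permissive, one hardened.
WEAK = """Port 22
MACs hmac-sha2-256,hmac-sha1,umac-64@openssh.com
KexAlgorithms +diffie-hellman-group14-sha1
"""
HARDENED = """MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
"""
```

Running `audit_sshd_config` on the text of `sshd -T` (the effective configuration) rather than the raw file avoids the "defaults still in play" ambiguity, since that output lists every negotiated algorithm explicitly.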

Detection Improvements

  • SENT-949: Fixes to the sensor capability to extract and inspect XZ archives off the wire and in ICAP/explicit proxy mode.

Bug Fixes and Improvements

  • USER-2903: When viewing the details of a host in the Hosts page of the Lastline Portal, additional information about the host is now shown when available, such as the operating system and the applications we have detected running on that host.
  • USER-2902: The Hosts page of the Lastline Portal now displays malware and malware class information for each host.
  • USER-2834: Improved user interaction with some popovers, which can now be closed by clicking anywhere outside the popover.
  • SURI-717: Fix for a sensor issue that could prevent files from being correctly extracted out of SMB2 interactions.
  • SQUID-23: Prevent the explicit proxy from performing SSL inspection on benign SSL locations that are known to be disrupted by it. For instance, several applications and operating system components perform certificate pinning and do not operate correctly when SSL inspection is performed. Additional locations can always be added to the sensor by editing /etc/lastline/customer_whitelist_domains_ssl_noinspection.txt.
  • SENT-947: Fix to a rare race condition in the sensor threat intelligence daemon where the expiration of an entry could cause unexpected crashes.
  • SENT-946: Allow components to recover from issues related to access to threat intelligence information.
  • PLTF-174: Active Directory integration improvement: limit WMI queries to remove unnecessary load (and timeouts) when there are no recent login events to retrieve.
  • MALS-2652: More robust identification of script analysis subject type in Lastline application bundles.
  • LLFILE-415: More robust handling of non-ASCII characters used as filenames in archives.
  • FEAT-3197: Support for Windows Server 2016 domain controller in Lastline Active Directory integration.
  • FEAT-3193: The Network IoCs tab after a search in the Intelligence portal (https://user.lastline.com/portal#/intelligence) now includes additional network ownership information for known ranges of IP addresses. The portal also provides two new types of suspicious tags for IPs and domains: one tag for privacy services used during registration, one tag for bulletproof/offshore/anonymous hosting. These tags help the user in their investigation and triage of suspicious IP ranges/domains. This reputation data is also made available in events pages through the Intelligence integration.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also includes methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1012

Deprecation of appliance versions

Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.

Since release 7.24, sensor versions before 717 are no longer compatible with the Lastline backend.

Distribution Upgrade

Sensor version 1012, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
