Lastline Defender and Analyst Hosted Release Notes

Version 2018.5

New features

  • Support ICAPS
  • Support for filtering by intrusion/not in an intrusion in hosts and incidents listing
  • Search by analysis tags integration
  • Ability to permanently delete decommissioned appliances from overview in UI
  • Improve filtering of URLs using threat intelligence cache

Support ICAPS

This feature enables you to inspect artifacts sent from a web proxy using Secure ICAP, also known as SICAP or ICAPS. A new toggle button in the appliance configuration UI, when enabled, starts the Secure ICAP server listening on TCP port 11344.

This change was tracked internally as SENT-956.
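Once the toggle is enabled, an administrator will want to confirm that the listener on TCP port 11344 actually answers over TLS. The following is an added example, not code from Lastline or from this release: a small probe that sends an RFC 3507 ICAP OPTIONS request over a verified TLS connection and parses the status line and headers of the reply. The service name, the probe's User-Agent string, the CA file and the host are assumptions to be replaced with your own values; the sample response at the bottom is constructed so the parser can be exercised offline.

```python
import socket
import ssl

SECURE_ICAP_PORT = 11344  # port named in the release note


def build_options_request(host: str, service: str) -> bytes:
    """Build an RFC 3507 OPTIONS request for the given ICAP service path.

    The service name is an assumption; use the one exposed by your appliance.
    """
    lines = [
        f"OPTIONS icap://{host}/{service} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: sicap-probe/0.1",   # hypothetical probe name
        "Encapsulated: null-body=0",     # OPTIONS carries no body
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_icap_response(raw: bytes):
    """Return (status_code, headers) from the head of an ICAP response.

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    code = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def probe_secure_icap(host: str, service: str, port: int = SECURE_ICAP_PORT,
                      cafile: str = None, timeout: float = 5.0):
    """Connect with TLS, send OPTIONS, and return the parsed reply.

    Certificate verification is left on deliberately: pass the CA that signed
    the appliance certificate via `cafile` rather than disabling checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_options_request(host, service))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break  # headers complete; OPTIONS has no body to read
    return parse_icap_response(b"".join(chunks))


# Constructed sample reply, shaped like a successful OPTIONS response,
# so the parser can be checked without a live appliance.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: example-icap-server/1.0\r\n"
    b"ISTag: \"example-tag\"\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    code, headers = parse_icap_response(SAMPLE_RESPONSE)
    print(code, headers.get("methods"))
    # Live check (hostname, service and CA file are placeholders):
    # print(probe_secure_icap("sensor.example.internal", "reqmod", cafile="appliance-ca.pem"))
```

A 200 reply whose Methods header lists the expected modes confirms that the port is open, that the TLS handshake succeeds against the supplied CA, and that an ICAP service is answering behind it; a handshake failure or a non-ICAP status line points at the toggle, the certificate, or a proxy pointed at the plain-ICAP port instead.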

Support for filtering by intrusion/not in an intrusion in hosts and incidents listing

The incidents console and infected hosts pages now support an additional filter for selecting detections that are part of specific intrusions, or detections that are not part of any intrusion.

Filtering out detections that are part of an intrusion can allow an analyst to view "what else was detected" after completing triage of detected intrusions.

Furthermore, if an incident is part of an intrusion, the incident details page now includes a link to the intrusion details page for that intrusion.

This change was tracked internally as FEAT-3281.

Search by analysis tags integration

The analysis report overview page now includes contextual direct search buttons to the Intelligence portal for analysis tags such as antivirus class, antivirus family, and detected behaviors, as well as for file hashes (MD5, SHA1, and SHA256).

This change was tracked internally as FEAT-2788.

Ability to permanently delete decommissioned appliances from overview in UI

This feature enables you to remove decommissioned appliances from the appliance overview tab in the UI. The appliances will be removed from the Show Offline Appliances list as well.

This change was tracked internally as FEAT-1821.

Improve filtering of URLs using threat intelligence cache

This feature uses the Lastline Threat Intelligence cache to improve URL filtering: if a URL is hosted on a low-reputation domain, the URL is submitted for analysis.

This change was tracked internally as FEAT-412.

Detection Improvements

  • ANREV-4803: Improved detection of InstallCore PUA.
  • FEAT-3147: Improved extraction, analysis, and detection of ContentSetting-ms files.
  • LLADOC-585: Improved detection of Equation Editor COM objects.
  • LLADOC-596: More robust classification of suspicious, but disabled, macro code in Microsoft Office documents.
  • LLADOC-600 LLADOC-601 LLADOC-621 LLADOC-624 LLADOC-626: More robust parsing of data streams in Microsoft Office documents.
  • LLADOC-611: Improved detection of script code with the capability to communicate using web-services.
  • LLADOC-614: Improved extraction of orphan streams in Microsoft Office OLE streams.
  • LLADOC-622: More robust classification of Microsoft Office documents accessing remote OLE resources.
  • LLAM-3849: More robust classification of wscript interacting with adodb.stream objects.
  • MALS-2667 LLADOC-607 LLADOC-608 LLADOC-609: Improved detection for malformed archives.
  • SIGLOGSCAN-289: More robust classification of kernel-to-user code injection.
  • SIGLOGSCAN-290: Improved detection of shellcode/packer code.
  • SIGLOGSCAN-291: Improved detection of the "Zip Slip" vulnerability.
  • SIGLOGSCAN-294: Improved detection of malware checking for presence of macOS AVs.
  • SIGLOGSCAN-298: Improved detection of malware with the ability to change parent process attributes.
  • SIGLOGSCAN-307: Improved detection of code evading code emulation via the GetSystemMetrics API.
  • SIGLOGSCAN-312: Improved detection of Mimikatz tools.
  • SIGLOGSCAN-313: Improved detection of accessing CPU information via the Microsoft Windows Registry.
  • SIGLOGSCAN-314: Improved detection of code checking for the presence of a hypervisor.
  • SIGLOGSCAN-315: Improved detection of self-modifying code.
  • SIGREPSCAN-421 SIGREPSCAN-493 SIGREPSCAN-515: More robust detection of code failing to communicate with a remote server.
  • SIGREPSCAN-425: More robust detection of memory hollowing.
  • SIGREPSCAN-484: Improved detection of code using the Bitcoin network infrastructure.
  • SIGREPSCAN-499: Improved detection of code disabling the Microsoft Windows Control Panel.
  • SIGREPSCAN-500: Improved detection of sandbox fingerprinting via VMware DLLs.
  • SIGREPSCAN-501 SIGREPSCAN-503 SIGREPSCAN-505 SIGREPSCAN-264: Improved detection of hardware fingerprinting via WMI.
  • SIGREPSCAN-504: More robust detection of ransomware.
  • SIGREPSCAN-506: Improved detection of VMProtect packers.
  • SIGREPSCAN-508: Improved detection of exploits using ASLR bypass.
  • SIGREPSCAN-509: More robust classification of communication with private IP addresses.
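The SIGLOGSCAN-291 item above concerns "Zip Slip", where an archive entry name such as `../../outside.txt` makes a naive extractor write outside its target directory. The following is an added example, not Lastline's detection logic: it lists the entries of a ZIP archive that would escape the extraction root and shows a guarded extractor that refuses them. The archive is constructed in memory with one benign and two traversal entries; the file names in it are made up for the demonstration.

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True when an archive entry name would resolve outside the extraction root.

    Flags absolute paths, Windows drive letters, and any normalized path that
    starts with '..', which is the shape a Zip Slip entry takes.
    """
    normalized = name.replace("\\", "/")  # archives built on Windows use '\\'
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    collapsed = posixpath.normpath(normalized)
    return collapsed == ".." or collapsed.startswith("../")


def find_zip_slip_entries(archive_bytes: bytes) -> list:
    """Return the names of entries that would write outside the target dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_unsafe_member(info.filename)]


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract only entries whose resolved path stays under dest_dir.

    The realpath/commonpath check is the mitigation: it does not trust the
    entry name and instead compares the final on-disk location.
    """
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                continue  # would escape the root: skip, and log in real use
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        zf.writestr("../../outside.txt", "escapes the extraction root")
        zf.writestr("a/../../b.txt", "escapes after normalization")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("flagged:", find_zip_slip_entries(sample))
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("extracted:", safe_extract(sample, tmp))
```

Listing flagged entries before extraction is the cheap triage step; the realpath comparison in `safe_extract` is what actually prevents the write, and it also covers entries that only escape after `..` components are collapsed, such as the third sample entry.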

Bug Fixes and Improvements

  • USER-2972: Fixed a bug that showed variable names on the URL Analysis page instead of the URLs.
  • USER-2924: Fixed a bug that showed Analyst customers links to global search on the analysis overview page that led to 404 pages.
  • SURI-718: Fixed a bug that reported timestamps incorrectly when the sensor time zone is not UTC.
  • MALS-2651: More robust handling of invalid Lastline application bundles.
  • MALS-2479: More robust handling of invalid Lastline application bundles using non-ASCII filenames.
  • LLFILE-422: More robust detection of Microsoft HTA files.
  • LLFILE-296: More robust detection of Microsoft Batch scripts.
  • FEAT-3267: Include the extended version of the "analyze_files" utility (formerly "analyze_binaries") in the Analyst API documentation. The new version contains various improvements in selecting which files to submit for analysis, as well as improved error handling.
  • FEAT-3049: It is now possible to configure a mail sensor to fail open when message analysis runs into problems. By default, a mail sensor affected by analysis issues starts rejecting incoming emails; it can now be instructed to forward the messages unmodified to the next hop instead.
  • FEAT-2979: Fixed a bug that truncated output in the PDF report as compared to the content in the UI.
  • FEAT-2918: Include a Content Security Policy HTTP header in responses from the Lastline portal.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also covers the legacy API methods, with information on how to replace them with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1020

Deprecation of appliance versions

Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.

Since release 7.24, sensor versions before 717 are no longer compatible with the Lastline backend.

Distribution Upgrade

Sensor version 1020, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
