Lastline Defender and Analyst Hosted Release Notes

Version 2018.6

New features

  • Widget to display new network detections in dashboard
  • Lifecycle management of mails

Widget to display new network detections in dashboard

The Lastline Portal dashboards now support a new widget for displaying the top new detections in your network. This can help you spot new threats in your network that may need to be prioritized for further investigation. These threats might otherwise have been hidden among other, less interesting detections.

This widget will display the top detections by impact that were seen for the first time ever during the selected interval. A detection is treated as new if it is the first time a specific network IoC or detection logic was triggered in a specific network.

For each new detection, the widget provides a link to a reference network event that provides a sample instance of the detection.

The newly introduced widget is displayed in the built-in Overview dashboard and is also available for use in custom, user-defined dashboards.
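As an added illustration (not Lastline's own code), the following shows how the "new detection" rule described above can be evaluated over a stream of network events: a (network, detection) pair counts as new only if its earliest occurrence in the whole history falls inside the selected interval, it is ranked by the highest impact it reached in that interval, and its earliest event serves as the reference event. The event fields and sample data are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NetworkEvent:
    """One network detection event. Field names are assumptions for this
    example, not the Lastline Portal data model."""
    event_id: str
    network: str      # the network (customer/site) in which the event was seen
    detection: str    # network IoC or detection-logic identifier that triggered
    impact: int       # impact score assigned to the event
    seen_at: datetime


def top_new_detections(events, start, end, limit=5):
    """Top detections by impact that were seen for the first time ever in
    [start, end), per network. A pair that already fired before `start` is
    not new, even if it fires again inside the interval."""
    first_seen = {}   # (network, detection) -> earliest event ever
    for ev in sorted(events, key=lambda e: e.seen_at):
        first_seen.setdefault((ev.network, ev.detection), ev)

    rows = []
    for key, ref in first_seen.items():
        if not (start <= ref.seen_at < end):
            continue
        # Rank by the highest impact any instance reached inside the interval.
        peak = max(e.impact for e in events
                   if (e.network, e.detection) == key and start <= e.seen_at < end)
        rows.append({"network": key[0], "detection": key[1],
                     "impact": peak, "reference_event": ref.event_id})
    rows.sort(key=lambda r: (-r["impact"], r["network"], r["detection"]))
    return rows[:limit]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    NetworkEvent("e1", "net-a", "ioc:bad.example", 80, datetime(2018, 5, 20)),
    NetworkEvent("e2", "net-a", "ioc:bad.example", 85, datetime(2018, 6, 4)),   # not new: seen in May
    NetworkEvent("e3", "net-a", "logic:dga-dns", 70, datetime(2018, 6, 3)),
    NetworkEvent("e4", "net-b", "ioc:bad.example", 90, datetime(2018, 6, 5)),   # new for net-b
    NetworkEvent("e5", "net-a", "logic:beaconing", 40, datetime(2018, 6, 10)),
    NetworkEvent("e6", "net-a", "logic:beaconing", 55, datetime(2018, 6, 12)),
    NetworkEvent("e7", "net-b", "logic:dga-dns", 95, datetime(2018, 6, 20)),    # outside interval
]


def sample_report():
    """Run the widget logic over the constructed sample for 1-15 June 2018."""
    return top_new_detections(SAMPLE_EVENTS, datetime(2018, 6, 1), datetime(2018, 6, 15))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```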

This change was tracked internally as FEAT-3285.

Lifecycle management of mails

The Lastline Portal Mail Messages view now supports lifecycle management of emails. You can view and modify:

  • the state of an email. Emails start in the "open" state, and can be moved to "in progress" and "done".
  • the assignee of an email. Emails start unassigned and can be assigned to an individual user account. For this, the assignee account needs to have the permission "Can be workflow assignee".

Managing the state and assignee of emails can be done on individual emails, or in bulk by using the multi-select functionality that has been added to the mail messages table to select the set of rows to update.

This change was tracked internally as FEAT-3195.

Detection Improvements

  • LLMAIL-452: Deeper inspection of unreadable archives.
  • LLADOC-581: Improved detection of suspicious XSL scripts.
  • LLADOC-633: Improved detection of very large XML files embedded in Microsoft Office documents.
  • LLAM-3080, LLAM-3806: Improved interception of stalling code in user and kernel space.
  • LLAM-3803: Improved hooking of direct system call invocations.
  • LLAM-3942: Improved extraction and patching of WMI APIs on latest Windows 10 versions.
  • SIGLOGSCAN-143: Improved detection of anomalous interactions with critical system processes.
  • SIGLOGSCAN-175, SIGLOGSCAN-176: Improved detection of malware checking user privileges.
  • SIGLOGSCAN-179: Improved detection of InviZzzible evasion tools.
  • SIGLOGSCAN-191: Improved detection of Fuzzbunch payloads.
  • SIGLOGSCAN-194: Improved detection of Sougu PUA.
  • SIGLOGSCAN-215: Improved detection of malware retrieving hardware information.
  • SIGLOGSCAN-238: Improved detection of anomalous reading of foreign process memory.
  • SIGLOGSCAN-318: Improved detection of ASProtect.
  • SIGLOGSCAN-320: Improved detection of Windows task scheduler LPE vulnerability.
  • SIGLOGSCAN-321, SIGLOGSCAN-322: Improved detection of browser credential theft (and added support for the Flock browser).
  • SIGREPSCAN-138, SIGREPSCAN-502, SIGREPSCAN-512, SIGREPSCAN-522, SIGREPSCAN-523, SIGREPSCAN-524, SIGREPSCAN-525, SIGREPSCAN-526, SIGREPSCAN-527, SIGREPSCAN-528, SIGREPSCAN-529, SIGREPSCAN-532, SIGREPSCAN-533, SIGREPSCAN-536, SIGREPSCAN-537: Better hooking of WMI queries.
  • SIGREPSCAN-177, SIGREPSCAN-178: More aggressive detection of evasions abusing Zone.Identifier information.
  • SIGREPSCAN-213: Better detection of logoff activity.
  • SIGREPSCAN-246: Improved detection of file decoding using system binaries (for example, certutil).
  • SIGREPSCAN-284: More aggressive detection of anomalous use of HTA script code.
  • SIGREPSCAN-308, SIGREPSCAN-225: Improved detection of attempted Microsoft Windows UAC bypassing.
  • SIGREPSCAN-356: Clarified description of driver-loading activities.
  • SIGREPSCAN-361, SIGREPSCAN-421: More robust classification of anomalous connections to IPs without prior DNS query.
  • SIGREPSCAN-391, SIGREPSCAN-507: More aggressive detection of anomalous invocations of script code from Microsoft Office.
  • SIGREPSCAN-488: Improved detection of anomalous use of system utilities.
  • SIGREPSCAN-495: Improved detection of macOS migration tool bypass.
  • SIGREPSCAN-511: Improved extraction of activities using relative paths.
  • SIGREPSCAN-513: Improved detection of hijacking of Microsoft Outlook COM objects.
  • SIGREPSCAN-518: More robust detection of suspicious modification of system files.
  • SIGREPSCAN-538, SIGREPSCAN-534: More aggressive detection of exploits using ASLR bypass.
  • FEAT-3250: Improved dynamic analysis and detection of ContentSetting-ms files.
  • FEAT-3236: This feature enables Network Defender to raise an alert when a managed device receives anomalous error responses to HTTP requests.
  • FEAT-3045: This feature raises an alert if a managed device accesses a newly registered domain.
  • FEAT-3044: This feature raises an alert when a managed device displays beaconing behavior (i.e., it contacts a malicious service at regular intervals).
  • FEAT-3043: This feature raises an alert when a managed device issues DNS requests that could be caused by malware using DGA techniques.

Bug Fixes and Improvements

  • USER-2990: Fixed a bug that removed the "Allow network traffic" option from the UI. It now appears in the Analyst tab.
  • USER-2914: Added quick search and sort functionality for intrusions in the timeline of the "Intrusion details" view.
  • SQUID-26: The explicit proxy component by default now strips the content of X-Forwarded-For headers before sending requests to the next hop. This default behavior is customizable by means of a sensor override.
  • SENT-991: Significant performance improvements to explicit proxy HTTP and HTTPS handling. ICAP integration with external proxies should also benefit from some of these improvements.
  • SENT-986: Sensor architectural change to better prioritize service requests on heavily loaded sensors.
  • SENT-982: Fixed a bug that caused sensors to create a large number of temporary directories in /tmp/llfile and /tmp/llmail.
  • SENT-980: Whenever a whitelist entry is added to the sensor (/etc/lastline/customer_*), re-applying the configuration via lastline_apply_config now restarts the appropriate services to apply the change.
  • MALS-2696: More robust inflation of archives containing unknown filename encodings.
  • MALS-2687: Fixed a bug that misinterpreted filenames containing domains as Microsoft COM executables.
  • MALS-2670: More robust inflation of archives that contain large files when submitted to the analysis system.
  • LLMAIL-468: Fixed a bug in the llmail communication logic where the Sensor would not recover correctly from communication problems with the Manager.
  • LLMAIL-466: Fixed a bug that could cause a mail message to get stuck in the processing pipeline if unexpected serialization issues occurred.
  • LLMAIL-462: Fixed a bug parsing emails containing an empty base tag in their SGML content.
  • LLFILE-424: More robust inflation of archives containing very large files.
  • LLFILE-419: More robust content-based file-type detection of Mach-O files.
  • FEAT-3248: The Network Analysis tab in the UI now exports and displays the HTTP request and response headers for each webrequest record.
  • FEAT-3050: Improved integration with ICAP clients that do not declare support for ICAP preview (such as Ipswitch DLPs).

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also covers the legacy API methods and how to replace them with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1030

Deprecation of appliance versions

Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.

Since release 7.24, sensor versions before 717 are no longer compatible with the Lastline backend.

Distribution Upgrade

Sensor version 1030, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
