Version 2018.8
New Features
- IGB driver now defaults to using AF_PACKET
- Monitor mail end-to-end processing delay
- Support collecting DHCP logs
- Sniffing support for GRE encapsulation
- Support ICAP Blocking on sniffing events
IGB DRIVER NOW DEFAULTS TO USING AF_PACKET
AF_PACKET is now officially supported on Intel NICs that use the igb driver (such as the Intel I350). New sensor installs on appliances with such a card will default to AF_PACKET as the packet acquisition strategy.
This change was tracked internally as FEAT-3465
MONITOR MAIL END-TO-END PROCESSING DELAY
The sensor now monitors the overall processing time of each mail message passing through the mail analysis pipeline. If an unforeseen circumstance causes a message to spend an unusually long time in the pipeline, the Email Analysis Service enters a warning state and, if the appliance is in MTA mode, the message fails open (it is delivered rather than held). This default behavior can be customized.
This change was tracked internally as FEAT-3431
SUPPORT COLLECTING DHCP LOGS
Portal users can now configure their sensors to ingest DHCP logs from Windows Domain Controllers. The DHCP logs produced on Windows servers can then be collected and used in the rest of the product, for example to improve the identification of the devices affected by security events.
This change was tracked internally as FEAT-3396
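The following is an added example, not Lastline code, of the correlation such DHCP log ingestion makes possible: it parses the comma-separated audit log written by the Windows DHCP Server role (DhcpSrvLog-*.log), replays the lease events for an IP address, and resolves which host and MAC held that IP at the time an alert fired. The sample log lines, hostnames, MAC addresses and timestamps are constructed; the event IDs (10 new lease, 11 renew, 12 release, 16 deleted, 17 expired) are those documented for the Windows DHCP audit log.

```python
"""Correlate Windows DHCP server audit-log events with a security event.

Added example, not Lastline code: parses the comma-separated
DhcpSrvLog-*.log format written by the Windows DHCP Server role, builds a
per-IP lease timeline and resolves which host/MAC held an IP when an
alert fired. Hostnames, MACs and timestamps below are constructed.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Event IDs of the Windows DHCP audit log that start or end a lease.
ASSIGN_EVENTS = {10, 11}        # 10 = new lease, 11 = renew
RELEASE_EVENTS = {12, 16, 17}   # 12 = release, 16 = deleted, 17 = expired
TS_FORMAT = "%m/%d/%y %H:%M:%S"  # date and time columns as the server writes them

# Constructed sample log. Real files carry a longer explanatory preamble
# before the CSV header line; columns after MAC Address are left empty here.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
00,08/07/18,00:00:01,Started,,,,,0,6,,,,,,,,,0
10,08/07/18,08:15:22,Assign,10.1.2.50,alice-laptop.corp.example,001122334455,,1234,0,,,,,,,,,0
12,08/07/18,12:30:05,Release,10.1.2.50,alice-laptop.corp.example,001122334455,,1235,0,,,,,,,,,0
10,08/07/18,12:45:41,Assign,10.1.2.50,bob-desktop.corp.example,66778899AABB,,1236,0,,,,,,,,,0
11,08/07/18,16:45:41,Renew,10.1.2.50,bob-desktop.corp.example,66778899AABB,,1237,0,,,,,,,,,0
10,08/07/18,17:02:10,Assign,10.1.2.77,alice-laptop.corp.example,001122334455,,1238,0,,,,,,,,,0
"""


@dataclass(frozen=True)
class LeaseEvent:
    when: datetime
    event_id: int
    ip: str
    host: str
    mac: str


def parse_ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", TS_FORMAT)


def parse_dhcp_log(text: str) -> List[LeaseEvent]:
    """Return lease start/end events sorted by time; other records are skipped."""
    events: List[LeaseEvent] = []
    in_records = False
    for line in text.splitlines():
        if not in_records:
            in_records = line.startswith("ID,")  # CSV header line ends the preamble
            continue
        row = next(csv.reader([line]), [])
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # blank or malformed line
        event_id = int(row[0])
        if event_id not in ASSIGN_EVENTS | RELEASE_EVENTS:
            continue  # service start/stop, audit markers, NAKs, conflicts
        events.append(LeaseEvent(parse_ts(row[1], row[2]), event_id, row[4].strip(),
                                 row[5].strip().lower(), row[6].strip().upper()))
    events.sort(key=lambda e: e.when)
    return events


def device_for_ip(events: List[LeaseEvent], ip: str,
                  at: datetime) -> Optional[Tuple[str, str]]:
    """(host, mac) holding `ip` at time `at`, or None if no lease was active.

    Replays the timeline up to `at`, so an IP handed to another device after
    the alert is not blamed for it, and a released IP resolves to nobody.
    """
    holder: Optional[Tuple[str, str]] = None
    for e in events:
        if e.when > at:
            break            # events are sorted, nothing later matters
        if e.ip != ip:
            continue
        holder = (e.host, e.mac) if e.event_id in ASSIGN_EVENTS else None
    return holder


def ips_for_mac(events: List[LeaseEvent], mac: str) -> Set[str]:
    """Every IP the device ever leased, to pivot from a device back to events."""
    mac = mac.replace(":", "").replace("-", "").upper()
    return {e.ip for e in events if e.mac == mac and e.event_id in ASSIGN_EVENTS}


if __name__ == "__main__":
    timeline = parse_dhcp_log(SAMPLE_LOG)
    alert_at = parse_ts("08/07/18", "12:50:00")
    print(device_for_ip(timeline, "10.1.2.50", alert_at))   # bob-desktop, not alice
    print(ips_for_mac(timeline, "00:11:22:33:44:55"))
```

The point of replaying the timeline rather than taking the latest lease is the middle of the sample: 10.1.2.50 is released by one laptop and handed to another desktop fifteen minutes later, so an alert on that IP at 12:50 must not be attributed to the first device.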
SNIFFING SUPPORT FOR GRE ENCAPSULATION
The sensor now supports sniffing of traffic encapsulated with the GRE protocol. This enables additional detection features in IaaS traffic analysis.
This change was tracked internally as FEAT-3393
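What "sniffing GRE-encapsulated traffic" requires of a sensor is shown by the added example below; it is not Lastline code. It parses the outer IPv4 header, strips a GRE header whose length depends on the C, K and S flags (RFC 2784/2890), verifies the optional checksum, and returns the inner IPv4 5-tuple that detection logic would actually inspect. PPTP's "enhanced GRE" (version 1, RFC 2637) uses a different layout and is rejected rather than misparsed. The sample packet, its addresses and the tunnel key are constructed.

```python
"""Decapsulate GRE (RFC 2784/2890) so the inner flow can be inspected.

Added example, not Lastline code: parses an outer IPv4 header, strips the
GRE header (whose length depends on the C, K and S flags) and returns the
inner IPv4 5-tuple. The sample packet is constructed. PPTP's enhanced GRE
(version 1, RFC 2637) has a different layout and is rejected.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_GRE = 47
ETH_P_IP = 0x0800
ETH_P_TEB = 0x6558   # Transparent Ethernet Bridging (NVGRE-style payloads)


@dataclass
class GreHeader:
    proto: int
    checksum: Optional[int]
    key: Optional[int]
    seq: Optional[int]
    length: int          # total header length, including optional fields


@dataclass
class InnerFlow:
    outer_src: str
    outer_dst: str
    key: Optional[int]
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_gre(buf: bytes) -> GreHeader:
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x7:
        raise ValueError(f"unsupported GRE version {flags & 0x7}")   # 1 = PPTP
    if flags & 0x4000:
        raise ValueError("RFC 1701 routing present; not supported")
    has_c, has_k, has_s = flags & 0x8000, flags & 0x2000, flags & 0x1000
    length = 4 + (4 if has_c else 0) + (4 if has_k else 0) + (4 if has_s else 0)
    if len(buf) < length:
        raise ValueError("truncated GRE header")
    off, checksum, key, seq = 4, None, None, None
    if has_c:                                # checksum + reserved1
        checksum = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4
    if has_k:                                # key: tunnel / VSID selector
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if has_s:                                # sequence number
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return GreHeader(proto, checksum, key, seq, off)


def parse_ipv4(buf: bytes) -> Tuple[int, str, str, int]:
    """Return (protocol, src, dst, header length)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, proto, src, dst = struct.unpack("!B8xB2x4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), (vihl & 0xF) * 4


def decapsulate(pkt: bytes) -> InnerFlow:
    proto, osrc, odst, ihl = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre_msg = pkt[ihl:]
    gre = parse_gre(gre_msg)
    # With C set, the checksum covers the GRE header and the whole payload.
    if gre.checksum is not None and inet_checksum(gre_msg) != 0:
        raise ValueError("bad GRE checksum")
    if gre.proto != ETH_P_IP:
        raise ValueError(f"inner protocol 0x{gre.proto:04x} not handled")
    inner = gre_msg[gre.length:]
    iproto, isrc, idst, iihl = parse_ipv4(inner)
    sport = dport = None
    if iproto in (6, 17) and len(inner) >= iihl + 4:    # TCP/UDP ports
        sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return InnerFlow(osrc, odst, gre.key, isrc, idst, iproto, sport, dport)


def build_sample_packet() -> bytes:
    """Constructed: 203.0.113.1 -> 203.0.113.2 GRE (C+K, key 42) carrying
    10.0.0.5:44123 -> 198.51.100.7:443 TCP SYN. IP checksums are left zero."""
    def ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                           proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 44123, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = ipv4("10.0.0.5", "198.51.100.7", 6, len(tcp)) + tcp
    gre = struct.pack("!HHHHI", 0xA000, ETH_P_IP, 0, 0, 42)        # checksum placeholder
    gre = struct.pack("!HHHHI", 0xA000, ETH_P_IP, inet_checksum(gre + payload), 0, 42)
    outer = ipv4("203.0.113.1", "203.0.113.2", IPPROTO_GRE, len(gre) + len(payload))
    return outer + gre + payload


if __name__ == "__main__":
    print(decapsulate(build_sample_packet()))
```

Two failure modes matter in practice: a fixed 4-byte skip misreads any tunnel that sets C, K or S (the inner header would be read from inside the key or sequence field), and a version-1 header must not be treated as plain GRE, since its third and fourth words carry a payload length and call ID rather than a key.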
SUPPORT ICAP BLOCKING ON SNIFFING EVENTS
The sensor brings major architectural changes that affect both explicit proxy and ICAP operation. The ICAP service on the sensor now acts on blocking detections triggered by the sniffing component, so a sensor performing both ICAP blocking and sniffing can block URLs associated with sniffing events. When the sensor runs in explicit proxy mode, the traffic flowing through the proxy is now fully inspected for suspicious network interactions, including C&C and drive-by events.
This change was tracked internally as FEAT-1284
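The added example below, which is not Lastline code, shows the mechanism in miniature: a blocklist fed from sniffing events (a drive-by URL and a C&C host) and a minimal ICAP REQMOD handler (RFC 3507) that answers 204 No Content to let a proxied request through unmodified, or 200 OK with an encapsulated HTTP 403 to block it. The ICAP service name icap.example.net, the ISTag value, the block page and the event dictionary shape are assumptions; the REQMOD messages are constructed the way an explicit proxy would send them.

```python
"""Block proxied requests to URLs first seen in passive (sniffing) detections.

Added example, not Lastline code: a minimal ICAP REQMOD handler (RFC 3507)
that keeps a blocklist fed from sniffing events and answers 204 (pass the
request through unmodified) or 200 with an encapsulated HTTP 403. The ICAP
service name, ISTag value and sniffing-event shape are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlsplit

ISTAG = '"sniff-blocklist-1"'   # assumed; must change whenever the blocklist changes
BLOCK_PAGE = (b"<html><body><h1>Blocked</h1>"
              b"<p>This URL matched a network detection.</p></body></html>")


def normalize(url: str) -> str:
    """Canonical form so a sniffed URL and a proxied one compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{netloc}{p.path or '/'}{query}"


@dataclass
class Blocklist:
    urls: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)

    def add_sniffing_event(self, event: Dict[str, str]) -> None:
        """Assumed event shape: {"type": "drive-by" | "c2", "url": ..., "host": ...}."""
        if event.get("url"):
            self.urls.add(normalize(event["url"]))
        if event.get("type") == "c2" and event.get("host"):
            self.hosts.add(event["host"].lower())   # C&C: block the host, not one path

    def is_blocked(self, url: str) -> bool:
        norm = normalize(url)
        return norm in self.urls or (urlsplit(norm).hostname or "") in self.hosts


def _headers(lines: Iterable[str]) -> Dict[str, str]:
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines if ":" in l)}


def parse_reqmod(raw: bytes) -> str:
    """Return the absolute URL of the HTTP request encapsulated in a REQMOD."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "REQMOD":
        raise ValueError(f"unsupported ICAP request line: {lines[0]!r}")
    enc = dict(p.strip().split("=", 1)
               for p in _headers(lines[1:]).get("encapsulated", "").split(",") if "=" in p)
    if "req-hdr" not in enc:
        raise ValueError("REQMOD without an encapsulated request header")
    others = [int(v) for k, v in enc.items() if k != "req-hdr"]
    if not others:
        raise ValueError("Encapsulated header lacks a body offset")
    req_lines = body[int(enc["req-hdr"]):min(others)].decode("latin-1").split("\r\n")
    _method, target, _version = req_lines[0].split(" ", 2)
    if target.lower().startswith(("http://", "https://")):
        return target                         # absolute-form, as proxies see it
    host = _headers(req_lines[1:]).get("host")
    if not host:
        raise ValueError("origin-form request without Host header")
    return f"http://{host}{target}"


def build_response(blocked: bool) -> bytes:
    if not blocked:
        return (b"ICAP/1.0 204 No Content\r\nISTag: " + ISTAG.encode()
                + b"\r\nEncapsulated: null-body=0\r\n\r\n")
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BLOCK_PAGE))
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(BLOCK_PAGE), BLOCK_PAGE)  # ICAP bodies are chunked
    return (b"ICAP/1.0 200 OK\r\nISTag: " + ISTAG.encode()
            + b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
            + http + chunked)


def handle_reqmod(raw: bytes, blocklist: Blocklist) -> Tuple[bool, bytes]:
    blocked = blocklist.is_blocked(parse_reqmod(raw))
    return blocked, build_response(blocked)


def make_reqmod(url: str) -> bytes:
    """Constructed REQMOD as an explicit proxy would send for a GET of `url`."""
    p = urlsplit(url)
    http_req = (f"GET {p.path or '/'}{'?' + p.query if p.query else ''} HTTP/1.1\r\n"
                f"Host: {p.netloc}\r\nUser-Agent: example\r\n\r\n").encode()
    icap = (f"REQMOD icap://icap.example.net/reqmod ICAP/1.0\r\nHost: icap.example.net\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http_req)}\r\n\r\n").encode()
    return icap + http_req


if __name__ == "__main__":
    bl = Blocklist()
    bl.add_sniffing_event({"type": "drive-by", "url": "http://evil.example.com/landing/index.php?id=1"})
    bl.add_sniffing_event({"type": "c2", "host": "c2.example.net"})
    for u in ("http://evil.example.com/landing/index.php?id=1", "http://c2.example.net:8080/beacon",
              "http://evil.example.com/other"):
        print(u, "->", handle_reqmod(make_reqmod(u), bl)[1].split(b"\r\n", 1)[0])
```

Two caveats apply to the real deployment as well as to this sketch: the ISTag must change whenever the blocklist changes, or clients that cache ICAP verdicts keep allowing a URL that was just blocked; and an ICAP server only sees the URL of HTTPS requests if the proxy intercepts TLS, otherwise it sees only the CONNECT target and can block by host, not by path.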
Detection Improvements
- LLADOC-566 Improved detection of the target OS for dynamic analysis of documents.
- LLADOC-612 Improved detection of macros accessing Microsoft Outlook account data.
- LLADOC-658 More robust extraction of document contents from very large documents.
- LLADOC-668 LLADOC-670 LLADOC-672 LLADOC-674 Improved extraction of OLE data from Microsoft Office documents.
- LLADOC-669 More robust parsing of object metadata from RTF documents.
- LLADOC-673 More robust classification of executables embedded in Microsoft Office documents.
- LLADOC-680 LLADOC-681 Improved extraction of Equation Editor OLE data from RTF documents.
- LLAM-3441 Improved analysis of Microsoft Windows DLLs with non-default entry points.
- LLAM-4056 Improved dynamic analysis of SettingContent-ms files.
- LLMAIL-475 Support for decoding email attachments encapsulated with Transport Neutral Encapsulation Format (TNEF) is now enabled by default.
- MALS-2750 Improved dynamic analysis of MS Publisher documents.
- SIGLOGSCAN-20 SIGLOGSCAN-21 SIGLOGSCAN-22 Improved detection of system fingerprinting for virtual environments.
- SIGLOGSCAN-23 Improved detection of system fingerprinting for Winsock Packet Editor Pro.
- SIGLOGSCAN-290 SIGLOGSCAN-329 Improved detection of shellcode.
- SIGLOGSCAN-305 Improved detection of malware checking for the presence of a debugger.
- SIGLOGSCAN-310 Improved detection of Mughthesec.
- SIGLOGSCAN-326 Improved detection of PUA/Spigot.
- SIGLOGSCAN-328 Improved detection of disabling kernel memory protection.
- SIGLOGSCAN-330 Improved detection of PUA/InstallCore.
- SIGLOGSCAN-331 Improved detection of PUA/Linkury.
- SIGLOGSCAN-333 Improved detection of scriptlet execution.
- SIGREPSCAN-219 Improved detection of anomalous PowerShell invocation.
- SIGREPSCAN-230 Improved detection of banking trojans.
- SIGREPSCAN-496 SIGREPSCAN-551 More robust classification of nested components in legitimate installer software.
- SIGREPSCAN-520 Improved detection of malware fingerprinting browsers in headless mode.
- SIGREPSCAN-546 More robust classification of code accessing IP addresses without prior DNS resolution.
- SIGREPSCAN-6 SIGREPSCAN-545 Improved detection of modifications to Windows autostart behavior.
Bug Fixes and Improvements
- SENT-1001: Improvement to the mechanism used by the sensor to wait for analysis completion in ICAP/Explicit Proxy blocking mode.
- MALS-2739: Remove duplicate tags from analysis reports.
- LLAM-3451: More robust extraction of file-modification behavior during dynamic analysis on Microsoft Windows.
- FEAT-3569: The navigation header bar and main menu drawer have been modified to enable an improved user experience.
- FEAT-3361: The intrusion details overview tab now includes an intrusion summary section.
Deprecation of API methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, together with information on how to replace usage of these methods with supported ones.
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also covers the legacy API methods and explains how to replace them with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1040
Deprecation of appliance versions
Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.
Distribution Upgrade
Sensor version 1040, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.