Lastline Defender and Analyst Hosted Release Notes

Version 7.31

New features

  • Support for testing notification configurations
  • Provide context from Lastline Intelligence for network detections
  • Improved file analysis
  • Email analysis improvements
  • Explicit proxy improvements

Support for testing notification configurations

When setting up a notification configuration, users are now able to send a test message to verify that the setup is correct.

This functionality is available for a number of integrations supported by Lastline:

  • Email notifications
  • Syslog notifications (SIEM)
  • Generic HTTP notifications
  • Streaming API notifications

This functionality can be triggered from the Lastline Portal by clicking on the "Send test notification" button when viewing a notification configuration. This allows users to verify end-to-end delivery of a notification to its intended recipient.

This feature was tracked internally as FEAT-945.

Provide context from Lastline Intelligence for network detections

The Lastline Portal now provides additional context for network detections, by providing additional information about potential indicators of compromise (IoCs) observed on the network. This functionality is provided for:

  • IP addresses
  • Host names resolved via DNS
  • Host names found in HTTP Host headers
  • User Agent strings

The context is provided by badges that can be clicked to display reputation information for the potential IoCs, as well as links for searching for those values in the Intelligence Page.

This functionality is available for customers with a Lastline Knowledgebase license. This feature was tracked internally as FEAT-1047.

Improved file analysis

We have made enhancements to the detection of

  • LLAM-3248 Microsoft Office exploits targeting the equation editor,
  • SIGLOGSCAN-173 exploits evading ASLR in Microsoft Office,
  • LLADOC-454 LLADOC-482 LLADOC-483 LLADOC-488 LLADOC-507 LLADOC-517 obfuscated DDE commands embedded in Microsoft Office documents,
  • LLADOC-490 LLADOC-513 obfuscated or encoded URLs referring to external scripts embedded in Microsoft Office documents,
  • LLADOC-493 suspicious program invocations from VBA code embedded in Microsoft Office documents,
  • LLADOC-501 extracting binary data from Hangul documents,
  • LLADOC-515 suspicious JavaScript embedded in PDF documents,
  • LLADOC-498 VBA macro infections,
  • LLADOC-477 Flash files embedded in Microsoft Office documents,
  • SIGREPSCAN-353 code-compilation from Microsoft Office macros,
  • SIGREPSCAN-390 launching of anomalous shell commands from Microsoft Office,
  • SIGREPSCAN-382 SIGREPSCAN-385 SIGREPSCAN-386 invocation of remote script code from Microsoft Office,
  • SIGLOGSCAN-210 SIGREPSCAN-371 enumerating network shares,
  • SIGLOGSCAN-211 abnormal use of Crypto APIs,
  • LLAM-2375 SIGREPSCAN-377 file deletion activity,
  • ANREV-4263 ANREV-4280 SIGREPSCAN-376 ransom notes,
  • SIGREPSCAN-378 ransomware behavior,
  • SIGLOGSCAN-208 fileless payloads,
  • ANREV-4333 obfuscated access to process environment,
  • SIGLOGSCAN-229 Turla Carbon family,
  • ANREV-4294 open source XMRig miner,
  • ANREV-4213 EternalRomance exploit code,
  • ANREV-4223 abusing DiskCryptor driver,
  • ANREV-3981 Mimikatz utility,
  • ANREV-4167 SIGLOGSCAN-218 SIGLOGSCAN-228 ATM-specific malware,
  • SIGREPSCAN-354 drivers with embedded code,
  • SIGREPSCAN-314 violating Windows filename requirements,
  • SIGREPSCAN-358 anomalous access to user browser profile in Mac OS,
  • SIGREPSCAN-395 download-execute behavior of script code in Mac OS,

and extended anti-evasion techniques to detect abusing

  • LLAM-3214 low-level network adapter settings,
  • SIGLOGSCAN-212 LLAM-3219 excessive calls to timing API functions,
  • SIGLOGSCAN-213 SIGREPSCAN-264 known processor manufacturers,
  • SIGLOGSCAN-227 known sandbox usernames and hostnames,
  • SIGLOGSCAN-160 known Microsoft Windows registry values,
  • SIGREPSCAN-370 processes running inside the analysis sandbox,
  • LLAM-3205 hashing of process names,

and improved the reliability of

  • LLADOC-489 LLADOC-503 LLADOC-504 parsing RTF documents,
  • LLADOC-508 parsing unnamed VBA functions,
  • LLAM-3063 simulating user input in Microsoft Office,
  • LLAM-3112 extracting data from Microsoft Windows registry,
  • LLAM-3211 LLAM-3268 tracking of analysis processes inside the Mac OS sandbox,
  • LLFILE-389 type detection of HTML files,
  • MALS-2459 extracting information on Microsoft Windows driver files.

Email analysis improvements

  • FEAT-2627: As part of a planned set of improvements to the analysis of URLs in email bodies by the sensor appliances, we have improved the ability of the Sensor to identify URLs hosted on known malicious domains or on domains known to be compromised as part of an ongoing campaign.
  • FEAT-2178: Allow configuring a list of destination domains that llmail is willing to accept in MTA mode. The API setting is currently called llmail::acceptable_recipient_domains_json. It is exposed in the API but not (yet) in the web UI. The setting is a JSON list of regular expressions. If this setting is non-empty, llmail will accept only emails whose RCPT TO domain matches one of the regular expressions.
  • LLMAIL-392: In some cases, incoming SSL/TLS SMTP connections that were not cleanly closed by the upstream SMTP server were not cleaned up correctly by llmail, leading to an increasing number of stale incoming connections until the maximum number of incoming connections was reached and new connections were rejected with a temporary SMTP error. This issue is now fixed.
  • LLMAIL-394: The X-Lastline header will now include the tag "analysis-incomplete=analysis-timed-out" (instead of "benign") in case waiting for the analysis result times out and the email is forwarded.
  • LLMAIL-395: In the email tracing log, when a bounce is generated, include a line that links the uuid of the original email with the uuid of the generated bounce email.
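To make the FEAT-2178 setting concrete, the following is an added illustration (not llmail's own code) of how a JSON list of regular expressions is applied to the domain of each RCPT TO address: an empty list accepts every recipient, otherwise the domain must match at least one pattern. The page does not say whether llmail uses search or full-match semantics or how it treats letter case, so those details are assumptions here; the example also flags patterns that lack ^ and $ anchors, because an unanchored pattern such as example\.com would also accept recipients at a domain like example.com.attacker.test under either semantic. The sample setting value is constructed.

```python
"""Illustrative RCPT TO domain filter modelled on the 7.31 note for
llmail::acceptable_recipient_domains_json. Added example, not llmail code:
the matching semantics (search, case-insensitive) are assumptions."""
import json
import re

# Constructed example value for the setting. Every pattern is anchored on
# purpose: an unanchored "example\.com" would also match
# "example.com.attacker.test".
ACCEPTABLE_RECIPIENT_DOMAINS_JSON = json.dumps([
    r"^example\.com$",
    r"^([a-z0-9-]+\.)*corp\.example$",
])


def _load_patterns(setting_json):
    """Parse the setting; an empty/blank value means 'no restriction'."""
    raw = json.loads(setting_json) if setting_json.strip() else []
    if not isinstance(raw, list) or not all(isinstance(p, str) for p in raw):
        raise ValueError("setting must be a JSON list of regex strings")
    return raw


def compile_domain_patterns(setting_json):
    """Compile each regex once; case-insensitive matching is an assumption."""
    return [re.compile(p, re.IGNORECASE) for p in _load_patterns(setting_json)]


def unanchored_patterns(setting_json):
    """Return raw patterns lacking both ^ and $ anchors (likely too broad)."""
    return [p for p in _load_patterns(setting_json)
            if not (p.startswith("^") and p.endswith("$"))]


def rcpt_domain(address):
    """Extract the domain of an RCPT TO address such as '<user@host>'."""
    addr = address.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def rcpt_accepted(address, compiled):
    """Accept everything when no patterns are configured (as the note states);
    otherwise the recipient domain must match at least one pattern, and a
    malformed address is refused."""
    if not compiled:
        return True
    domain = rcpt_domain(address)
    if domain is None:
        return False
    return any(p.search(domain) for p in compiled)


if __name__ == "__main__":
    patterns = compile_domain_patterns(ACCEPTABLE_RECIPIENT_DOMAINS_JSON)
    for rcpt in ("<alice@example.com>", "<x@example.com.attacker.test>",
                 "<m@mail.corp.example>", "not-an-address"):
        print(rcpt, "->", "accept" if rcpt_accepted(rcpt, patterns) else "reject")
    print("unanchored:", unanchored_patterns('["example.com", "^a$"]'))
```

When populating the real setting, anchor each entry and escape literal dots, as in the constructed value above; run the unanchored check against the value you intend to push through the API before applying it.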

Explicit proxy improvements

The explicit proxy now fully validates SSL certificates being inspected. Invalid certificates will be rejected and interaction with the page will be blocked. Additional functionality has been introduced on top of this default behavior:

  • FEAT-2468: it is now possible to instruct the proxy to never perform SSL inspection of specific destinations. This can be configured on the sensor appliance itself by adding hosts to the whitelist file located at the following path:

    /etc/lastline/customer_whitelist_domains_ssl_noinspection.txt

Notice: lastline_apply_config must be run after performing modifications to the whitelist file.

  • FEAT-2469: while the default behavior of the proxy will be to block access to domains offering invalid certificates, it is still possible to instruct the proxy to disable certificate validation on specific destinations. This is also configurable by acting on a file on the sensor appliance:

    /etc/lastline/customer_whitelist_domains_ssl_invalid_cert.txt

Notice: lastline_apply_config must be run after performing modifications to the whitelist file.

  • SQUID-18: the list of ciphers supported by the SSL proxy has been hardened, and support for ciphers associated to known vulnerabilities has been blocked.

Bug fixes and improvements

  • LLAM-3063: fix bug when executing different entry points during a Microsoft Windows DLL analysis.
  • SENT-754: the upgrade of sensor appliances to trusty introduced issues in our support for Silicom NICs. The Silicom NIC driver has been updated to address the issues.
  • FEAT-2342: disable Cipher Block Chaining (CBC) algorithms in the SSH server.
  • SENT-726: experimental support for AF_PACKET for NICs based on igb driver.
  • FEAT-2448 USER-2651: fix multiple issues with y-axis of metric graphs and other graphs in the Lastline Portal.
  • FEAT-2446: change file downloads tab to make all downloads the default view.
  • FEAT-2475: fix typo in portal when deleting an account.
  • FEAT-2507: table in appliance selection modal to remember table view settings such as column visibility and width.
  • FEAT-2330: support for searching by file's imports hash in intelligence tab.

Deprecation of API methods

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 728

Deprecation of appliance versions

  • Support for sensor versions before 720 was discontinued with release 7.28.

  • Support for sensor versions before 717 was discontinued with release 7.24.

Distribution Upgrade

Sensor version 728, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.

For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.
