Version 7.32
New features
- Support script analysis on Mac OS
- Display labels for the classification of samples in analysis overview
- New permissions for viewing email information
- Basic jumbo frame support in sensor
Support script analysis on Mac OS
This release introduces:
- support for analysis of Python scripts on Mac OS
- support for analysis of Bash scripts on Mac OS
- support for analysis of Perl scripts on Mac OS
This change was tracked internally as FEAT-2645
Display labels for the classification of samples in analysis overview
When displaying the analysis overview for the analysis of a file or URL, the Lastline Portal will now display additional information on the classification of the sample. Specifically, the following three fields will be displayed, if information is available for each of them for the sample:
- Antivirus class: this is the general classification of this sample according to antivirus technology, and has values such as "trojan", "ransomware", "adware".
- Antivirus family: this is the more specific classification of the sample according to antivirus technology, and has values such as "locky", "bundleinstaller", "virut".
- Malware: this is the Lastline malware name attributed to this sample based on the network traffic that was observed during analysis.
This change was tracked internally as FEAT-2483
New permissions for viewing email information
This release introduces more granular permissions for controlling access to email information collected by Lastline Enterprise. For this, it introduces two new permissions: "Can view emails" and "Can view benign emails".
- Can view emails: this permission is required to view any information about emails in the Mail tab. It only allows viewing information (mail messages, attachments, or URLs in emails) that is suspicious (score of 30 or above). This permission can be granted globally, or limited to specific licenses or subkeys.
- Can view benign emails: this permission can be granted in addition to "Can view emails". It additionally allows access to mail information that is not suspicious (score below 30).
To minimize the impact of this change on existing installations and user workflows, this release also grants the "Can view emails" permission to all accounts that have the corresponding "Can access alerts" permission. Existing non-administrator accounts will therefore continue to have visibility into mail messages that are at least suspicious. To view information about benign email messages, however, they will need to request the new "Can view benign emails" permission from their administrator.
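The two-permission rule above can be modelled to check edge cases (the score boundary at 30, per-subkey scope, and the upgrade grant derived from "Can access alerts"). The following is an added illustrative model, not Lastline's own code; the Grant/Account structures, the scope representation and the subkey identifiers are assumptions constructed for the example.

```python
# Illustrative model of the 7.32 email-visibility rules (not Lastline's code).
# Assumptions: each account holds grants as (name, scope) pairs, where scope is
# None for a global grant or a frozenset of license/subkey identifiers; an
# email record carries its score (0-100) and the subkey it was collected under.
from dataclasses import dataclass, field
from typing import Optional

SUSPICIOUS_THRESHOLD = 30  # a score of 30 or above is "suspicious" per the release notes


@dataclass
class Grant:
    name: str                             # e.g. "can view emails"
    scope: Optional[frozenset] = None     # None = global; otherwise allowed subkeys


@dataclass
class Account:
    grants: list = field(default_factory=list)

    def has(self, name: str, subkey: str) -> bool:
        """True if the account holds `name` globally or scoped to `subkey`."""
        return any(g.name == name and (g.scope is None or subkey in g.scope)
                   for g in self.grants)


def migrate_alert_permission(account: Account) -> Account:
    """Upgrade rule: every 'can access alerts' grant yields a 'can view emails'
    grant with the same scope, so existing users keep seeing suspicious mail.
    Benign mail visibility is NOT granted automatically."""
    for g in list(account.grants):
        already = any(x.name == "can view emails" and x.scope == g.scope
                      for x in account.grants)
        if g.name == "can access alerts" and not already:
            account.grants.append(Grant("can view emails", g.scope))
    return account


def can_view_email(account: Account, score: int, subkey: str) -> bool:
    """Decide whether the account may see an email record in the Mail tab."""
    if not account.has("can view emails", subkey):
        return False                        # base grant is required for any mail data
    if score >= SUSPICIOUS_THRESHOLD:
        return True                         # suspicious mail needs only the base grant
    return account.has("can view benign emails", subkey)  # benign mail needs the extra grant
```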
This change was tracked internally as FEAT-2300
Basic jumbo frame support in sensor
Sensor 729 includes support for sniffing packets on interfaces with an MTU larger than the default size for Ethernet links, the so-called jumbo frames. If the network being monitored uses jumbo frames, this can be reflected in the sensor configuration by modifying the MTU of the associated sniffing interface. Running "lastline_apply_config" after the MTU reconfiguration makes the sensor aware of the custom MTU setting and configures the sniffing service accordingly.
This change was tracked internally as FEAT-2756
Detection Improvements
We have made enhancements to the detection of
- LLADOC-500 Microsoft Word document template infections,
- LLADOC-517 obfuscated DDE commands,
- LLADOC-523 remote OLE embedded in Microsoft Office document footer/header sections,
- SIGLOGSCAN-208 fileless payloads,
- SIGLOGSCAN-236 Sofacy variants,
- SIGREPSCAN-359 payloads targeting Mac OS hosts,
- SIGREPSCAN-365 corrupted Microsoft Office documents,
- SIGREPSCAN-385 scriptlets embedded in RTF files,
and extended anti-evasion techniques to detect abuse of
- ANREV-4368 known sandbox hostnames or usernames,
- LLAM-3287 hooking LdrGetProcedureAddress,
and improved the reliability of
- LLADOC-491, LLADOC-516 classifying Microsoft Office macro code accessing the host file system,
- LLADOC-524 finding suspicious, embedded objects in RTF files,
- LLAM-3324 extracting system Network Adapter information,
- SIGREPSCAN-392 classifying behavior of Microsoft Internet Explorer triggered during the analysis of documents,
- SIGREPSCAN-402 classifying suspicious use of unreachable hosts on the internet from Microsoft Batch files.
Bug Fixes and Improvements
- USER-2760: Fix bug that could lead to sensor selection modal not working in some views of the Lastline Portal.
- USER-2713: Updated favicon for a cosmetic fix
- USER-2699: Clarify in Lastline Portal text that an administrator can change another account's password without knowing its current password. The password that is requested to confirm this action is the administrator account's own password.
- PLTF-55: Any appliance that has been offline for more than 3 months will be disabled and removed from the UI. This does not affect detection data. Please re-register or do a fresh install to access it again.
- PLTF-56: Fixed a bug that could rarely cause processing of appliance monitoring logs to get stuck due to an invalid message.
- FEAT-2457: More accurate and reliable emulation of recent hardware platforms in the analysis sandbox.
- PLTF-71: Stop reporting unhelpful, generic errors such as "Error(s) occurred while running lastline_test_appliance". The individual errors that occurred are already reported separately.
- FEAT-1862: This release improves the process used by the sensor to identify malicious URLs in email messages. More file extensions are recognized as interesting from a security standpoint and are selected for analysis.
Deprecation of API methods
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 729
Deprecation of appliance versions
Support for sensor versions before 720 was discontinued with release 7.28.
Support for sensor versions before 717 was discontinued with release 7.24.
Distribution Upgrade
Sensor version 729, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.