Version 2019.1
New Features
- Extract stages of PowerShell script execution
- Display and filter on malware tags in mail messages view
- Display new intrusion impact score
- Extend wave detection rules to cover more types of threats
- New dynamic analysis framework for web attacks
- Add new permissions for viewing and managing custom intelligence
EXTRACT STAGES OF POWERSHELL SCRIPT EXECUTION
The analysis sandbox now monitors more internals of the Microsoft PowerShell framework. This allows extraction of all stages of the PowerShell script, including packed or encrypted stages. The extracted script code is used for more precise detection of anomalous behavior and is made available for download, just like files stored to disk.
This new feature was tracked internally as FEAT-3758
DISPLAY AND FILTER ON MALWARE TAGS IN MAIL MESSAGES VIEW
The mail threats table under the mail messages page now includes malware tags in the new Antivirus class and Malware columns. Additionally, support for filtering by analysis tags was added to the filters section.
This new feature was tracked internally as FEAT-3650
DISPLAY NEW INTRUSION IMPACT SCORE
A new impact score was introduced for intrusions. The score is now available for each intrusion under the Intrusions list and in the header of intrusion details page.
This new feature was tracked internally as FEAT-3593
EXTEND WAVE DETECTION RULES TO COVER MORE TYPES OF THREATS
This release improves our detection of attack "waves", where the same attack is observed on one or more hosts in the customer's network, indicating that those hosts might be infected and compromised.
This extension includes the generation of an intrusion for:
- high confidence events where multiple hosts in the same network contacted remote sinkholed hosts related to the same threat
- high confidence events where traffic matching fake-av activity related to the same threat from multiple hosts in the same network to the same remote host was detected
- detections of multiple hosts in the same network generating traffic matching crypto mining activity related to the same threat
This new feature was tracked internally as FEAT-3521
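The three wave rules above share one shape: group events by network and threat (and, for fake-av, by remote host too), then raise an intrusion when the group contains more than one distinct internal host. The following is an added example of that aggregation, not Lastline code; the confidence threshold, the "multiple hosts" minimum of two, the event field names and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed thresholds: the release notes say "high confidence" and
# "multiple hosts" without giving numbers, so these are assumptions.
HIGH_CONFIDENCE = 70
MIN_HOSTS = 2


@dataclass(frozen=True)
class Event:
    network: str        # customer network the internal host belongs to
    src_host: str       # internal host that generated the traffic
    kind: str           # "sinkhole", "fake_av" or "crypto_mining"
    threat: str         # threat the event was attributed to
    dst_host: str       # remote host that was contacted
    confidence: int     # 0-100, as assigned by the upstream detector


# One entry per wave rule, mirroring the three bullets above:
#   sinkhole      - high confidence, same network, same threat, any remote host
#   fake_av       - high confidence, same network, same threat, same remote host
#   crypto_mining - same network, same threat, no confidence requirement stated
RULES = {
    "sinkhole":      {"high_confidence": True,  "same_remote": False},
    "fake_av":       {"high_confidence": True,  "same_remote": True},
    "crypto_mining": {"high_confidence": False, "same_remote": False},
}


def detect_waves(events: List[Event]) -> List[Dict]:
    """Return one intrusion per (rule, network, threat[, remote]) group that
    contains at least MIN_HOSTS distinct internal hosts."""
    groups: Dict[Tuple[str, str, str, Optional[str]], set] = defaultdict(set)
    for ev in events:
        rule = RULES.get(ev.kind)
        if rule is None:
            continue                                   # not a wave-relevant event
        if rule["high_confidence"] and ev.confidence < HIGH_CONFIDENCE:
            continue                                   # below the rule's confidence bar
        remote = ev.dst_host if rule["same_remote"] else None
        groups[(ev.kind, ev.network, ev.threat, remote)].add(ev.src_host)

    intrusions = []
    # Deterministic order; remote may be None, so normalise it for sorting.
    for key in sorted(groups, key=lambda k: (k[0], k[1], k[2], k[3] or "")):
        kind, network, threat, remote = key
        hosts = groups[key]
        if len(hosts) >= MIN_HOSTS:
            intrusions.append({
                "kind": kind, "network": network, "threat": threat,
                "remote": remote, "hosts": sorted(hosts),
            })
    return intrusions


# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    # Sinkhole wave in net-A: two hosts, different sinkholes, same threat.
    Event("net-A", "host1", "sinkhole", "Nymaim", "sink1.example", 90),
    Event("net-A", "host2", "sinkhole", "Nymaim", "sink2.example", 95),
    Event("net-A", "host3", "sinkhole", "Nymaim", "sink1.example", 40),  # low confidence, ignored
    Event("net-C", "host9", "sinkhole", "Nymaim", "sink1.example", 99),  # single host, no wave
    # Fake-AV wave in net-B: only hosts talking to the *same* remote count.
    Event("net-B", "host1", "fake_av", "FakeAV-X", "203.0.113.10", 85),
    Event("net-B", "host2", "fake_av", "FakeAV-X", "203.0.113.10", 80),
    Event("net-B", "host3", "fake_av", "FakeAV-X", "203.0.113.11", 88),  # different remote
    # Crypto-mining wave in net-A: no confidence requirement in the rule.
    Event("net-A", "host4", "crypto_mining", "XMRig", "pool.example", 50),
    Event("net-A", "host5", "crypto_mining", "XMRig", "pool.example", 55),
]

if __name__ == "__main__":
    for intrusion in detect_waves(SAMPLE_EVENTS):
        print(intrusion)
```

The grouping key is what distinguishes the rules: for fake-av the remote host is part of the key, so two hosts reaching the same threat's infrastructure via different remotes do not merge into one wave, while for sinkhole contacts they do.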
NEW DYNAMIC ANALYSIS FRAMEWORK FOR WEB ATTACKS
This release adds a new dynamic analysis sandbox for detecting web-based attacks. The framework supports scanning URLs as well as file-based attacks, and it adds to the existing sandboxes used for scanning submissions. The new framework:
- improves extraction of JavaScript executed by the browser,
- extracts screenshots of visited web pages, and
- allows significantly faster scanning of benign sites.
This new feature was tracked internally as FEAT-3398
ADD NEW PERMISSIONS FOR VIEWING AND MANAGING CUSTOM INTELLIGENCE
This release introduces two new permissions related to customer-provided intelligence:
- can_manage_custom_intel: Ability to manage custom intelligence entries (add, edit, delete)
- can_view_custom_intel: Ability to get a listing of all custom threat intelligence entries and full information on individual entries
These permissions apply to all customer-provided intelligence that the product supports, such as custom IP and domain blacklists, custom IDS signatures, and custom NTA rules.
This new feature was tracked internally as FEAT-3211
Detection Improvements
- MALS-2761 Better detection of suspicious web sites hosted on known-bad IPs.
- LLADOC-566: Better detection of scripts targeting Microsoft Office on macOS.
- LLADOC-652 LLADOC-680 LLADOC-681: Improved detection of exploits against Equation Editor.
- LLADOC-673: More robust classification of executables embedded in Microsoft Office documents.
- LLADOC-674 LLADOC-689 LLADOC-690: Better extraction of OLE resources embedded in Microsoft Office documents.
- LLADOC-699: Improved detection of invocation of shell functions from VBA code.
- SIGLOGSCAN-305: Improved detection of evasions that check for the presence of a debugger via NtYieldExecution.
- SIGLOGSCAN-326: Better detection of PUA/Spigot.
- SIGLOGSCAN-329 SIGLOGSCAN-339: Better detection of shellcode patterns.
- SIGLOGSCAN-330: Better detection of PUA/InstallCore.
- SIGLOGSCAN-332: Improved detection of anomalous accesses to the Microsoft Windows Protected Storage.
- SIGLOGSCAN-333: Improved detection of anomalous invocations of scriptlet files.
- SIGLOGSCAN-334: Better detection of PUA/WizzMonetize.
- SIGLOGSCAN-335: Better detection of VirLock ransomware.
- SIGLOGSCAN-337: Better detection of Nymaim trojan.
- SIGREPSCAN-190: Improved detection of connections to unavailable C&C servers.
- SIGREPSCAN-219: More aggressive classification of suspicious use of PowerShell.
- SIGREPSCAN-230: Better detection of banking trojans targeting Swiss banks.
- SIGREPSCAN-496 SIGREPSCAN-551: More robust classification of anomalous system modifications for installer software.
- SIGREPSCAN-544 SIGREPSCAN-545: Improved detection of achieving system persistence.
- SIGREPSCAN-560: More robust detection of anomalous code injection.
- SIGREPSCAN-563: Improved detection of anomalous use of the bitsadmin system utility.
Bug Fixes and Improvements
- USER-3153: Metric graphs across the portal have been improved to show the maximum Y-axis value in the correct format.
- SURI-745: Fixed an SMB parsing bug that caused sniffing sensors to fail when handling SMB file transfers, leading to instability in the sniffing service.
- SENT-1030: Fixed a problem that caused the sensor to emit the warning message "service disabled but running" when the sensor lacks an Email Defender license.
- SENT-1027: Fixed an ICAP bug that caused an unreasonable analysis load when processing HTTP POST requests.
- LLWEB-1814: More robust extraction of URLs from PDF files for subsequent analysis.
- LLFILE-429: Improved file type classification for appx files.
- LLADOC-682: More robust extraction of script attachments from email messages for subsequent dynamic analysis.
- FEAT-3638: The New detections widget on the Overview dashboard has been improved to better communicate the unique nature and context of listed detections and to provide more supporting evidence. The widget now also displays the threat associated with each listed detection.
Deprecation of API methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also includes methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1041
Deprecation of appliance versions
Since release 7.28, sensor versions before 720 are no longer compatible with Lastline backend.
Since release 7.24, sensor versions before 717 are no longer compatible with Lastline backend.
Distribution Upgrade
Sensor version 1041, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.