Lastline Defender and Analyst Hosted Release Notes

Version 2019.2

New Features

  • Extend sensor configuration UI with NTA data switch
  • Sensor to support Ubuntu Xenial
  • Remove PF_RING from Xenial
  • Extract URLs from executed scripts during sandbox analysis
  • Scan every stage of executed PowerShell script with YARA rules
  • New portal sitemap and navigation structure
  • Support analysis of URLs that are rewritten by third party products in mail

EXTEND SENSOR CONFIGURATION UI WITH NTA DATA SWITCH

A new toggle has been introduced that lets the appliance admin disable the upload of NTA records for a specific sensor. It is found under Admin > Appliances > Configuration > Detection and Blocking > Data Upload.

This new feature was tracked internally as USER-3038

SENSOR TO SUPPORT UBUNTU XENIAL

Lastline Sensor 1050.1, which is being made available as part of this release, introduces support for the Ubuntu Xenial distribution:

  • New sensors installed from a 1050.1 ISO are already based on Ubuntu Xenial
  • Existing sensors upgraded to 1050.1 from a previous version are not automatically upgraded but remain on Ubuntu Trusty. Version 1050.1 supports performing a distribution upgrade to Ubuntu Xenial.

A distribution upgrade can be performed by ensuring the sensor is on version 1050.1 and following these instructions for help with the upgrade process. This update is not done automatically to prevent unexpected downtime.

This new feature was tracked internally as FEAT-3969

REMOVE PF_RING FROM XENIAL

With the switch to Ubuntu Xenial, we are deprecating the use of PF_RING as a packet acquisition strategy in sensor appliances. All sensor appliances, even those still configured to use PF_RING in the appliance configuration, will automatically switch to AF_PACKET during the Xenial upgrade.

This new feature was tracked internally as SENT-1042

EXTRACT URLS FROM EXECUTED SCRIPTS DURING SANDBOX ANALYSIS

The sandbox performs a deeper analysis of the Microsoft PowerShell framework and extracts URLs from the executed scripts, even if the URLs were not used by the script to perform network activity.

This new feature was tracked internally as FEAT-3812

SCAN EVERY STAGE OF EXECUTED POWERSHELL SCRIPT WITH YARA RULES

The sandbox performs a deeper analysis of the Microsoft PowerShell framework and scans all stages of executed scripts with YARA signatures.

This new feature was tracked internally as FEAT-3759
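The two PowerShell features above (URL extraction from every executed stage, and scanning every stage) as an added, self-contained illustration; this is not Lastline's sandbox code. It unwraps base64 stages embedded in a constructed script and assumes a couple of hypothetical regex rules in place of real YARA signatures:

```python
import base64
import re
# -EncodedCommand (aliases -enc/-ec/-e) carries a base64, UTF-16LE script.
ENC_CMD_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Base64 literals handed to [Convert]::FromBase64String('...') inside a script body.
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
# Hypothetical stand-ins for YARA rules; every rule is run against every stage.
RULES = {"base64_stage_loader": re.compile(r"FromBase64String|-EncodedCommand", re.IGNORECASE), "embedded_url": URL_RE}

def _decode(blob):
    """Decode a blob as UTF-16LE (PowerShell's -EncodedCommand encoding), else as UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    text = raw.decode("utf-16-le", errors="replace") if len(raw) % 2 == 0 else ""
    # A UTF-8 blob misread as UTF-16LE turns into non-ASCII noise, so insist on ASCII.
    return text if text and text.isascii() else raw.decode("utf-8", errors="replace")

def unwrap_stages(script, max_stages=10):
    """Return the outer script followed by every decoded stage found inside it."""
    stages, queue = [script], [script]
    while queue and len(stages) < max_stages:
        current = queue.pop(0)
        for rx in (ENC_CMD_RE, B64_CALL_RE):
            for blob in rx.findall(current):
                decoded = _decode(blob)
                if decoded is not None and decoded not in stages:
                    stages.append(decoded)
                    queue.append(decoded)
    return stages

def extract_urls(script):
    """Collect URLs from all stages, whether or not the script ever contacts them."""
    urls = []
    for stage in unwrap_stages(script):
        urls += [u for u in URL_RE.findall(stage) if u not in urls]
    return urls

def scan_stages(script):
    """Run every rule on every stage; a hit records the stage index where it surfaced."""
    stages = unwrap_stages(script)
    return {name: [i for i, s in enumerate(stages) if rx.search(s)] for name, rx in RULES.items()}

# Constructed sample: the innermost stage only stores a URL it never contacts.
STAGE3 = "$u = 'https://stage3.example.invalid/payload.txt'\nWrite-Output 'done'"
STAGE2 = ("$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE3.encode("utf-8")).decode() + "'))\nInvoke-Expression $s")
SAMPLE = "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + base64.b64encode(STAGE2.encode("utf-16-le")).decode()
```

Scanning only the outer command line would miss both the URL and the loader indicator, which is why each decoded stage is scanned separately.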

NEW PORTAL SITEMAP AND NAVIGATION STRUCTURE

The portal sitemap and navigation structure have been upgraded, resulting in improved workflows and user experience. Some highlights include:

  • Intrusions, Hosts, Events, Incidents, Downloads and Network Analysis sections are now found under the new Network tab
  • Appliances section is now found under the Admin tab
  • Multiple new and updated navigation elements have been introduced.
  • Redirects have been implemented to preserve most existing direct links into the portal, whether from notifications or elsewhere.

This new feature was tracked internally as FEAT-3748

SUPPORT ANALYSIS OF URLS THAT ARE REWRITTEN BY THIRD PARTY PRODUCTS IN MAIL

Certain mail security products rewrite URLs found in emails so that the URL can be analyzed each time the user visits it. This rewriting previously prevented the sensor from analyzing the structure of the original URL and deciding whether it is malicious. The sensor is now able to detect and correctly handle the URL-rewriting techniques applied by common vendors.

This new feature was tracked internally as FEAT-3570
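The unwrapping step described above, as an added example rather than the sensor's own implementation: it peels rewrite layers that carry the original URL in a query parameter or path segment. The vendor hostnames and rewrite layouts are constructed for the example and do not correspond to any specific product's format.

```python
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Some rewriters place the original URL in a path segment, raw or percent-encoded.
PATH_URL_RE = re.compile(r"https?(?::|%3A)(?://|%2F%2F).*", re.IGNORECASE)

def _as_url(value):
    """Return value as an absolute http(s) URL, removing one extra percent-encoding layer if needed."""
    for cand in (value, unquote(value)):
        if cand.lower().startswith(("http://", "https://")):
            return cand
    return None

def embedded_urls(url):
    """Absolute http(s) URLs carried inside the query parameters or path of a rewritten URL."""
    parts = urlsplit(url)
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        cand = _as_url(value)  # parse_qsl already removed one encoding layer
        if cand:
            found.append(cand)
    m = PATH_URL_RE.search(parts.path)
    cand = _as_url(m.group(0)) if m else None
    if cand:
        found.append(cand)
    return found

def original_url(url, max_hops=5):
    """Peel rewrite layers until no embedded URL remains; returns (innermost_url, layers_removed)."""
    hops = 0
    while hops < max_hops:
        inner = embedded_urls(url)
        if not inner:
            break
        url, hops = inner[0], hops + 1
    return url, hops

# Constructed samples in the style of click-tracking rewriters (hypothetical vendor hosts).
PLAIN = "https://docs.example.invalid/invoice.pdf?id=42"
REWRITTEN = ("https://urlguard.vendor.invalid/v2/click?u=" + quote(PLAIN, safe="")
             + "&r=" + quote("user@example.invalid", safe=""))
NESTED = "https://other.vendor.invalid/safe?target=" + quote(REWRITTEN, safe="")  # rewrite of a rewrite
IN_PATH = "https://proxy.vendor.invalid/open/" + quote(PLAIN, safe="")
```

The hop count is worth keeping in the analysis record: a URL that unwraps through several vendors is itself a signal that the message crossed more than one mail gateway.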

Detection Improvements

  • LLAM-3603: Improved handling of evasive/stalling code using operating system timers.
  • LLAM-2763: Improved handling of evasive/stalling code using operating system task scheduling.
  • LLAM-2402: Improved handling of evasive code fingerprinting operating system network configuration.
  • SIGLOGSCAN-195: Improved classification of suspicious memory allocations in Microsoft Office.
  • SIGLOGSCAN-336: Better detection of anomalous violations of Windows file and directory naming conventions.
  • LLAM-4396: Improved handling of Microsoft Office security warnings preventing execution of untrusted content.
  • LLAM-2577: Better user-emulation of Windows background processes.
  • LLAM-4358: Improved handling of Microsoft Office documents requiring specific user environment.
  • LLADOC-685: More robust classification of Microsoft Office macros with the ability to download files.
  • LLADOC-699: Improved detection of invoking shell commands from Microsoft Office macros.
  • SIGREPSCAN-571 LLADOC-652: Improved detection of exploits against Equation Editor.
  • SIGREPSCAN-566 SIGREPSCAN-562: Improved detection of system utilities being used to download malware payloads.
  • SIGREPSCAN-561: Improved detection of anomalous process restarts.
  • SIGREPSCAN-565: Improved detection of the Vflooder Trojan.
  • SIGREPSCAN-553: Improved detection of online game password stealers.
  • SIGREPSCAN-557: Improved detection of credential theft.
  • SIGLOGSCAN-347: Improved detection of CosmicDuke.
  • SIGLOGSCAN-342: Improved detection of Eldos RawDisk drivers.
  • SIGLOGSCAN-338: Improved detection of Carberp.
  • SIGLOGSCAN-339: Improved detection of CVE-2018-15982.

Bug Fixes and Improvements

  • USER-3156: Fix bug that could cause the time range selection to not persist as expected when switching between different sections of the Portal.
  • SENT-1038: Past sensor releases could cause lastline_test_appliance to misleadingly report some expected sensor behaviour as a problem. More specifically, mail sensors could report segfaults associated with the python_llmail process even though those segfaults were an expected side effect of the sensor functionality. This problem has now been fixed, and lastline_test_appliance no longer reports these errors.
  • SENT-1033: If a customer-defined IP whitelist exists on the sensor (/etc/lastline/customer_whitelist_ips.txt), it is now consistently honored by all sniffing components for both endpoints of a connection. Previous releases incorrectly failed to apply the whitelist to clients involved in file uploads.
  • PLTF-604: Fix bug that could lead to HTTP 500 errors when loading the emails view in the Lastline Portal.
  • LLPSV-145: Fixed the byte computation for netflow data generated by the Lastline sensor sniffer: the byte counters incorrectly counted only the TCP payload length and omitted the TCP/IP headers. The problem did not affect netflows imported from third-party integrations.
  • LLMAIL-480: Correctly report the number of delivery failure notifications generated by the sensor in the appliance monitoring pages.
  • LLFILE-435: Improved file-type detection of ISO files.
  • LLFILE-432: Improved file-type detection for password-protected RAR5 files.
  • LLFILE-431: More robust file-type detection for Microsoft Office CSV files.
  • FEAT-3769: Improved extraction of document content from Microsoft Office OpenXML, XPS, and PDF file types.
  • FEAT-3768: Fix API performance issue that could cause display of intrusion details to be very slow for certain customers.
  • FEAT-3751: Display additional DNS response information in sandbox analysis reports.
  • FEAT-3745: The display of summary information about a network event has been improved to clarify the roles of client and server in the network event.
  • FEAT-3737: Improved Analyst API documentation for handling of tar-gz archives and Microsoft Office document templates.
  • FEAT-3712: Correctly report the real filename in the captured malware tab when a content disposition header is detected.
  • FEAT-3696: Propagate more malware network IOC information into the user portal.
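The LLPSV-145 byte-counter issue, worked through on constructed packets as an added example (not the sensor's sniffer code): the flow counter must add up the IP total length, which covers the IP and TCP headers, rather than only the TCP payload. Packets are built without a link layer and with zero checksums, since only lengths matter here.

```python
import struct

def build_tcp_packet(payload, tcp_options=b""):
    """Constructed IPv4/TCP packet (no link layer, zero checksums) from 10.0.0.1:40000 to 10.0.0.2:443."""
    assert len(tcp_options) % 4 == 0
    ihl, doff = 5, 5 + len(tcp_options) // 4  # header lengths in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, doff << 4, 0x18, 65535, 0, 0)
    return ip + tcp + tcp_options + payload

def packet_lengths(pkt):
    """Return (ip_total_length, tcp_payload_length) read back from the IP and TCP headers."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    doff = (pkt[ihl + 12] >> 4) * 4  # TCP data offset byte sits 12 bytes into the TCP header
    return total, total - ihl - doff

def flow_bytes(packets, payload_only=False):
    """Byte counter for a flow; payload_only=True reproduces the pre-fix under-count."""
    return sum(packet_lengths(p)[1 if payload_only else 0] for p in packets)

# Constructed flow: a data segment, a bare ACK carrying 12 bytes of TCP timestamp options,
# and a large segment. Pure ACKs contribute nothing at all to a payload-only counter.
FLOW = [
    build_tcp_packet(b"A" * 100),
    build_tcp_packet(b"", tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    build_tcp_packet(b"B" * 1400),
]
```

On this three-packet flow the payload-only counter reports 1500 bytes while the header-inclusive counter reports 1632, and the gap grows with the share of small, option-carrying segments in a connection.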

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also includes methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1050.1

Deprecation of appliance versions

Since release 7.28, sensor versions before 720 are no longer compatible with Lastline backend.

Since release 7.24, sensor versions before 717 are no longer compatible with Lastline backend.

Distribution Upgrade

Sensor 1050.1, which is being made available as part of this release, is the last sensor version to support Ubuntu Trusty as the underlying operating system distribution. Before upgrading to the next Sensor release, sensors that are still on Ubuntu Trusty must be upgraded to Ubuntu Xenial.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded. A distribution upgrade can be performed by ensuring the sensor is on version 1050.1 and following these instructions for help with the upgrade process. This update is not done automatically to prevent unexpected downtime.
