Lastline Defender and Analyst Hosted Release Notes

Version 2020.5

New Features

  • Added indexing of detection data in Elasticsearch/Kibana
  • Added new sensor blocking options
  • Improved support for Silicom NIC adapters
  • Added visibility into the number of devices being protected by Lastline

ADDED INDEXING OF DETECTION DATA IN ELASTICSEARCH/KIBANA

The detection data generated in a Defender installation is now accessible and queryable in Kibana. A dashboard is provided to help with the initial exploration of the data.

This new feature was tracked internally as FEAT-5159

ADDED NEW SENSOR BLOCKING OPTIONS

The new blocking location functionality allows choosing where blocking should be performed: inbound, outbound, or within the home network. In addition, the following blocking options have been added:

  • Block connections via ICMP port unreachable
  • Block connections via DNS sinkholing
  • Block connections via HTTP redirection
  • Blocking location settings

This new feature was tracked internally as FEAT-5870

IMPROVED SUPPORT FOR SILICOM NIC ADAPTERS

This release includes enhanced support for Silicom cards as inline interfaces. More specifically, whenever a Silicom card is detected, the card is set to fail-open mode before any reconfiguration or upgrade is attempted, so that forwarded traffic is not affected even if issues occur during the process. Additionally, the appliance watchdog restores fail-closed mode only if the reconfiguration was successful and 'lastline_test_appliance' identifies no further issues on the appliance.

This new feature was tracked internally as FEAT-5706

ADDED VISIBILITY INTO THE NUMBER OF DEVICES BEING PROTECTED BY LASTLINE

This release adds new UI elements that allow an administrator to see the number of devices on their network that Lastline is protecting. To view, navigate to Admin > Licenses and select a linked license key.

This new feature was tracked internally as FEAT-5717

Detection Improvements

  • TRES-1448: Improved detection of document files spawning Windows Host executable.
  • TRES-1147: Improved detection of Donvibs malware family.
  • TRES-1054: Improved detection of Cyber Agent client samples.
  • TRES-434: Improved detection of malformed ZIP archive files that use a byte order mark to bypass detection.
  • TRES-1521: Added detection of malicious Excel documents weaponized with XL4 macros and DConn records.

Bug Fixes and Improvements

  • FEAT-5107: A new API method (/llanta/graph/list_dhcp) is now available to query the DHCP records indexed in a Defender installation.
  • SENT-2813: Fixed a problem in the inline mode setup that was accidentally introduced by sensor 1180, which removed a ufw rule essential for inline mode forwarding to operate correctly.
  • SENT-2812: Fixed a bug in the Suricata Rust DHCP parser that was introduced in sensor 1180. An error in the parsing of DHCP option 43 caused DHCP packets using that option to raise an exception in the parser, leading to Suricata restarts.
  • SENT-2785: Fixed an issue where a certain class of email local detections, acting, for instance, on the text content of an email, would incorrectly lead to a 'benign' classification in the 'X-Lastline' headers. Messages affected by high confidence email local detections now report a status of 'reputation-block' in the 'X-Lastline' headers.
  • SENT-2774: Fixed an issue with handling SMB filenames and mountpoints that are encoded in UTF-16. The sensor can now parse such strings and display them correctly in the UI.
  • MALS-3249: Fixed a race condition that could cause submissions to the Analyst API to remain in an incomplete state for four hours after submission.
  • TRES-1384: Improved URL extraction from PDF documents.
  • TRES-1373: Fixed a problem in document application bundle analysis. When a document file is submitted with a password and incorrect extension, we allow renaming the extension to a proper one.
  • TRES-846: Fixed LHA archive extraction problem.
  • TRES-581: Fixed a bug in dynamic analysis when an unknown process "sample.exe" appeared in the report.
  • SENT-2763: Fixed a recently introduced issue that could cause the configuration of a sensor to fail if no sniffing interface was configured (e.g. an MTA sensor).
  • FEAT-5955: Customers can now specify a password for artifacts downloaded from the Lastline portal.
  • FEAT-5880: A new API method (/llanta/graph/list_rdp) is now available to query the RDP records indexed in a Defender installation.
  • FEAT-5550: Host profile > Threats tab now displays the intrusion sidebar from the threat card intrusion link.
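As an added illustration of the failure mode behind SENT-2812 (example code written for these notes, not Lastline's or Suricata's parser): a bounds-checked DHCP option parser that expands the vendor-specific option 43 into its sub-options and reports a bad length as an error value instead of raising, run over constructed sample bytes.

```python
# Constructed sample, not a real capture: option 53 (message type) followed by
# option 43 (vendor-specific) carrying two nested sub-options, then END (255).
SAMPLE_OPTIONS = bytes([
    53, 1, 1,                        # DHCP Message Type = 1 (DISCOVER)
    43, 6, 1, 1, 0xAA, 2, 1, 0xBB,   # option 43: sub-option 1 = AA, sub-option 2 = BB
    255,                             # END
])
# Constructed malformed input: option 43 declares 10 bytes but only 3 follow.
MALFORMED_OPTIONS = bytes([53, 1, 1, 43, 10, 1, 1, 255])


def parse_tlv(buf, require_end=True):
    """Parse a DHCP-style code/length/value list into {code: bytes}.
    Returns (options, error). A bad length yields an error string, never an
    exception. Encapsulated option 43 sub-options may omit END (require_end=False).
    """
    opts = {}
    i, n = 0, len(buf)
    while i < n:
        code = buf[i]
        if code == 255:                      # END: stop here
            return opts, None
        if code == 0:                        # PAD: single byte, no length
            i += 1
            continue
        if i + 1 >= n:
            return opts, "truncated: option %d has no length byte" % code
        length = buf[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:                          # the SENT-2812 class of input
            return opts, "truncated: option %d declares %d bytes, %d available" % (
                code, length, n - start)
        opts[code] = bytes(buf[start:end])
        i = end
    if require_end:
        return opts, "missing END option"
    return opts, None


def parse_dhcp_options(buf):
    """Parse top-level options and expand option 43 into its sub-options."""
    opts, err = parse_tlv(buf, require_end=True)
    if err is not None:
        return None, err
    if 43 in opts:
        sub, suberr = parse_tlv(opts[43], require_end=False)
        if suberr is not None:
            return None, "option 43: " + suberr
        opts[43] = sub
    return opts, None
```

The point for a detector is that a length field must be checked against the remaining buffer before slicing; the error path returns a value the caller can log while the engine keeps running.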

Changes to the UI

  • We removed the Sensor blocking options, 'Inline deployment' and 'Block connections via iptables'.
  • We added a new blocking section, 'Blocking locations', with 3 new blocking options (see New Features for details).

End of support for TLS 1.1

With this release, all requests to the Lastline user portal and APIs must use HTTPS with support for TLS 1.2 or above. TLS 1.1 will no longer be supported. All client applications that send data to the Lastline portal or APIs will be required to support TLS 1.2 or above. More details are here.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

Lastline Sensor version 1190

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 on June 30, 2020. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.
