Lastline Defender and Analyst Hosted Release Notes

Version 2020.7

Distribution Upgrade

Lastline Sensor version 1220, shipping with the next release, will be the final Sensor version that supports Ubuntu Xenial (16.04) as the operating system distribution; all later releases will require Ubuntu Bionic (18.04). To support this distribution upgrade, Sensor 1210 and Sensor 1220 run on both Ubuntu Xenial and Ubuntu Bionic. Before upgrading to any later Sensor version, appliances on Ubuntu Xenial must be upgraded to Ubuntu Bionic while running either Sensor 1210 or Sensor 1220. The distribution upgrade requires a reboot and may take up to an hour to complete.

You can check the distribution an appliance is running in the Appliance Status view of the portal: the "Base Distribution" field should read "bionic". If it reads "xenial", the appliance's distribution still needs to be upgraded.

For instructions and support regarding the upgrade, please refer here. The distribution upgrade is not performed automatically, to avoid unexpected downtime.

New Features

  • Added ability to download executed scripts from analysis reports
  • Improved support for sniffing on virtual appliances
  • Added support for AWS IAM Role credentials for sensors in AWS
  • Added event evidence and event URLs to the event sidebar
  • Added support to see RDP protocol information in captured traffic
  • Added new file processing pipeline on sensor
  • Added ability to export analysis result bundle

ADDED ABILITY TO DOWNLOAD EXECUTED SCRIPTS FROM ANALYSIS REPORTS

An executed script can now be downloaded by clicking on the file icon next to the script name in the file analysis report.

This new feature was tracked internally as FEAT-5835

IMPROVED SUPPORT FOR SNIFFING ON VIRTUAL APPLIANCES

Improved sniffing compatibility with virtual appliances. When installing a new sensor, the AF_PACKET acquisition driver is now recommended for all NIC types, and enabled by default. For existing appliances installed before this change, you can enable AF_PACKET from the Admin -> Appliances -> Configuration page in the UI.

This new feature was tracked internally as FEAT-6100

ADDED SUPPORT FOR AWS IAM ROLE CREDENTIALS FOR SENSORS IN AWS

The AWS data source credentials tab in the UI now accepts 'IAM Role' credentials in addition to 'Access and Secret Key' credentials. Using a role attached to the sensor's instance avoids storing long-lived access keys on the sensor.

This new feature was tracked internally as FEAT-6102

ADDED EVENT EVIDENCE AND EVENT URLS TO THE EVENT SIDEBAR

Event evidence and event URLs have been added to the event sidebar as additional analyst information. For events involving file downloads, malware identification from the analysis report is displayed on the sidebar.

This new feature was tracked internally as FEAT-6012

ADDED SUPPORT TO SEE RDP PROTOCOL INFORMATION IN CAPTURED TRAFFIC

A new tab for RDP protocol information is available in the captured traffic pcap view for an event. It displays ConnectionRequest, ConnectionResponse and ClientInfo data.

This new feature was tracked internally as FEAT-5989
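The two PDUs behind the first tabs of that view are the X.224 Connection Request (client) and Connection Confirm (server), both TPKT-framed. The following parser is an added example, not Lastline code, that extracts what an analyst would look for in them: the routing cookie (which carries the username in cleartext before any TLS is set up) and whether the two sides negotiated TLS/NLA or fell back to legacy "Standard RDP Security". The ClientInfo PDU is not covered, since it is only visible after the security layer is established. Constants follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the sample PDUs at the bottom are constructed.

```python
"""X.224 Connection Request / Connection Confirm parser (TPKT framed, MS-RDPBCGR 2.2.1.1 and
2.2.1.2).  Added example, not Lastline code; the sample PDUs at the bottom are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # HYBRID = CredSSP (NLA)
PROTOCOL_RDSTLS, PROTOCOL_HYBRID_EX = 0x4, 0x8
_PROTOCOL_NAMES = {PROTOCOL_SSL: "SSL", PROTOCOL_HYBRID: "HYBRID",
                   PROTOCOL_RDSTLS: "RDSTLS", PROTOCOL_HYBRID_EX: "HYBRID_EX"}
_FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                  3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                  5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
X224_CR, X224_CC = 0xE0, 0xD0                      # TPDU codes (high nibble)
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03   # RDP negotiation structure types

@dataclass
class ConnectionRequest:
    cookie: Optional[str]               # routing cookie, usually "mstshash=<user>"
    requested_protocols: Optional[int]  # None when the client sent no RDP_NEG_REQ

    def protocol_names(self) -> List[str]:
        if not self.requested_protocols:   # absent or PROTOCOL_RDP: legacy security only
            return ["RDP"]
        return [n for f, n in _PROTOCOL_NAMES.items() if self.requested_protocols & f]

@dataclass
class ConnectionConfirm:
    selected_protocol: Optional[int]    # RDP_NEG_RSP value; None if the server sent none
    failure: Optional[str]              # RDP_NEG_FAILURE code name, if the server refused

def _x224_variable_part(buf: bytes, tpdu: int) -> bytes:
    """Validate TPKT framing and the fixed X.224 CR/CC header, return the variable part."""
    if len(buf) < 11 or buf[0] != 0x03 or struct.unpack(">H", buf[2:4])[0] != len(buf):
        raise ValueError("not a well-formed TPKT-framed X.224 PDU")
    li, code = buf[4], buf[5]
    # LI counts every byte after itself: code(1) DST-REF(2) SRC-REF(2) class(1) + variable part
    if (code & 0xF0) != tpdu or li < 6 or 5 + li > len(buf):
        raise ValueError("unexpected TPDU code or bad length indicator")
    return buf[11:5 + li]

def parse_connection_request(buf: bytes) -> ConnectionRequest:
    var, cookie, requested = _x224_variable_part(buf, X224_CR), None, None
    if var and var[0] != NEG_REQ:              # cookie / routing token: text ended by CR LF
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        text = var[:end].decode("ascii", "replace")
        cookie = text[len("Cookie: "):] if text.startswith("Cookie: ") else text
        var = var[end + 2:]
    if var:
        if len(var) < 8 or var[0] != NEG_REQ:
            raise ValueError("malformed RDP_NEG_REQ")
        _, _flags, length, requested = struct.unpack("<BBHI", var[:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    return ConnectionRequest(cookie, requested)

def parse_connection_confirm(buf: bytes) -> ConnectionConfirm:
    var = _x224_variable_part(buf, X224_CC)
    if not var:                                # no negotiation response: legacy security
        return ConnectionConfirm(None, None)
    if len(var) < 8:
        raise ValueError("truncated negotiation response")
    kind, _flags, length, value = struct.unpack("<BBHI", var[:8])
    if length != 8 or kind not in (NEG_RSP, NEG_FAILURE):
        raise ValueError("malformed negotiation response")
    if kind == NEG_RSP:
        return ConnectionConfirm(value, None)
    return ConnectionConfirm(None, _FAILURE_CODES.get(value, "UNKNOWN_%d" % value))

def findings(req: ConnectionRequest, conf: ConnectionConfirm) -> List[str]:
    """What an analyst wants from these two PDUs: cleartext username and the TLS/NLA outcome."""
    out = []
    if req.cookie and req.cookie.startswith("mstshash="):
        out.append("username in cleartext routing cookie: " + req.cookie[len("mstshash="):])
    if not req.requested_protocols:
        out.append("client offered legacy RDP security only (no TLS/NLA)")
    if conf.failure:
        out.append("server rejected negotiation: " + conf.failure)
    elif not conf.selected_protocol:           # None or PROTOCOL_RDP
        out.append("server selected legacy RDP security: session not protected by TLS")
    return out

# Constructed samples.  CR from user "admin" offering SSL|HYBRID|HYBRID_EX (0x0B):
SAMPLE_CR = (bytes.fromhex("0300002b" "26e0" "0000" "0000" "00")
             + b"Cookie: mstshash=admin\r\n"
             + bytes([NEG_REQ, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x00, 0x00]))
# CC selecting PROTOCOL_HYBRID (NLA), and a CC refusing with HYBRID_REQUIRED_BY_SERVER:
SAMPLE_CC = (bytes.fromhex("03000013" "0ed0" "0000" "1234" "00")
             + bytes([NEG_RSP, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00]))
SAMPLE_CC_FAIL = (bytes.fromhex("03000013" "0ed0" "0000" "1234" "00")
                  + bytes([NEG_FAILURE, 0x00, 0x08, 0x00, 0x05, 0x00, 0x00, 0x00]))
# Pre-negotiation client and server: no cookie, no RDP_NEG_REQ / RDP_NEG_RSP at all.
LEGACY_CR = bytes.fromhex("0300000b" "06e0" "0000" "0000" "00")
LEGACY_CC = bytes.fromhex("0300000b" "06d0" "0000" "1234" "00")
```

Both parsers check the TPKT length against the buffer and the X.224 length indicator against the fixed header, so a truncated or padded capture raises instead of yielding a half-parsed structure. A selected protocol of PROTOCOL_RDP (or no negotiation response at all) means the session that follows is protected only by the legacy RDP security layer, which is the case worth flagging in captured traffic.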

ADDED NEW FILE PROCESSING PIPELINE ON SENSOR

The sensor now enables by default the new file processing pipeline based on RAPID (Rapid API for Detection) for the sniffing and mail analysis pipelines. RAPID is a static analysis module that integrates a variety of fast techniques to produce verdicts on analysed files without relying on dynamic analysis in the manager or cloud. In this first release, the RAPID capabilities are mostly equivalent to the previous standalone Lastline prefilter.

This new feature was tracked internally as FEAT-5985

ADDED ABILITY TO EXPORT ANALYSIS RESULT BUNDLE

The Analyst API now supports exporting full analysis PDF reports for previously submitted tasks asynchronously. A full analysis report includes all reports for a task, including any subtasks (child tasks). The new API call export_report triggers generation of the report, get_completed_exported_reports returns which reports have been rendered, and get_exported_report returns a specific rendered report. Please refer to the Analyst API documentation for details on these new API calls.

This new feature was tracked internally as FEAT-5856
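The three calls form a trigger, poll, fetch sequence, and the part worth getting right on the client side is the polling loop: bounded by a deadline so a report that never renders cannot hang an automation job. The following is an added example of that loop, not Lastline's client code. Only the three method names come from the release notes; the argument names, return shapes and the offline FakeAnalystApi stand-in are assumptions to be checked against the Analyst API documentation before use.

```python
"""Client-side flow for the asynchronous full-report export: trigger, poll, fetch.
Added example, not Lastline client code.  Only the three call names are from the
release notes; argument names, return shapes and the fake API are assumptions."""
import itertools
import time
from typing import Callable, Dict, List, Set, Tuple


class ExportTimeout(Exception):
    pass


def export_full_report(api, task_uuid: str, *, poll_interval: float = 5.0,
                       timeout: float = 600.0,
                       sleep: Callable[[float], None] = time.sleep,
                       clock: Callable[[], float] = time.monotonic) -> bytes:
    """Trigger rendering, poll until the report is listed as completed, then fetch it.
    The loop is bounded by `timeout` so a report that never renders cannot hang the caller."""
    report_uuid = api.export_report(task_uuid)       # assumed to return the report identifier
    deadline = clock() + timeout
    while True:
        if report_uuid in api.get_completed_exported_reports():
            return api.get_exported_report(report_uuid)
        if clock() >= deadline:
            raise ExportTimeout("report %s for task %s not rendered within %ss"
                                % (report_uuid, task_uuid, timeout))
        sleep(poll_interval)


class FakeAnalystApi:
    """Offline stand-in (assumption, not the real API): a report becomes completed
    only after a fixed number of status polls, which exercises both loop exits."""
    def __init__(self, polls_until_ready: int):
        self._remaining = polls_until_ready
        self._reports: Dict[str, str] = {}          # report_uuid -> task_uuid
        self._ready: Set[str] = set()
        self.calls: List[str] = []

    def export_report(self, task_uuid: str) -> str:
        self.calls.append("export_report")
        report_uuid = "report-%d" % (len(self._reports) + 1)
        self._reports[report_uuid] = task_uuid
        return report_uuid

    def get_completed_exported_reports(self) -> List[str]:
        self.calls.append("get_completed_exported_reports")
        if self._remaining > 0:
            self._remaining -= 1
        else:
            self._ready.update(self._reports)
        return sorted(self._ready)

    def get_exported_report(self, report_uuid: str) -> bytes:
        self.calls.append("get_exported_report")
        if report_uuid not in self._ready:
            raise KeyError("report %s is not rendered yet" % report_uuid)
        return b"%PDF-1.4 constructed report for " + self._reports[report_uuid].encode()


def run_offline(polls_until_ready: int, timeout: float) -> Tuple[bytes, List[str]]:
    """Drive export_full_report against the fake with a simulated clock (1 s per read)."""
    api = FakeAnalystApi(polls_until_ready)
    fake_time = itertools.count()
    pdf = export_full_report(api, "task-constructed-1", poll_interval=1, timeout=timeout,
                             sleep=lambda _: None, clock=lambda: next(fake_time))
    return pdf, api.calls
```

Injecting `sleep` and `clock` keeps the loop testable without real delays; in production the defaults (`time.sleep`, `time.monotonic`) apply, and the poll interval should be generous, since a full report with many child tasks can take a while to render.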

Detection Improvements

  • TRES-1176: Improved detection for malware that uses conditional command-line execution.
  • TRES-1684: Improved detection of VBA macros and documents that abuse regsvr32.
  • TRES-1586: Improved detection of Python-based malware that checks for a virtualized environment.

Bug Fixes and Improvements

  • FEAT-5829: Unpacking errors will be displayed in the file analysis report when archive unpacking was only partially successful.
  • SENT-2885: Fixed a bug where the registration of a sensor with no sniffing interfaces defined (e.g. MTA, ICAP) would lead to a failure.
  • USER-4777: Fixed a bug where the Intrusion Timeline's "Sort by [earliest / most recent]" options were a) not handling messages correctly, and b) displaying dates and times incongruent with the underlying sorting.
  • USER-4687: Fixed an issue where inappropriate permissions were being set while creating multiple user accounts.
  • USER-4722: Fixed the issue for selecting an absolute date range in the Notification's Reports download view.
  • USER-4689: Fixed a bug where having a large number of sensors would cause the appliance metric graph legends to compress and obscure the graphs themselves.
  • USER-4634: Fixed a bug where editing a notification for an inactive proxy sensor showed the error "could not find key alert".
  • USER-4620: Fixed a bug where the Quarantine configuration was not visible if DROP EMAILS WITH MALICIOUS ATTACHMENTS was disabled.
  • USER-4517: Fixed a bug where changing the time units of min interval in syslog trigger was not working as expected.
  • SENT-2918: Fixed a long-standing issue where installing a sensor with a Silicom adapter required additional steps, such as disabling adapter support before performing the registration. Installing a new sensor with a Silicom adapter no longer requires any special step, and no content is required in /etc/appliance-config/override.yaml. It is now sufficient to proceed with the registration and, once the sensor is correctly registered, run lastline_setup to define the inline interface pairs.
  • SENT-2883: Fixed an issue on the sensor where defining an unusually high number of sniffing interfaces could cause the IDS service to fail to initialise.
  • SENT-2843: Fixed a problem where limiting the IPs allowed to interact with an MTA sensor from the UI had no effect, so that any host able to reach the sensor could interact with it.
  • FEAT-6046: Improved the event list's Detected Threat graph: hovering now shows the threats in a class, and selecting a threat filters the event list on it.
  • USER-3220: Fixed a bug where the global search icon in the analysis report view redirected the user to a 404 error.
  • SENT-2921: Fixed an issue where reputation events were reported by the sensor as successful connections even when a firewall had blocked the TCP three-way handshake by injecting a RST/ACK.
  • SENT-2919: Fixed a problem where inline sensors could add more than the expected 10 ms of delay in the forwarding plane.
  • SENT-2856: Improved the handling of timeouts in the MTA processing in conjunction with the integration with RAPID. If a message analysis times out while waiting for a verdict from dynamic analysis a warning will be reported in the monitoring logs.
  • SENT-2809: Improved the memory utilization of some components of the mail processing pipeline.
  • FEAT-5992: The ICAP service now has the capability to analyze EML files being transferred on top of the HTTP protocol.
  • FEAT-5961: Network analysis records now include the name of the NIC where the network activity associated to a record was observed.
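The SENT-2921 fix above rests on a distinction that matters for any reputation-based alert: a SYN to a known-bad address is not a successful connection until the three-way handshake completes, and a firewall that answers the SYN with an RST/ACK ends the attempt before any data flows. The following passive handshake tracker is an added illustration of that logic, not the sensor's code; the packets are constructed tuples rather than frames parsed from a pcap, and the addresses are invented.

```python
"""Passive TCP handshake tracker: decides whether a flow actually reached ESTABLISHED
or was ended during the handshake by an RST/ACK, as a firewall does for a blocked
destination.  Added illustration, not sensor code; packets and addresses are constructed."""
from dataclasses import dataclass
from typing import Iterable

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port"
    dst: str
    flags: int
    seq: int
    ack: int = 0


def handshake_outcome(packets: Iterable[Packet], client: str, server: str) -> str:
    """Return 'established', 'reset_during_handshake', 'incomplete' or 'no_syn'."""
    state, client_isn, server_isn = "closed", None, None
    for p in packets:
        from_client = p.src == client and p.dst == server
        from_server = p.src == server and p.dst == client
        if not (from_client or from_server):
            continue
        if state == "closed":
            if from_client and p.flags & SYN and not p.flags & ACK:
                client_isn, state = p.seq, "syn_sent"
        elif state == "syn_sent":
            if from_server and p.flags & RST:
                # RFC 793: in SYN-SENT a reset is honoured only if it acknowledges our SYN.
                if p.flags & ACK and p.ack == client_isn + 1:
                    return "reset_during_handshake"
            elif (from_server and p.flags & SYN and p.flags & ACK
                  and p.ack == client_isn + 1):
                server_isn, state = p.seq, "syn_received"
        elif state == "syn_received":
            if from_client and p.flags & RST:
                return "reset_during_handshake"
            if (from_client and p.flags & ACK and not p.flags & SYN
                    and p.seq == client_isn + 1 and p.ack == server_isn + 1):
                return "established"
    return "no_syn" if state == "closed" else "incomplete"


def connection_succeeded(packets: Iterable[Packet], client: str, server: str) -> bool:
    """What a reputation event should be gated on: only an established flow counts."""
    return handshake_outcome(packets, client, server) == "established"


# Constructed flows between an internal client and a (fictional) listed destination.
C, S = "10.0.0.5:49152", "203.0.113.7:443"
SYN_PKT = Packet(C, S, SYN, seq=1000)
SYNACK_PKT = Packet(S, C, SYN | ACK, seq=5000, ack=1001)
ACK_PKT = Packet(C, S, ACK, seq=1001, ack=5001)

FLOW_OK = [SYN_PKT, SYNACK_PKT, ACK_PKT]
# A firewall intercepts the SYN and injects an RST/ACK acknowledging it: the client gives up.
FLOW_BLOCKED = [SYN_PKT, Packet(S, C, RST | ACK, seq=0, ack=1001)]
# A stray RST/ACK with the wrong ack number is ignored by the client; the handshake completes.
FLOW_STRAY_RST = [SYN_PKT, Packet(S, C, RST | ACK, seq=0, ack=999), SYNACK_PKT, ACK_PKT]
FLOW_UNANSWERED = [SYN_PKT]
```

The acknowledgement-number check on the RST is deliberate: a reset the client would ignore must not be counted as a block either, otherwise an attacker or a misbehaving middlebox could make a completed connection look blocked in the event record.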

End of Support for McAfee Threat Intel Exchange

Starting with the next release, 2020.8, the McAfee Threat Intel Exchange integration will be removed from the product offering. Details of alternative methods for exchanging data with McAfee Threat Intel Exchange will be provided at that time.

Changes to MacOS Support

With the next release, 2020.8, we will change the way in which we analyze macOS files. We will continue to analyze the macOS file types most likely to compromise systems, as well as PDF and Word documents that can affect both macOS and Windows, but some macOS file types will no longer be analyzed. Additional details will be available on the Lastline support web site.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

Lastline Sensor version 1210