Version 2020.9
Distribution Upgrade
Lastline Sensor version 1220 was the final version that supported Ubuntu Xenial as the operating system distribution. For the successful upgrade to 1230, Ubuntu Bionic is required.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution must be upgraded while the appliance is still running sensor 1220, and only then should the sensor version be upgraded to 1230.
The distribution upgrade requires a reboot and may take up to an hour to complete. It is not performed automatically, to prevent unexpected downtime. For instructions and support regarding the upgrade, please refer here.
New Features
- Added intrusion links in Host profile overview
INTRUSION LINKS IN HOST PROFILE OVERVIEW
Added direct links to any associated intrusions to the Host profile overview tab.
This new feature was tracked internally as FEAT-5547.
Detection Improvements
- FEAT-5882: A new anomaly detector for RDP records has been added. The detector learns the normal values of various fields in RDP connections and raises an alert when it observes an unexpected value.
- TRES-1855: Improved detection of Abracadabra malware family.
- TRES-1529: Improved detection of documents executing rundll32.
- TRES-1683: Improved detection of documents that leverage Document_Close to trigger their malicious behavior.
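The RDP anomaly detector described above, illustrated with an added example that is not Lastline's code: a baseline-learning detector that records the values seen per destination host and field during a training period and flags later values outside that set. The record field names and all sample values are constructed assumptions, not Lastline's RDP record schema.

```python
from collections import defaultdict

# Constructed sample records; the field names are assumptions for this
# example, not Lastline's RDP record schema.
BASELINE = [
    {"dst": "10.0.0.5", "client_name": "WS-ALICE", "client_build": 19041, "keyboard_layout": "en-US"},
    {"dst": "10.0.0.5", "client_name": "WS-BOB", "client_build": 19041, "keyboard_layout": "en-US"},
    {"dst": "10.0.0.5", "client_name": "WS-ALICE", "client_build": 18363, "keyboard_layout": "en-US"},
    {"dst": "10.0.0.9", "client_name": "WS-CAROL", "client_build": 19041, "keyboard_layout": "de-DE"},
]
LIVE = [
    {"dst": "10.0.0.5", "client_name": "WS-BOB", "client_build": 19041, "keyboard_layout": "en-US"},
    {"dst": "10.0.0.5", "client_name": "UNKNOWN-PC", "client_build": 6001, "keyboard_layout": "ru-RU"},
    {"dst": "10.0.0.9", "client_name": "WS-CAROL", "client_build": 19041},  # keyboard_layout absent
]
FIELDS = ("client_name", "client_build", "keyboard_layout")

class RdpAnomalyDetector:
    """Learn the values seen per (destination host, field) in a baseline
    period, then flag any later value outside that learned set."""

    def __init__(self, fields=FIELDS):
        self.fields = fields
        self.known = defaultdict(set)  # (dst, field) -> values seen in baseline

    def learn(self, records):
        for rec in records:
            for f in self.fields:
                if f in rec:
                    self.known[(rec["dst"], f)].add(rec[f])

    def check(self, rec):
        """Return (field, value) pairs in rec that are unexpected for its destination.
        A field with no baseline for that host is skipped: nothing to compare against."""
        anomalies = []
        for f in self.fields:
            baseline = self.known.get((rec["dst"], f))
            if f in rec and baseline and rec[f] not in baseline:
                anomalies.append((f, rec[f]))
        return anomalies

def run_detection(baseline, live):
    """Train on baseline; return {live record index: anomalies} for every
    live record that raised at least one anomaly."""
    det = RdpAnomalyDetector()
    det.learn(baseline)
    checked = ((i, det.check(rec)) for i, rec in enumerate(live))
    return {i: found for i, found in checked if found}
```

Note that the baseline is kept per destination host, so a client name that is normal for one server is still flagged when it first appears against another.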
Bug Fixes and Improvements
- SENT-2941: Sensor appliance monitoring logs now include packet processing statistics collected from the IDS service. The statistics include average bandwidth, percentage of packet loss encountered, TCP reassembly anomalies (reassembly gaps) and cases of unexpectedly long flows (stream length reached). If any of these statistics reaches an abnormally high level, which may indicate a problem on the sniffing interface, the IDS component is switched to the warning state.
- TRES-1915: Fixed a bug related to process creation through WMI.
- FEAT-6254: License tracking switched from host count to socket count.
- FEAT-6152: Sensor appliances now allow configuring the maximum size of an extracted artifact via lastline_setup. The value is set with the "sensor_max_upload_filesize_mb" setting, which defaults to 20MB. It cannot exceed the maximum upload size allowed by the backend, which is 64MB.
Removal of McAfee DXL Integration
We are announcing the removal of the existing integration with McAfee Threat Intelligence Exchange.
Changes to macOS and Android Support
In the next release, 2020.10, we will be changing the way in which we analyze macOS and Android files. We will continue to analyze the macOS files that are likely to compromise systems, as well as PDF and Word documents that can impact both macOS and Windows operating systems; however, Android and some macOS file types will no longer be analyzed. For additional details please contact Lastline Support.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:
- Lastline Sensor version 1230