Lastline Defender and Analyst Hosted Release Notes

Version 2021.3

Reminder to tag hosts that perform vulnerability scans

A previous release extended the host tagging feature with Lastline-defined host tags. Assigning these non-editable tags to known hosts in your environment increases the accuracy of threat correlations and prevents potentially unwanted correlations. The next release (2021.4) will add a campaign correlation rule that uses the "ll:vulnerability scanner" host tag to distinguish between malicious attacker-initiated vulnerability scans and scheduled benign scans. We recommend that hosts that perform benign vulnerability scans be tagged with the appropriate tag to ensure that only malicious scans are correlated. Lastline-defined tags can be assigned to hosts on the Hosts page. Further details about the tags can be found here: https://user.lastline.com/help/lastlinetags.html.

Detection Improvements

  • LLAM-7015: Added detection of the ability to overwrite firmware.
  • SIG-943: Improved the correlation pipeline when attempting to correlate malware downloads with activity that is known to be associated with the same malware class. The correlation now also takes into account external labelling data (e.g. AV labels) on top of internal sources.

Bug Fixes and Improvements

  • LLAM-6657: Encrypted document files submitted with a wrong (or empty) extension are now given the proper filename.
  • USER-5249: Fixed an issue that prevented users from updating their password or the email address associated with their account via the Account settings page.
  • SENT-3124: Fixed an issue where the ICAP daemon would not properly perform filetype pre-filtering when processing REQMOD requests. As a result, an ICAP installation submitting a large number of bodies in HTTP requests would cause unreasonable load.
  • SENT-3082: Fixed an issue where the hash allowlist on a sensor appliance would have no effect on the sniffing file processing pipeline.
  • LLAM-7034: Improved file-type classification for encrypted workbooks in Excel 5.0/95 Binary file format.
  • USER-5223: Fixed submitting the login form by pressing Enter.
  • SENT-3098: Fixed an issue where we would incorrectly report packet loss statistics on sniffing sensors processing limited throughput.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

  • Lastline Sensor version 1260