Lastline Defender and Analyst Hosted Release Notes

Version 2021.6

New Features

  • Permalink Option for Interactive Analysis Reports

Permalink Option for Interactive Analysis Reports

The permalink feature allows a link to an interactive Malware Analysis report to be shared with others within the organization without requiring them to log in to the NSX Defender Portal to view the details. To create a shareable report permalink, click the "Share Report" button when viewing an Analysis Report. This feature is being tracked by FEAT-6081.

Bug Fixes and Improvements

  • FEAT-7075 - Fix issue that could cause some detections with verification outcome "failed" or "blocked" to have unexpectedly high impact score.
  • LLAM-7837 - Improved content extraction from XLSB document files with a single macro sheet.
  • PLTF-1636 - The permalink feature allows a link to an interactive Lastline Analysis report to be shared with others within the organization without requiring them to log in to the Lastline UI to view the details.
  • LLAM-7642 - Reduced false positive rate of documents with security warnings in content.
  • PLTF-2670 - Make sure last modified time for custom rules is displayed in user time zone.
  • SENT-3265 - Fix to an issue where the third party netflow ingestion would not be automatically started at boot when the integration is enabled.
  • SENT-3261 - Improved performance in the reverse resolution of NTA records during sensor data processing.
  • SENT-3250 - Fix to a bug introduced in the previous release where the IDS service would fail to start on under-spec'd appliances.
  • USER-5498 - This fix displays the flag next to the host IP in the events list view.

Detection Improvements

  • LLAM-7575 - Improved detection of XLSB document downloaders.
  • LLAM-7513 - Improved detection of Darkside Ransomware.
  • LLAM-7407 - Improved detection of malicious documents targeting Italian users.
  • LLAM-7225 - Improved detection of APT29 PolyGlot Duke malware.
  • LLAM-7169 - Improved extraction of macro code from ZLIB-compressed streams embedded in PowerPoint binary file format.
  • LLAM-7033 - Updated third-party libraries (oletools and pyxlsb2) for better parsing of document files.
  • LLAM-7606 - Improved detection of malware samples trying to evade analysis in an emulated environment.
  • LLAM-7607 - Improved detection for malware samples that evade sandbox by checking characteristic CPU vendor information.
  • LLAM-7769 - Improved detection of lure document files that use social engineering attempts to enable macro code execution.
  • LLAM-7661 - Improved detection of DarkSide ransomware.
  • LLAM-7660 - Improved detection of Defray777 ransomware.
  • LLAM-7664 - Improved detection of documents with shellcode patterns in streams.
  • LLAM-7804 - Improved detection of VMProtect hypervisor evasion technique.
  • LLAM-7803 - Improved detection for XLSB document downloaders.
  • LLAM-7662 - Improved detection of Wildfire Palo Alto test file.
  • LLAM-7172 - Improved detection of Bazar Loader.
  • LLAM-7405 - Improved detection of .NET injector applications.
  • LLAM-6941 - Improved detection of Emotet malware family.
  • LLAM-7837 - Improved content extraction from XLSB document files with a single macro sheet.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

  • Lastline Sensor version 1290