Lastline Defender and Analyst Hosted Release Notes

Version 2022.3

New Features

  • New AI-based classifier for Windows PE files
  • Malware Analysis pipeline throughput optimization
  • Intelligent Anti-Malware Signatures for Windows PE files

NEW AI-BASED CLASSIFIER FOR WINDOWS PE FILES

The new AI-based scoring component was introduced into Anti-Malware static analysis to increase the quality of the detection. The component classifies PE files, and its result is visible in the report overview as "Anomaly: AI detected potential threat".

This new feature was tracked internally as FEAT-7677

MALWARE ANALYSIS PIPELINE THROUGHPUT OPTIMIZATION

To utilize resources more efficiently, we introduce an optimization of the malware analysis pipeline by prefiltering Windows PE files. The PE files will be analyzed by our cutting-edge static analysis and ML-based components first. If a file is recognized as benign with high confidence by static analysis and ML-based components, it won't be submitted to the dynamic analysis sandbox. This optimization will decrease the waiting time for benign file analysis, and increase the overall system performance.

This new feature was tracked internally as FEAT-7655

INTELLIGENT ANTI-MALWARE SIGNATURES FOR WINDOWS PE FILES

NSX NDR introduces the new signature-based scoring component into Anti-Malware static analysis to increase the quality of the detection. The signatures are automatically generated by our threat intelligence system using malicious code reuse data. The signatures cover malicious samples belonging to the same malware family and generated to be resilient to evasion. The new component only supports Windows PE files at the moment.

This new feature was tracked internally as FEAT-7689

Detection Improvements

  • LLAM-8988: Improved detection for Win64EmotetDropperDecryptionRoutine malware.
  • LLAM-8847: Improved detection for document files downloading an external payload
  • LLAM-8911: Improved detection for AvosLocker family Linux-variant.
  • LLAM-8918: Improved detection of Mimikatz and SharpHound malware families
  • LLAM-9006: Improving detection of CVE-2022-30190
  • LLAM-8676: Improved detection for obfuscated HTML page
  • LLAM-9056: Detection improvement for DroperX
  • LLAM-9185: Improved detection for Scarecrow dropper JS malware.
  • LLAM-8923: Improving detection of Emotet
  • LLAM-8974: Improved detection for EmotetEncryptedRsrcId
  • LLAM-8663: Improved detection of Cyclops Blink ELF trojan.
  • LLAM-8976: Improved detection for EmotetDropper using decryption routine
  • LLAM-8975: Improved detection for EmotetEncryptedRsrcId
  • FEAT-7490: A new network anomaly detector has been introduced to alert the user of traffic using known, sensitive protocols, observed over unusual ports, meaning that the protocol and port pairing are typically not associated according to network standards provided by authorities such as the IANA. These anomalous events potentially indicate either poor security practices or, in the worst cases, adversaries trying to bypass network protections such as firewall policies.
  • LLAM-9140: Improved detection of RedAlert ransomware
  • LLAM-9126: Improved detection for SessionManager backdoor.
  • FEAT-7458: A new network anomaly detector has been introduced to alert the user of anomalies in the parameters of HTTP requests directed to internal web applications for which the behavior can be learnt automatically. Anomalous parameters may indicate attempts from an attacker to discover or exploit vulnerabilities in the web application such directory traversal or SQL injections.
  • LLAM-8682: Improved detection for ExcelAddIn
  • LLAM-9118: Improved detection for Injector malware family
  • LLAM-8876: Improved detection for the following potentially unwanted applications
  • AskToolbar
  • Babylon
  • Ad2345
  • RelevantKnowledge
  • LLAM-8875: Improved detection for Kingsoft potentially unwanted applications.
  • LLAM-9001: Improved detection for Deadringer malware and its dropper.
  • LLAM-8787: Improved detection for Nsis based Injector malware.
  • LLAM-9017: Improved detection for the following malware and adware families
  • AVUpdatekiller malware
  • Injector malware
  • EmotetDropper malware
  • Linkury Adware
  • LLAM-8990: Improved detection for Korplug malware
  • LLAM-9090: Improved detection for malware that exploits CVE_2022_30190 vulnerability.
  • LLAM-8992: Improved detection for VBA trojan dropper

Bug Fixes and Improvements

  • PLTF-3163: Fixed an issue that caused the API call for getting breach evidence to sometimes time out.
  • FEAT-7515: The logic in charge of allocating memory to the sensor IDS component as a function of the available appliance memory has been improved. As with prior improvements, configuring a sniffing interface receiving no traffic is strongly discouraged as it will lead to a waste of resources. Please ensure the configured sniffing interfaces contain only interfaces that are indeed expected to receive traffic.
  • SENT-3458: Fixed an issue where the RAPID malscape completion worker could be stuck in an endless loop degrading file analysis capabilities on sensor appliances.
  • PLTF-3130: Fixed an issue where sensor group functionality was not taken into account for custom postprocessing rules.
  • PLTF-3124: Introduced a new "can_view_users" permission that provides read-only access to information on accounts, permissions and roles.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

  • Lastline Sensor version 1330
2022.2 2022.4