Lastline Defender and Analyst Hosted Release Notes

Version 2022.4

New Features

  • Windows 10 becomes the primary environment for MS Office document analysis

WINDOWS 10 BECOMES THE PRIMARY ENVIRONMENT FOR MS OFFICE DOCUMENT ANALYSIS

The anti-malware sandbox will use Windows 10 as the primary environment for MS Office document analysis. The environment was optimized to significantly reduce analysis time and improve efficiency.

This new feature was tracked internally as FEAT-7760.

Detection Improvements

  • LLAM-9210: Improved detection of DynamicLoader, ChromeLoader, YTStealer and TrojanMiner
  • LLAM-9654: Improved detection of Bladabindi malware
  • LLAM-9583: Improved detection of Ryuk Ransomware
  • LLAM-9367: Improved detection of Meterpreter malware family
  • LLAM-9688: Improved detection of Qakbot malware
  • LLAM-9580: Improved detection of Dridex malware family
  • LLAM-9368: Improved detection of Mimikatz
  • LLAM-9369: Improved detection of Powersploit
  • LLAM-9334: Improved detection of Sliver
  • LLAM-9318: Improved detection of GwisinLocker ransomware
  • LLAM-9622: Improved detection of VIRTUALPITA malware
  • LLAM-9424: Improved detection of Luna Ransomware
  • LLAM-9258: Improved detection of Cobalt Strike and Lazagne malware families
  • LLAM-9386: Improved detection of Luna ransomware
  • LLAM-9384: Improved detection of Babuk ransomware
  • LLAM-9387: Improved detection of HelloKitty ransomware
  • LLAM-9259: Improved detection of Lazagne, Meterpreter and Powersploit
  • LLAM-9811: Improved detection of Armadillo packer
  • LLAM-9401: Improved detection of RedlineStealer Krypter
  • LLAM-9325: Improved detection of Dreambot and Darkutilities malware
  • LLAM-9525: Improved detection of kkrunchy packer
  • LLAM-9373: Improved detection of an anti-analysis technique leveraged by various malware families
  • LLAM-8872: Improved detection of Guloader malware
  • LLAM-9186: Improved detection of ScareCrow loader
  • LLAM-9187: Improved detection of Bladabindi

Bug Fixes and Improvements

  • PLTF-3144: Non-ascii URL characters are now properly escaped in email notifications
  • LLAM-9839: Reduced false positives from orphan processes
  • SENT-3499: Fixed an issue where sensor appliances generating unusually large amounts of HTTP NTA events could lead to excessive load in the backend processing
  • FEAT-7536: Improved compatibility for running sensors in ESXi environments
  • FEAT-7696: The sensor appliance now ships with a new IDS architecture. The new architecture mostly preserves feature parity with the previous implementation, but should lead to more reliable and consistent reporting of flow logs and DNS events in NTA

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1340

Distribution Upgrade

Sensor version 1220 was the final version to support Ubuntu Xenial as our operating system distribution. In order to upgrade to 1340, the appliance must be running Bionic as its operating system distribution. You can check the distribution in use by an appliance in the Appliance Status view of the portal: the "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded before the sensor upgrade can proceed. For help with the upgrade process, please refer to the following instructions. This update is not performed automatically, to prevent unexpected downtime.
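The portal's Appliance Status view is the check the release notes describe. The following is an added example, not Lastline tooling, of the same "is this appliance on bionic yet?" decision made locally by reading an Ubuntu /etc/os-release; that the appliance exposes a standard os-release file, and the two sample files below, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the release notes or Lastline's own tooling):
# decide from an Ubuntu os-release file whether a sensor appliance is on the
# distribution that Sensor 1340 requires (bionic) or still on xenial.
# Reading /etc/os-release on the appliance is an assumption; the notes point
# to the "Base Distribution" field in the portal's Appliance Status view.

# base_codename FILE -> prints the distribution codename from KEY=VALUE lines.
# Prefers UBUNTU_CODENAME / VERSION_CODENAME, strips optional double quotes.
base_codename() {
    awk -F= '
        $1 == "UBUNTU_CODENAME" || $1 == "VERSION_CODENAME" {
            gsub(/"/, "", $2); print $2; exit
        }' "$1"
}

# upgrade_eligible FILE -> 0 if the appliance may be upgraded to sensor 1340,
# 1 if the distribution must be upgraded to bionic first, 2 if unrecognised.
upgrade_eligible() {
    codename=$(base_codename "$1")
    case "$codename" in
        bionic) echo "bionic: OK to upgrade to sensor 1340"; return 0 ;;
        xenial) echo "xenial: upgrade the distribution to bionic first"; return 1 ;;
        *)      echo "unrecognised distribution '$codename'"; return 2 ;;
    esac
}

# Constructed sample files standing in for /etc/os-release on two appliances
# (assumed content, modelled on stock Ubuntu 18.04 and 16.04 files).
tmp_bionic=$(mktemp); tmp_xenial=$(mktemp)
trap 'rm -f "$tmp_bionic" "$tmp_xenial"' EXIT
cat > "$tmp_bionic" <<'EOF'
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
EOF
cat > "$tmp_xenial" <<'EOF'
NAME="Ubuntu"
VERSION="16.04.7 LTS (Xenial Xerus)"
ID=ubuntu
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
EOF

# Demonstration: the bionic appliance passes, the xenial one is refused.
upgrade_eligible "$tmp_bionic"
upgrade_eligible "$tmp_xenial" || true
```

Run it on a real appliance by replacing the sample path with /etc/os-release; a non-zero exit from upgrade_eligible means the distribution upgrade has to be done first, which matches the portal showing "xenial" under Base Distribution.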
