Lastline Defender and Analyst Hosted Release Notes

Version 2023.1

New Features

  • Support for analysis of OneNote documents

Support for Analysis of OneNote Documents

NSX NDR supports analysis of OneNote documents: OneNote file (mime-type: application/onenote) and OneNote package (mime-type: application/vnd.ms-onepkg-compressed).

This new feature was tracked internally as FEAT-8013.

Detection Improvements

  • LLAM-10033: Improved detection accuracy for CheatEngine
  • LLAM-10013: Improved accuracy of detection of suspected shellcode instructions
  • LLAM-9820: Improved detection of Brute Ratel
  • LLAM-9885: Improved detection of Nighthawk implants
  • LLAM-10054: Improved detection of Royal ransomware
  • LLAM-10043: Improved detection of NetSupport RAT
  • LLAM-9972: Improved detection of Coinminer
  • LLAM-9970: Improved accuracy of detection for ELF files
  • LLAM-9951: Improved detection of XMRigMiner
  • LLAM-9989: Improved detection of Merlin Agent
  • LLAM-10067: Improved detection of ESXiArgs ransomware
  • LLAM-10036: Improved detection of LNKRunner
  • LLAM-10032: Improved accuracy of detection for obfuscated applications
  • LLAM-10034: Improved accuracy of detection of ransomware
  • LLAM-9940: Improved detection of Jumplump
  • LLAM-9216: Improved detection of KNOTWEED malware
  • LLAM-9941: Improved detection of Jumplump dropper
  • LLAM-9837: Improved detection of Blackbasta
  • LLAM-8450: Improved detection of Sysjoker Backdoor
  • LLAM-9915: Improved detection of Sysjoker
  • LLAM-9803: Improved detection of Manuscript Downloader
  • LLAM-9802: Improved detection of malicious Krypter
  • LLAM-9443: Improved detection of Autorun worm
  • LLAM-9944: Improved detection for payload samples of Redline stealer
  • LLAM-9850: Improved detection of Brute Ratel
  • LLAM-9847: Improved detection of CobaltStrike
  • LLAM-9814: Improved detection of Qakbot
  • LLAM-9584: Improved detection of access to Chrome configuration files
  • LLAM-9577: Improved detection of Conti ransomware
  • LLAM-9952: Improved detection of P2P-Worm

Bug Fixes and Improvements

  • SENT-3603: Sensor 1340 introduced a performance issue with IDS reputation lookups that could lead to low performance and high disk utilization due to backlogs in updating the reputation cache. This problem is now resolved.
  • SENT-3617: Fixed a bug that caused the sensor sniffing service to not apply data retention to the drop directory for extracted files, causing disk utilization to grow to unusually high values.
  • PLTF-3491: Updated the Active Directory integration to accommodate the Microsoft security patch (KB5004442), which hardens the DCOM protocol used for connecting to Windows Domain Controllers.
  • LLDOC-540: Updated the Active Directory Integration Guide to state that the newly created Domain Controller account must belong to the "Event Log Readers" group to associate events in the monitored network.
  • FEAT-7955: The version of Kibana and Elasticsearch used for the Network Explorer feature has been upgraded to version 7.17.8.
  • FEAT-7957: The sensor blocking capabilities have been improved by integrating them more deeply with the IDS engine.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1350

Distribution Upgrade

Sensor version 1220 was the final version to support Ubuntu Xenial as the operating system distribution. To upgrade to 1350, the appliance must be running Bionic. You can check the distribution in use by an appliance in the Appliance Status view of the portal: the "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution must be upgraded first. For help with the upgrade process, please refer to the following instructions. This update is not performed automatically, to prevent unexpected downtime.
