Lastline Defender and Analyst Hosted Release Notes

Version 24.1

New Features

  • Sensor performance improvements
  • NSX NDR end-of-life (EOL) announcement for file analysis on Windows 7

Changes

  • Deprecate explicit proxy
  • PCAP retention changed to 30 days

SENSOR PERFORMANCE IMPROVEMENTS

This release ships a major architectural change to the sensor appliance aimed at improving sniffing performance. The previous reliance on AF_PACKET for packet acquisition is replaced by DPDK. The change should be mostly transparent to end users, with the exception of the naming scheme used for sniffing interfaces: once an interface is managed by DPDK, appliance-setup reports it by its PCI ID rather than by its Linux interface name.

When upgrading a pre-existing appliance to sensor version 1380 or later, we automatically attempt to enable native DPDK support; this may fail if IOMMU support is unavailable. In that case the appliance remains functional but operates at degraded performance. We configure the kernel to attempt to use the IOMMU at the next reboot, but on some appliances (e.g. virtual appliances) the IOMMU may need to be explicitly enabled in the appliance configuration.

Please refer to the lastline_test_appliance tool to check the status of an appliance and to identify common issues with the new sensor architecture.

This new feature was tracked internally as FEAT-8138.

NSX NDR END-OF-LIFE (EOL) ANNOUNCEMENT FOR FILE ANALYSIS ON WINDOWS 7

To ensure a satisfactory level of security, using Windows 7 is not advisable. As a consequence, testing the maliciousness of files in this environment is no longer deemed relevant. Therefore, starting with this release, files are no longer analyzed in a Windows 7 environment.

This new feature was tracked internally as FEAT-8200.

DEPRECATE EXPLICIT PROXY

Hosted 2023.2 was the last major release to support the sensor explicit proxy capabilities. The sensor explicit proxy functionality allowed running a Squid proxy on the appliance with basic TLS decapsulation functionality. This feature is no longer available in the current release. Support for ICAP integrations is not affected by this deprecation.

This change was tracked internally as FEAT-8229.

PCAP RETENTION CHANGED TO 30 DAYS

Previously, packet capture (PCAP) data stored on the VMware hosted backend was retained for 180 days. This data retention period has been reduced to 30 days.

This change was tracked internally as FEAT-8332.

Detection Improvements

  • LLAM-10543: Improved detection for Mirai Botnet
  • LLAM-10617: Improved detection for Boxter Runner
  • LLAM-10660: Improved detection for Perl Shellbot
  • LLAM-10742: Improved detection of Rootkits
  • LLAM-10743: Improved detection of persistence techniques used by malware in the MEME#4CHAN attack
  • LLAM-10744: Improved detection of XWorm
  • LLAM-10745: Improved detection of a Downloader
  • LLAM-10747: Improved detection of Prikormka malware
  • LLAM-10771: Improved detection of malware files in the MEME#4CHAN attack
  • LLAM-10775: Improved detection of Qakbot
  • LLAM-10774: Improved detection for Linpeas Hacktool
  • LLAM-10787: Improved detection of Mallox ransomware
  • LLAM-10813: Improved detection of Mirai
  • LLAM-10825: Improved detection of Malform RTF
  • LLAM-10826: Improved detection for Nitrogen Installer
  • LLAM-10838: Improved detection for HookAMSI, as found in Raccoon Stealer
  • LLAM-10842: Improved detection for Shellscript miner
  • LLAM-10848: Improved detection for Logcleaner Hacktool
  • LLAM-10849: Improved detection of Qbot
  • LLAM-10852: Improved detection for DreamBus Botnet
  • LLAM-10856: Improved detection for elevation of UIAccess applications
  • LLAM-10859: Improved detection of Sapphire Stealer
  • LLAM-10893: Improved detection for MathTypeObfs exploit
  • LLAM-10894: Improved detection of a Powershell Loader
  • LLAM-10895: Improved detection of Shellcode Runner
  • LLAM-10902: Improved detection for Whirlpool Linux Backdoor
  • LLAM-10915: Improved detection of Shellcode Runner
  • LLAM-10919: Improved detection of Webshell
  • LLAM-10920: Improved detection of Blueshell malware
  • LLAM-10922: Improved detection of Kryptik
  • LLAM-10957: Improved detection for Veeam Dumper
  • LLAM-10961: Improved detection for OilRig Trojan
  • LLAM-10975: Improved detection for MSIL Exploit CVE-2022-22718
  • LLAM-10989: Improved detection for Lumma Stealer
  • LLAM-10990: Improved detection for Bunny Loader
  • LLAM-11046: Improved detection for Poverty Stealer
  • LLAM-11011: Improved detection for dotRunpeX Injector
  • LLAM-11018: Improved detection for Stealer Loader
  • LLAM-11095: Improved detection for Darkgate
  • LLAM-11117: Improved detection for Knight Ransom Loader
  • LLAM-11120: Improved detection of RunPE Loader
  • LLAM-11121: Improved detection of BATLoaders
  • LLAM-11128: Improved detection of QiLin ransomware
  • LLAM-11129: Improved detection for Stealer Downloader
  • LLAM-11130: Improved detection for Mirai Botnet
  • LLAM-11131: Improved detection for Info Stealer
  • LLAM-11032: Improved detection of Akira ransomware
  • LLAM-11137: Improved detection of Kinsing malware
  • LLAM-11139: Improved detection for MSIL Shellcode Downloader
  • LLAM-11159: Improved detection for Ddostf Botnet
  • LLAM-11166: Improved detection of BeaverTail malware
  • LLAM-11172: Improved detection of a VBS Downloader

Bug Fixes and Improvements

  • LLAM-11105: Correctly validate URLs when they contain incomplete HTTP Authentication Credentials.
  • SENT-3816: Performance optimisation of the sensor IDPS file extraction pipeline.
  • SENT-3853: Fixed an issue where certain files analysed by the sensor could stall the analysis pipeline for a long time because completion of their analysis was not being picked up correctly. The problem could occur in both sniffing and email analysis scenarios.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1380

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.

Distribution Upgrade

Sensor 1380 supports Ubuntu 20.04 (Focal) as the underlying operating system on new installations. When upgrading a pre-existing appliance running the previous Ubuntu release (Bionic), the distribution is not upgraded to Focal at this stage; tooling for upgrading the distribution of pre-existing appliances will be offered in a later release. Sensor version 1220 was the final version to support Ubuntu Xenial as the operating system distribution, so in order to upgrade to 1380 the appliance must already be running Bionic. You can check the distribution in use by an appliance in the Appliance Status view of the portal: the "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded first.
