Lastline Defender and Analyst Hosted Release Notes

Version 2022.2

New Features

  • Prefilter for Scripts

PREFILTER FOR SCRIPTS

A new script pre-filtering component reduces the load on customers' infrastructure by filtering out clearly benign scripts before they reach sandbox analysis.

This new feature was tracked internally as FEAT-6141.

Detection Improvements

  • LLAM-8565: Improved detection for modified UPX PE samples and .NET-based SharePoint user profile sync PUA PE samples.
  • LLAM-8482: Improved detection for ELF samples with malformed ELF headers.
  • LLAM-8551: Improved detection for truncated ELF samples.
  • LLAM-8554: Improved detection of the Linux Roothelper exploit.
  • LLAM-8530: Improved detection of Ryucurrency miners.
  • FEAT-6978: A new detector raises alerts upon observing anomalous spikes in the number of SMB logon failures. SMB logon events occur when users authenticate prior to continue.

Version 2022.1.2

Bug Fixes and Improvements

  • LLCC-2748: Extended expiration date of GPG key used for signing appliance actions.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

  • Lastline Sensor version 1310.1

Version 2022.1

New Features

  • Suricata 6 IDS Engine

SURICATA 6 IDS ENGINE

The sensor ships with the Suricata IDS engine updated to version 6.0.4. This brings a number of performance and stability improvements as well as new security functionality that may be leveraged in future releases.

This new feature was tracked internally as FEAT-7343.

Detection Improvements

  • TRES-2598: Improved detection of the XMR miner.
  • FEAT-7287: Improved correlation of lateral movement activity into campaigns. In particular, various types of server-side lateral movement are now better supported.
  • TRES-2563: Improved detection of the Meterpreter payload.
  • TRES-2614: Improved detection of the Valyria malware.
  • LLAM-8033: Improved detection of CVE-2021-40444.
  • LLAM-8037: Reduced false positives on document analysis.

Version 2021.7

New Features

  • Support for Broadcom NICs in sniffing appliances

SUPPORT FOR BROADCOM NICS IN SNIFFING APPLIANCES

This release adds official support for Broadcom NICs based on the bnxt_en driver. Previously, sniffing appliances using such NICs were supported only in the standard "compatibility mode" with reduced performance; starting with this release, sniffing appliances can leverage hardware acceleration to achieve higher throughput.

This new feature was tracked internally as FEAT-7205.

Detection Improvements

  • LLAM-8033 - Improved detection of CVE-2021-40444.
  • LLAM-8037 - Reduced false positives on document analysis.

Bug Fixes and Improvements

  • SENT-3296 - Fix to an issue where a sniffing appliance with a large number of CPU threads or a large number of continue.

Version 2021.6

New Features

  • Permalink Option for Interactive Analysis Reports

Permalink Option for Interactive Analysis Reports

The permalink feature allows a link to an interactive Malware Analysis report to be shared with others within the organization without requiring them to log in to the NSX Defender Portal to view the details. To create a shareable report permalink, click the "Share Report" button when viewing an Analysis Report. This feature is being tracked as FEAT-6081.

Bug Fixes and Improvements

  • FEAT-7075 - Fix issue that could cause some detections with verification outcome "failed" or "blocked" to have unexpectedly high impact score.
  • LLAM-7837 - Improving content extraction from XLSB document files continue.

Version 2021.5

Bug Fixes and Improvements

  • SENT-3224 - Fixed incorrect handling of HTTP encoding headers in the ICAP daemon. The issue would cause analysis requests encoded in gzip encoding to be incorrectly treated as archives (and thus fully analysed) in cases in which the proxy submitting the request does not support the ICAP preview mechanism.
  • SENT-3219 - Performance improvement for the sensor IDS component.
  • SENT-3210 - Fixed a bug in the ICAP daemon where enabling Secure ICAP would cause the daemon to crash.
  • SENT-3220 - Fixed an issue in the sensor netflow collector codebase where the presence of a large number of independent collector instances could cause the system continue.

Version 2021.4

New Features

  • Home network to default to RFC-1918 private IP ranges if not configured.
  • Report source of flows in collector mode

Home network to default to RFC-1918 private IP ranges if not configured.

The home network setting has become increasingly important to Defender functionality. Home network information is taken into account throughout the detection and correlation pipeline, and is important to ensure accurate detection, classification and correlation of relevant threats.

For this reason, if a user has not configured a home network setting for a sensor group, we now default its home network to the standard RFC 1918 private IP ranges:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Version 2021.3

Reminder to tag hosts that perform vulnerability scans

A previous release extended the host tagging feature with Lastline-defined host tags. Assigning these non-editable tags to known hosts in your environment provides increased accuracy in threat correlation and also prevents potentially unwanted correlations. The next release (2021.4) will add a campaign correlation rule that uses the "ll:vulnerability scanner" host tag to distinguish malicious, attacker-initiated vulnerability scans from scheduled benign scans. We recommend that hosts performing benign vulnerability scans be tagged with the appropriate tag so that only malicious scans are correlated. Lastline-defined tags can be assigned to hosts continue.

Version 2021.2

New Features

We are planning to change the public IP addresses used by Lastline backend services to reflect our move away from an older datacenter provider to more scalable infrastructure. These are the IP addresses assigned to lastline.com hostnames contacted by Lastline appliances (such as log.lastline.com, user.lastline.com, management.lastline.com, update.lastline.com, and anonvpn.lastline.com) when accessing services like cloud APIs and image registries. This will affect both hosted and on-premise installations of all Lastline products.

These IP addresses must be permitted by your firewall rules before they go live, which is expected in August 2021, to prevent service disruption.

The new IP address range continue.

Version 2021.1

Detection Improvements

  • TRES-1979: Improved detection of d77fd67d malware family.
  • TRES-1990: Improved detection of malware abusing image file execution options.

Bug Fixes and Improvements

  • FEAT-6687: Sniffing and ICAP sensors now support the extraction from the wire of Executable and Linkable Format (ELF) files.
  • MALS-3451: The Lastline Analyst API now supports HTTP Basic Authentication (RFC 7617). For backward compatibility, authentication headers are ignored if another form of authentication is provided.
  • SENT-3081: Fix to an issue where the submission of a completely benign document on an ICAP sensor would incorrectly cause its analysis to be stalled indefinitely.
  • SENT-3080: This fix resolves a major issue in the sensor ICAP implementation where continue.