ReversingLabs Insights™, 6.4.0-23   |   TiCore Version: 4.0.8-1

RLI v6.4 Release Highlights

Static Analysis

  • TitaniumCore v4.0.8-1, initially integrated into the v6.3.2 patch release, is included with RLI v6.4. The release delivers improved certificate reputation baselines by adding time limits to recently leaked certificates and updating publisher trust ratings within the RL data corpus. This update also delivers the following outcomes for our users:
    • Updated malware classification machine learning models
    • Improved classification efficacy through updated malware detection rules
    • Even more files classified through RHA
    • More YARA classification rules with broader coverage
    • Improved certificate reputation baselines
    • Quality improvements through delivery of prioritized bug fixes
  • Change the threat status of a sample via the API using /api/samples/setclassification/, exposing the existing GUI function through RLI’s REST API. This improves response team productivity by allowing bulk reclassification of samples to be automated, reducing manual work

Dynamic and Network Analysis

  • Network Threat Intelligence Domain Analysis information is now shown on the URL summary page. Data is retrieved from TitaniumCloud dynamically upon page load, providing users with more efficient and richer triage capabilities with coverage from the full RL data corpus. Domain threat intelligence contains domain reputation from various reputation sources, the maliciousness of files found on the domain and other metadata like last DNS records, related URLs and related domains (subdomains, siblings)
  • URL Analysis improvements and enhancements include:
    • Richer URL analysis workflows, with the Sample Summary page of failed submissions now returning URL and domain threat intelligence from other sources, if available
    • Improved error actionability for users where the Sample Summary pages of unsuccessful URL analyses will now show additional info on why analysis failed in the page sidebar
    • RLI REST API updates: optional parameters added to the Report Summary API allow retrieval of URL and domain threat intelligence as part of the API response, and URL and domain threat intelligence has been added to URL status API responses
  • CAPE and Cuckoo reports have been updated with information on dropped files

Workflows

  • Global Upload Workflow: Users can now quickly upload samples using a globally available control regardless of which screen they are on, improving usability and supporting concurrent triage and hunting workflows
  • Global Search Workflow: Users can more efficiently search samples and data of interest within the RL data corpus using a globally available control, improving usability and Triage and Response team productivity
  • YARA enhancements:
    • Error handling improvements within the YARA Editor, notably automatic validation when the YARA editor loads, without the need to click ‘Save’, and better syntax error display
    • Import and edit of invalid rulesets: users can now import and edit invalid rulesets within RLI instead of using the previous off-box workflows. Rulesets that don't pass YARA validation are imported with their rules marked as ‘disabled’
  • Search Progress Icon: The Advanced Search and RHA pages will now show a progress icon next to items that are reprocessing

Maintenance & Operations

  • Modern Exchange Authentication (OAuth 2.0) is now supported on the AbuseBox connector, allowing for better security and integration with MS Exchange, giving users and organizations who use Office365 the ability to forward emails into RLI for analysis and further inspection
  • System Health Indicator: RLI users remain informed of potential system-level problems that may affect processing of samples, giving clear visibility regardless of which appliance screen they may be looking at and actionable guidance for further investigation of the problem
  • Quality improvements through a number of prioritized defect fixes, notably around YARA Error handling and misstated error states in some processing scenarios

See the full release notes on the ReversingLabs Customer Portal (login required).

RLI v6.3.2 Release Highlights

Maintenance & Operations

  • Quality improvements through a number of prioritized defect fixes, notably displaying local data when appliance API requests have exceeded quota instead of a 429 Status Error code and improved service resiliency upon appliance reboot

See the full release notes on the ReversingLabs Customer Portal (login required).

RLI v6.3.1 Release Highlights

Dynamic & Network Analysis

  • Improved usability of the FireEye section on the Sample Summary page, with visual uniformity in line with our other supported third-party sandbox integrations
  • Improved URL submission usability with more descriptive error information provided to users when RLI fails to scrape a submitted URL, providing users help with debugging

Maintenance & Operations

  • Security compliance updates in v6.3.1 include fixes for Python Django and Go technologies, ensuring security compliance coverage for our users
  • Quality improvements through a number of prioritized defect fixes, notably improved handling of a case where the TitaniumCore Goodware classification was not propagated correctly to the overall file classification, and an edge case where the unknown classification was returned if the appliance’s TitaniumCloud reputation source had been disabled by an administrator
  • YARA Rules per rulesets limits have been relaxed following a period of performance monitoring, enabling greater efficiency in customer workflows
  • Privacy Policy updated in v6.3.1 to provide users with improved readability

See the full release notes on the ReversingLabs Customer Portal (login required).

RLI v6.3 Release Highlights

Static Analysis

  • TitaniumCore v4.0.8 delivers further improved certificate reputation baselines by adding time limits to recently leaked certificates and updating publisher trust ratings within the RL data corpus
  • TitaniumCore v4.0.7, initially integrated into the v6.2.2 February 2022 patch release, is included with RLI v6.3. The release improves Excel format support by extracting embedded formulas into separate textual files, expanding macro code extraction and enhancing password-protected document decryption. This update also delivers the following outcomes for our users:
    • Updated malware classification machine learning models
    • Improved classification efficacy through updated malware detection rules
    • Even more files classified through RHA
    • More YARA classification rules with broader coverage
    • Improved certificate reputation baselines
    • Quality improvements through delivery of prioritized bug fixes
  • attack-tactic and attack-technique advanced search keywords have been added, allowing users to search for samples based on detected ATT&CK framework attacks and techniques

Dynamic and Network Analysis

  • RL Cloud Sandbox:
    • Usability Refresh: The analysis results pages have been redesigned for readability and now show all information on a single page, with general file details and classifications at the top, followed by a table listing all analyses performed on the sample. Tabbed navigation has also been added for the refreshed Network and Behavioral analysis information and the newly added Dropped Files and MITRE ATT&CK tabs
    • MITRE ATT&CK tab added, linking to a table of MITRE ATT&CK Techniques detected during dynamic analysis
    • Dropped Files tab added, listing files that the sample dropped during dynamic analysis. If available locally, these files can be interacted with and inspected like any other file on the appliance
    • Behavior and Network Analysis refresh with revised key data overview and user-friendly navigation
    • ZIP Archive Support: ZIP is now a supported file type, with an option to automatically analyze uploaded ZIP archives
    • Merged and Historic Reports now allow users to more easily switch between the merged analysis report and any of the individual reports within the UI using a dropdown menu above the tabbed section
  • Network Threat Intelligence API Integration: Sample Summary pages for URL submissions now contain an additional tab displaying results of the ReversingLabs TitaniumCloud URL Threat Intelligence service. For URL submissions that failed to analyze, this tab will display any data held by ReversingLabs or third-party URL reputation information, if available

Workflows

  • Submit File (Password & Platform) button, configurable via administration, has been added, enabling submission of password-protected .ZIP archives. This allows suspicious and malicious files, for example email attachments, to be submitted to RLI as password-protected archives, with the additional option of selecting the RL Cloud Sandbox platform to which the extracted file will be submitted
  • GUI Upload Priority: Files uploaded using the user interface are now prioritized over files uploaded using other methods (e.g. REST API, Connectors, automation scripts), streamlining workflows for RLI interface users
  • Predicted filenames generated by TitaniumCore are now visible on the Sample Summary pages and returned via the Report Summary API and Full Report API in the proposed_filename response field
  • MITRE & ATTACK section of the Sample Summary report has been updated to be consistent with the MITRE ATT&CK section in the sidebar menu. Both are now presented as tables
  • Embedded File Type Statistics pie chart has been improved for better readability when displaying samples with a large number of extracted file types. The Statistics section in general will be overhauled in a future release

Maintenance

  • URL submissions forwarded to Joe Sandbox integrations will now be submitted as a URL, using the Joe Sandbox Browse URL API
  • Security compliance updates in v6.3 include a number of updates for backend services
  • Quality improvements through a number of prioritized defect fixes, including restoration of ‘Comments’ to the sidebar of Sample Summary pages

See the full release notes on the ReversingLabs Customer Portal (login required).

RLI v6.2.2 Release Highlights

Classification / Innovation (Tier 1 and Tier 2 Analysts, Threat Hunters, Security Analysts)

RLI v6.2.2 integrates the latest version of ReversingLabs’ industry leading static analysis engine TitaniumCore v4.0.7. In addition to better format support through extracting embedded Excel formulas into separate textual files, this update delivers on the following outcomes for our users:

  • Updated malware classification machine learning models
  • Improved classification efficacy through updated malware detection rules
  • Even more files classified through RHA
  • More YARA classification rules with broader coverage
  • Improved certificate reputation baselines
  • Quality improvements through delivery of prioritized bug fixes

Enterprise Readiness / Usability (Tier 1 and Tier 2 Analysts, Threat Hunters, Security Analysts, SOC Managers)

  • Security compliance updates in v6.2.2 include a number of updates for backend services
  • Quality improvements through a number of prioritized defect fixes, notably improved reliability for local appliance URL processing
  • Updated Privacy Policy

See the full release notes on the ReversingLabs Customer Portal (login required).

RLI v6.2.1 Release Highlights

Enterprise Readiness / Usability (Tier 1 and Tier 2 Analysts, Threat Hunters, Security Analysts, SOC Managers)

  • Security compliance updates: v6.2.1 includes a number of security compliance updates, notably Python Django and a number of backend technologies, ensuring security coverage for our users
  • Usability issues were resolved in v6.2.1, notably around navigation from within the sample summary page
  • Improved performance through a reduction in database transactions, configuration optimization, and various backend task tweaks
  • Quality improvements through a number of prioritized defect fixes, including improvements around automated re-submission of samples to JoeSandbox integrations, along with improved reliability and error handling for URL processing

See the full release notes on the ReversingLabs Customer Portal (login required).