Spectra Analyze changelog
The changelog contains references to our internal ticketing system. We use the Keep a Changelog format.
v9.2.2
November 2024
Added
- The S3 connector can now fetch files based on their previous classification or threat name. The prerequisite for this is for the files to have appropriately formatted object metadata that contains this information. Spectra Detect v5.2.1 allows saving such metadata together with the processed file. This allows a workflow where files are pre-processed by a Worker, saved (together with metadata) to S3, and then pulled by Spectra Analyze if they satisfy certain criteria. [TCB-18855]
Changed
- Spectra Core updated to version 5.2.1. [TCB-18789]
- The search date picker now supports time as well for "Custom" ranges. [TCB-18541]
Fixed
- JSON decoding error crashes the summary page. [TCB-18752]
v9.2.1
October 2024
Added
- Added an "Automatically expand search period" checkbox option with a tooltip in the page settings, allowing users to disable automatic search period expansion when no results are found. [TCB-17110]
Fixed
- Processing samples will no longer fail due to the psycopg2.errors.StatementTooComplex: stack depth limit exceeded error message. [TCB-18617]
- get_yara_matches query performance is improved for revision_id values with many sample matches, preventing long execution times. [TCB-18608] [TCB-18577]
- Improved responsiveness of the popup modal, resolving slow dropdown menu interaction and delayed text input. [TCB-18439]
- Resolved restarts and memory issues in the /api/yara/ruleset API endpoint by addressing validation and size checking order for improved stability. [TCB-18647]
- The "Use Query Builder" label no longer overlaps the "Favorite Query" dropdown menu in the Search page settings. [TCB-18596]
v9.2.0
September 2024
Added
- The Sample Report Summary page has been thoroughly redesigned to provide more information at a glance. All available analysis methods are now listed under the Sample Summary page header, with the decisive classification highlighted. Where appropriate, the method tiles open into a dropdown with more information, indicated by an arrow. This page also contains MITRE ATT&CK information, the Relationship Graph, Threat Intelligence overview, Network References, analysis insights and YARA matches. [TCB-17721]
- A new search keyword, exploit, allows users to search for malware that abuses a specific CVE. Non-keyword searches are also supported if the query is formatted as CVE-XXXX-YYYYY. [TCB-14715]
- Custom YARA ruleset repositories can now be added to the appliance, with the ability to automatically monitor and synchronize changes and updates. [TCB-16977]
- For files that are YARA matches, the Hex tab in the Preview Sample / Visualization pop-up dialog now also highlights the matched ASCII content. [TCB-18292]
- The YARA Test Run page now supports adding test samples by hashes. [TCB-16578]
- Clearer messaging when the Advanced Search API quota has been exceeded, instead of a generic error. [TCB-17835]
- YARA Ruleset pages now contain "Enable Ruleset" and "Run Ruleset in Cloud" switches, removing the need to visit the Edit Ruleset page to change these options. [TCB-18374]
- A new configuration page has been added for Spectra Intelligence quota usage email notifications. Users can now enable email alerting, manage recipients, and set alert thresholds based on system quotas. [TCB-17217]
Changed
- Spectra Core updated to version 5.1.1. [TCB-18319]
  - Added identification for: ONNX, PicklePKL and Safetensors file types
  - Added unpacking support for: Composer, EFI, OVA, VDI, VHDX, VMDK file types
- Multiple predefined appliance user accounts have been hardened. [TCB-17886]
- Search keyword autocompletion sorting improved to offer better matches more reliably. [TCB-17085]
- "python-gevent" updated to version 23.9.1-2. [TCB-18245]
- Improved support for upgrading local appliance accounts to SSO accounts. [TCB-17335]
- Improved autocompletion for the filetype keyword. [TCB-18361]
- Samples without a filetype are now shown as "---" instead of "Binary/None". [TCB-18321]
- The "Open User Guide" menu item now leads to Spectra Analyze documentation on the online documentation portal. [TCB-18499]
Fixed
- Joe Sandbox analyses fail and show UnicodeDecodeError. [TCB-18407]
- Spectra Analyze configuration can't be applied if the Permit Root SSH Login checkbox is enabled. [TCB-18342]
- Depending on the user's configured timezone, relative dates are shown incorrectly across the interface. [TCB-18332]
- Text and hex visualization render file contents twice. [TCB-18294]
- When using the query builder, the firstseen value doesn't sync to the dropdown menu. [TCB-18281]
- The label "Configured by Spectra Detect Manager" is missing in some managed sections. [TCB-18261]
- The "Enable Root Login via SSH" checkbox shows wrong state and is not clickable. [TCB-18243]
- Minor user interface typos and inconsistencies. [TCB-18224], [TCB-18184]
- Search page stuck infinitely reloading after creating a PDF report. [TCB-18078]
- Clicking the user tags on the Alerts page results in an invalid search query. [TCB-17648]
- The first section on the Cloud Sample Summary pages is not automatically expanded. [TCB-17605]
- Sample action menus don't close properly on the Hash Not Found tab on the Search page. [TCB-17852]
- Unclear messaging when users try to import or upload YARA rulesets larger than the allowed size. [TCB-16946]
- Multiple redundancy fixes and improvements [TCB-18328], such as:
  - When configuring a redundancy cluster, the progress percentage sometimes decreases. [TCB-18189]
  - Files can't be uploaded to appliances configured as a redundant cluster. [TCB-17518]
  - Performing a redundancy switch over results in a 500 error page when allowed hosts are not configured. [TCB-18186]
  - Setting up redundancy times out and results in a 50x error. [TCB-18182], [TCB-18183], [TCB-18042]
  - Shutting down a primary node in a redundancy cluster while files are actively being uploaded fails to switch over to the secondary appliance. [TCB-15283]
v9.1.2
Added
- Samples that fail due to reasons such as long processing times or decompression bombs are no longer deleted, and can be reanalyzed by clicking "Retry Analysis" in the actions menu (☰) on the Search page. [TCB-17491]
- TLSH hash values are now displayed in the PDF report summary. [TCB-17974]
Changed
- The filename column in the exported sample reports now shows the actual file name rather than the SHA1. [TCB-18308]
Fixed
- "Configured By Spectra Detect Manager" label is no longer missing when configuration is applied. [TCB-18261]
- Fixed an issue with the collector agent throwing an exception. [TCB-18312]
v9.1.1
Added
- Spectra Analyze v9.1.1 integrates a new version of Spectra Core (v5.0.2). [TCB-17902]
- TLSH hash values are now calculated and displayed on sample summary pages and in expanded rows. TLSH is a hashing algorithm based on file similarity, helping to efficiently identify similar, nearly identical, or modified files. [TCB-17969]
- RL Auxiliary Analysis now displays additional fields (Magic, TLSH, and Classification). [TCB-17912]
Changed
- CAPE Sandbox integration is updated to V2. [TCB-17908]
- S3 Bucket Folder input description is modified to improve clarity and remove redundant information. [TCB-18176]
- Enhanced design consistency for the "Change" button in the user interface. [TCB-18029]
Removed
- yara_monitoring feature flag indicator is no longer available on the YARA dashboard page. [TCB-17968]
Fixed
- Fixed a high-severity security issue in python-gevent. [TCB-17495]
- Failed samples being reprocessed during local retro hunt. [TCB-18192]
- Incorrect "Enable Root Login via SSH" configuration checkbox state after disabling the option. [TCB-18139]
- Fixed the "Test Connection" button with the integration of Trellix (formerly FireEye). [TCB-18022]
- User is no longer presented with a "404 Not Found" page when searching for a non-existent single hash. [TCB-17570]
- Disabling rulesets causing "Out of Sync" status on the YARA Synchronization page. [TCB-18134]
- Multiple RL Auxiliary Analysis UI fixes and readability improvements. [TCB-17813] [TCB-17824] [TCB-17825] [TCB-17826] [TCB-17827] [TCB-17876]
v9.1.0
Added
- URLs and domains now have a new type of sample summary page focused on networking reputation. This page unifies all the data ReversingLabs has on the network resource, including third-party reputation. [TCB-16950]
- Search results pages for queries containing a single domain/URL now display a link to the Networking Sample Summary page of the network resource. [TCB-16951]
- When a sample matches a YARA ruleset, the Hex tab in the Preview Sample / Visualization pop-up dialog now highlights the matched content, and allows filtering by ruleset, rule or matched value. [TCB-17388]
- Added an alternative way of writing search queries in the form of Query Builder. This feature preview improves context awareness during auto-completion and overall search performance. It can be enabled from the gear icon menu on the Search page. [TCB-17553]
- Spectra Analyze instances connected to a Spectra Detect cluster comprising a Manager and a Hub group now have the option to trigger YARA retro hunts on remote S3 buckets connected to the Spectra Detect Hub group using the Hub group's S3 connector service. To start a remote storage YARA retro hunt, click the "Run Retro Hunt" button on the YARA page, switch to the "Remote Storage Retro Hunt" option, select the buckets and configure the filters. Results of remote retro hunts can be found via links to the Spectra Detect Manager analytics dashboard in the "Open Retro Hunt List" pop-up dialog. [TCB-17480]
- A notification system has been added to the Alerts feature, displayed as a bell icon in the main menu. Clicking the icon opens a list of recent alerts, and any new notifications will be indicated by a red badge.
- The top right corner now contains an icon that expands to a quota panel for Spectra Intelligence, showing time-based or count-based limits. [TCB-17408]
- The Spectra Analyze API documentation is now also available as an Open API specification, accessible from the Help > API Docs item in the main menu. You can authorize with either a session cookie (sessionId) or with an appliance token, and can send API requests directly from the documentation.
Changed
- The pop-up dialogs for submitting files and URLs have been reworked. File Analysis now has the options to optionally submit the file to the Spectra Intelligence cloud and ReversingLabs Cloud Sandbox for further analysis. URL Submissions going through the cloud can also be simultaneously submitted for dynamic analysis. The option to submit ZIP files with passwords is now part of the File Analysis dialog. [TCB-14428]
- Previously a tooltip, the YARA retro history list has been transformed into a full dialog window containing more information about previous and active retro hunts, as well as pivot links to the Spectra Detect manager when the run was executed on a remote S3 bucket. [TCB-17481]
- Clicking the System Status icon in the top right expands it and shows more system information at a glance: Disk Usage, Memory, CPU, and any outstanding alerts and issues. Previously, it was just a shortcut to the System Status page. [TCB-17562]
- Django updated to version 4.2. [TCB-16329]
Removed
- Removed the vulnerability (cve), cve-affects and cve-score keywords. Their functionality will be streamlined/improved upon in Spectra Analyze v9.2. [TCB-17226]
- Networking tabs have been removed from Sample Summary pages, as the information has moved to the new Networking Sample Summary pages. [TCB-17532]
Fixed
- Sending requests with an empty hash_value field to the Summary Analysis Report API returns a list of all samples on the appliance. [TCB-5819]
- The Right-To-Left Unicode character no longer breaks certain parts of the GUI. [TCB-7533]
- Exporting results from the Advanced Search page that contain samples classified as unknown will incorrectly show them as unclassified and with an assigned risk score. [TCB-13139]
- Opening the system status page in one browser tab and changing the appliance configuration in another shows multiple system status errors instead of switching to the "Maintenance" page. [TCB-13282]
- RL Cloud Sandbox is slow to respond for files that are not supported or not found, or when the rate limit has been exceeded. [TCB-15210]
- The appliance doesn't display an error message about a query being invalid when trying to share it. [TCB-16111]
- Cloud Sample Summary pages show a "Not configured to be included in the final classification" for RL Cloud Sandbox even though this setting doesn't apply to Cloud samples. [TCB-16587]
- The "Test Connection" button timeouts have been increased. [TCB-16713]
- Some information is missing when using the domain keyword and on the domain details page. [TCB-16986]
- When searching for a valid MD5 or SHA256 hash of a sample not existing locally or in the cloud, the appliance opens its sample summary page in an infinite loading loop. [TCB-17069]
- In some cases, hashes disappear from the advanced search box. [TCB-17091]
- Advanced search returns domain search results for queries including filename extensions. [TCB-17170]
- The itw keyword doesn't return local results. [TCB-17310]
- Misconfigured validation for certain fields in the S3 bucket configuration form. [TCB-17391]
- There are leftover logs from the deprecated Queue Manager. [TCB-17506]
- Uploads not working when the appliance is configured as a redundancy cluster. [TCB-17518]
- If both SMTP connector and SMTP integration are configured, and the SMTP connector is disabled, Postfix will stay disabled. [TCB-17521]
- Stopping and erasing the query in the search bar while searching for something with no local matches, and then switching to the local tab triggers the search to start again using the deleted query. [TCB-17533]
- Clicking the "Contact your TAM team" button breaks the page after the pop-up closes. [TCB-17534]
- Upgrading the appliance disables the ARN Role setting in S3 Connector settings. [TCB-17540]
- Bulk search is not working as expected when uploading a large set of hashes for the first time, with all hashes displayed as unknown and possible errors. [TCB-17566]
- Incorrect validation for the "Period of Inactivity Before Sign Out" field. [TCB-17578]
- Idling on the User Roles > Add page results in a 404 error. [TCB-17619]
- Unauthenticated users can preview password rules. [TCB-17664]
- Enabling the "Submit Only Distinct Files to Joe Sandbox" option invalidates the previously valid API key. [TCB-17669]
- Network Threat Intelligence shows corrupted data when there's no domain information. [TCB-17691]
- Setting the time to Custom on the Local Search tab doesn't translate to the Cloud tab and defaults to "Today" which expands into an empty sub-menu. [TCB-17693]
- YARA APIs do not check for valid ruleset file size. [TCB-17717]
- Sorting the YARA rulesets sometimes results in an empty table. [TCB-17749]
- File Threat Intelligence classification differs between Sample Summary pages and PDF reports. [TCB-17872]
- Subscribing to YARA matches is not possible. [TCB-17580]