Back to binalyze.com

Assets

Responder Updates

Manage updates for the AIR responders installed on assets.

  • This feature enables or disables automatic updates for responders. If enabled, the responders will automatically update to the latest version when a new release is available. This ensures that responders are always running the most current version, complete with all the latest features and security patches.

  • Deployment Tokens: These tokens are used to securely install and register responders on new assets, ensuring the responders communicate correctly with the AIR Console upon installation.

Backward Compatibility for AIR and Responder Updates

Clarifying Backward Compatibility since AIR v4.29+

Overview In AIR v4.29, we introduced a major improvement: decoupling AIR console updates from Responder updates. This gives teams greater flexibility when deploying AIR updates, especially in large-scale environments.

What This Means (and What It Doesn’t)

  • Starting with AIR v4.29, the AIR console can be updated independently of Responder updates.

  • All AIR versions (4.29 and onward) will maintain backward compatibility with Responders that are also on version 4.29 or newer.

  • Responders running versions older than 4.29 (e.g., 2.54.3) are not compatible with certain key features such as:

    • Evidence acquisition

    • Triage

    • interACT

Users with older Responder versions will see messages like:

"The asset’s AIR Responder must be updated to accept tasks."

To summarize: Backward compatibility was introduced with AIR version 4.29 and onwards. If your Responders are still on versions earlier than 4.29, they must be upgraded at least once to benefit from this compatibility model going forward.

Tamper Detection

Enable alerts for tampering attempts on responders.

  • When Tamper Detection is enabled, the responder will actively monitor its own operation for any interference or attempts to disable it.

  • Functionality: If there is an attempt to modify or interfere with the responder (e.g., by disabling it or altering its files), the responder will notify the AIR Console, ensuring that any malicious attempts are flagged immediately.

  • This feature is critical for ensuring the integrity and continuous operation of responders in high-security environments.

Uninstallation Password

Prevent unauthorized uninstallation of responders by requiring a password.

  • When this feature is enabled, users must enter a protection password to uninstall the responder from an asset. This prevents unauthorized personnel from removing the responder, which could otherwise leave the asset vulnerable or unmonitored.

  • Uninstallation Method: The uninstallation process will be restricted to shell commands, meaning it can't be removed via a simple GUI or file system manipulation, adding an extra layer of security.

Active Directory (AD) Integration

Synchronize assets from Active Directory with AIR.

  • This feature allows AIR to integrate with your Active Directory (AD) environment. You can specify the AD server (e.g., 10.0.0.1) and the domain (e.g., company.local) to automatically synchronize information about computers and users from AD into AIR.

  • LDAP Synchronization: By manually starting the LDAP synchronization, you can query Active Directory for specific objects such as computers, ensuring that AIR can discover and manage assets from your organization's AD.

  • The Query For Computers field (e.g., (&(objectCategory=computer))) uses an LDAP filter to query and sync only computer objects from the directory.

  • Authentication: You will need to provide an AD username and password to authenticate and pull information from the directory.

PreviousGeneralNextSecurity

Last updated

Was this helpful?