Responder Exception Rules

Why Create Exception Rules for AIR in EDR/AV Systems

AIR operates by collecting and analyzing extensive forensic data from assets. This process involves the execution of binaries, the creation of temporary files, and access to sensitive directories. Without proper allow-listing or exception rules in your Endpoint Detection and Response (EDR) or Antivirus (AV) systems, these activities may be flagged as suspicious or malicious, potentially leading to disrupted investigations and incomplete forensic acquisitions.

Allow-listing AIR components ensures that AIR can perform its essential tasks without interference, enabling fast, efficient investigations. By setting up proper exception rules in your security systems, you help maintain the integrity of the incident response process while avoiding false positives that could delay critical operations.

How to Configure EDR and AV Exceptions for AIR

For optimal performance, configure your EDR and AV systems to exclude specific AIR folders and binary files. The paths and binaries to exclude vary by operating system:

Windows

Folders to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\

  • C:\ProgramData\.binalyze-air

Binaries to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe

  • %ProgramData%\.binalyze-air\WATCHDOG.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\curl.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\osqueryi.exe
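As an added example (not part of the Binalyze documentation), the Windows exclusions listed above applied to Microsoft Defender with the Defender PowerShell module and then read back to confirm they took effect. It assumes Defender is the AV on the endpoint, the session is elevated, and exclusions are not locked by a central policy.

```powershell
# Added example: apply the Windows AIR exclusions listed above to Microsoft Defender.
# Assumes Microsoft Defender is the AV on the host and the session is elevated.
#Requires -RunAsAdministrator

$airAgentDir = 'C:\Program Files (x86)\Binalyze\AIR\agent'
$airDataDir  = Join-Path $env:ProgramData '.binalyze-air'   # %ProgramData%\.binalyze-air

$folders = @(
    $airAgentDir,
    $airDataDir
)

$binaries = @(
    (Join-Path $airAgentDir 'AIR.exe'),
    (Join-Path $airAgentDir 'DRONE.exe'),
    (Join-Path $airAgentDir 'TACTICAL.exe'),
    (Join-Path $airDataDir  'WATCHDOG.exe'),
    (Join-Path $airAgentDir 'utils\curl.exe'),
    (Join-Path $airAgentDir 'utils\osqueryi.exe')
)

$current = Get-MpPreference

# Folder exclusions: skip entries Defender already has so the script is safe to re-run.
foreach ($path in $folders) {
    if ($current.ExclusionPath -contains $path) {
        Write-Host "Path exclusion already present: $path"
        continue
    }
    Add-MpPreference -ExclusionPath $path
    Write-Host "Added path exclusion: $path"
}

# Process exclusions: files opened or written by these processes are not scanned.
foreach ($exe in $binaries) {
    if ($current.ExclusionProcess -contains $exe) {
        Write-Host "Process exclusion already present: $exe"
        continue
    }
    Add-MpPreference -ExclusionProcess $exe
    Write-Host "Added process exclusion: $exe"
}

# Read the configuration back and report anything that did not take effect.
$after   = Get-MpPreference
$missing = @($folders  | Where-Object { $after.ExclusionPath    -notcontains $_ }) +
           @($binaries | Where-Object { $after.ExclusionProcess -notcontains $_ })
if ($missing.Count -eq 0) { Write-Host 'All AIR exclusions are in place.' }
else { Write-Warning "Not applied (check tamper protection or managed policy): $($missing -join ', ')" }
```

A Defender process exclusion covers the files a process touches rather than the executable image itself; the executables here are covered by the two folder exclusions. Keep the exclusions limited to the paths on this page, since anything placed inside an excluded folder is also left unscanned.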

Linux

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog

macOS

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/local/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog
