Creating exclusions/exception rules for Responder on EPP and EDR Solutions
It’s common for anti-virus, EPP, and EDR (Endpoint Detection and Response) solutions to utilize exception rules to avoid unintentionally blocking important files or activities necessary for normal business operations.
These rules act as exclusions, allowing specific files, processes, or activities to bypass the security software's detection or blocking mechanisms. This is necessary in cases such as false-positive alerts triggered by (a) a legitimate application that may resemble malware or (b) a critical system file that is falsely flagged as malicious by security software.
To ensure proper functionality, the AIR responder uses distinct executables for different tasks, all of which must be excluded in the security solutions deployed alongside it. Because security solutions differ in how exceptions are defined, AIR supports folder-level exception rules only for the AIR responder folder. The operating system-specific full paths to the AIR responder folders and binaries are listed below.
Windows
Folders to Exclude:
- C:\Program Files (x86)\Binalyze\AIR\agent\
- C:\ProgramData\.binalyze-air
Binaries to Exclude:
- C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe
- C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe
- C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe
- %ProgramData%\.binalyze-air\WATCHDOG.exe
- C:\Program Files (x86)\Binalyze\AIR\agent\utils\curl.exe
- C:\Program Files (x86)\Binalyze\AIR\agent\utils\osqueryi.exe
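The following script is an added example, not Binalyze's own code: it registers the Windows paths above in Microsoft Defender Antivirus, which is assumed here to be the EPP in use (other products expose their own consoles or APIs, but the paths and the signature check carry over). It checks each binary's Authenticode signature before excluding it, since an exclusion removes detection coverage for that path.

```powershell
#Requires -RunAsAdministrator
# Added example: register the AIR responder exclusions from this page in Microsoft
# Defender Antivirus. Assumes Defender is the deployed EPP; run from an elevated session.

$agentDir = 'C:\Program Files (x86)\Binalyze\AIR\agent'
$dataDir  = Join-Path $env:ProgramData '.binalyze-air'   # resolves to C:\ProgramData\.binalyze-air

$folders  = @($agentDir, $dataDir)
$binaries = @(
    "$agentDir\AIR.exe",
    "$agentDir\DRONE.exe",
    "$agentDir\TACTICAL.exe",
    "$dataDir\WATCHDOG.exe",
    "$agentDir\utils\curl.exe",
    "$agentDir\utils\osqueryi.exe"
)

# Only grant a file-level exclusion to a binary that is present and carries a valid
# Authenticode signature; anything missing, unsigned or tampered with goes to review.
$toExclude = @()
$toReview  = @()
foreach ($bin in $binaries) {
    if (-not (Test-Path -LiteralPath $bin)) { $toReview += "$bin : missing"; continue }
    $status = (Get-AuthenticodeSignature -FilePath $bin).Status
    if ($status -eq 'Valid') { $toExclude += $bin } else { $toReview += "$bin : $status" }
}

# -ExclusionPath accepts both folders and individual files.
Add-MpPreference -ExclusionPath ($folders + $toExclude)

if ($toReview) {
    Write-Warning ("Not excluded, verify with the vendor before adding:`n" + ($toReview -join "`n"))
}

# Confirm what the engine now holds and compare it against the list on this page.
(Get-MpPreference).ExclusionPath | Where-Object { $_ -like '*inalyze*' }
```

Bundled utilities such as curl.exe and osqueryi.exe may be signed by a publisher other than Binalyze, or not at all, so expect them to land in the review list rather than being excluded silently.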
Linux
Folders to Exclude:
- /opt/binalyze/air/agent/
- /usr/share/.binalyze-air/
Binaries to Exclude:
- /opt/binalyze/air/agent/air
- /opt/binalyze/air/agent/drone
- /opt/binalyze/air/agent/tactical
- /opt/binalyze/air/agent/utils/osqueryi
- /opt/binalyze/air/agent/utils/curl
- /usr/share/.binalyze-air/watchdog
macOS
Folders to Exclude:
- /opt/binalyze/air/agent/
- /usr/local/share/.binalyze-air/
Binaries to Exclude:
- /opt/binalyze/air/agent/air
- /opt/binalyze/air/agent/drone
- /opt/binalyze/air/agent/tactical
- /opt/binalyze/air/agent/utils/osqueryi
- /opt/binalyze/air/agent/utils/curl
- /usr/share/.binalyze-air/watchdog