Binalyze AIR Responder Proxy Support

Problem Statement

The Binalyze AIR responder needs to reach certain network services in order to work properly; if any of these connection requirements is not satisfied, the responder may not function correctly. Responders use the network connection provided by the operating system. If the enterprise network routes outbound traffic through a proxy service, the responder may not be able to detect the proxy configuration, and therefore cannot connect to the required services and does not work properly.

Binalyze AIR Responder Proxy Support

The updated version of the AIR responder automatically detects the proxy server configuration on the asset and adjusts its network connection methods to reach the required services. Responders read the proxy configuration from the location specific to the operating system; Windows, Linux and macOS are supported.

Minimum network connection requirements and associated definitions are listed below.

AIR Responder to AIR Console connection requirements

  • TCP 80 and 443 (HTTP/HTTPS); TCP 4222 (NATS, for Real-Time task assignments); TCP 443 (WebSocket, for interACT)

The AIR responder communicates with the AIR console over ports 80 and 443 using HTTP/HTTPS, so TCP ports 80 and 443 must be open and reachable. For Real-Time task assignments to work, TCP port 4222 must also be open and reachable. Similarly, for interACT to work, the WebSocket protocol must be configured (and permitted) over HTTPS.

AIR Responder to Evidence Repository connection requirements

If collected evidence must be uploaded to a remote location, the responder must be able to reach that location over HTTP/HTTPS, SMB, SFTP, FTPS, or the Amazon, Azure and Google storage domains, depending on the configuration previously defined in the evidence repository. If the proxy server does not support the connection phase of protocols such as SMB, SFTP or FTPS, a direct connection is tried instead. HTTP/S proxy connections are made by establishing a tunnel with the HTTP CONNECT method. In addition to HTTP proxies, the SOCKS5 proxy type is also supported.
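The following is an added example, not Binalyze's own responder code: a small, defender-side readiness check that mirrors the three mechanisms described above, namely reading the proxy configuration from the OS-specific location, opening an HTTP CONNECT tunnel to the console ports, and ordering connection attempts as SOCKS5, HTTP CONNECT, and then a direct fallback for SMB/SFTP/FTPS. The console host, proxy URLs and environment values are constructed placeholders; `urllib.request.getproxies()` is the standard-library call that reads `*_proxy` variables everywhere, the Internet Settings registry keys on Windows and the System Configuration settings on macOS.

```python
"""Proxy-awareness pre-check for an endpoint agent such as the AIR responder.

Added example, not Binalyze's code. All hostnames and proxy URLs below are
constructed placeholders.
"""
import base64
import socket
import urllib.request
from urllib.parse import urlparse

# Console ports the responder must reach (taken from the page).
CONSOLE_PORTS = {"http": 80, "https": 443, "websocket": 443, "nats": 4222}

# Protocols for which the page says a direct connection is tried when the
# proxy does not support tunnelling them.
DIRECT_FALLBACK = {"smb", "sftp", "ftps"}


def detect_proxies(env=None):
    """Return {'http': url, 'https': url, 'socks5': url, ...} for this host.

    With env=None this defers to urllib.request.getproxies(), which reads the
    *_proxy environment variables on every platform, the Internet Settings
    registry keys on Windows and the System Configuration proxy settings on
    macOS. Passing an explicit env mapping makes the function testable offline.
    """
    if env is None:
        return urllib.request.getproxies()
    proxies = {}
    for key, value in env.items():
        key = key.lower()
        if key.endswith("_proxy") and value and key != "no_proxy":
            proxies[key[: -len("_proxy")]] = value
    return proxies


def no_proxy_hosts(env):
    """Parse NO_PROXY / no_proxy into host suffixes that bypass the proxy."""
    raw = env.get("no_proxy") or env.get("NO_PROXY") or ""
    return [h.strip().lstrip(".") for h in raw.split(",") if h.strip()]


def plan_route(protocol, host, proxies, bypass=()):
    """Return the ordered list of (method, proxy_url) attempts for one connection.

    Order follows the page: a SOCKS5 proxy carries any TCP protocol; otherwise an
    HTTP proxy is used via a CONNECT tunnel; SMB/SFTP/FTPS additionally fall back
    to a direct connection if the proxy refuses them; no proxy means direct only.
    """
    protocol = protocol.lower()
    if any(host == b or host.endswith("." + b) for b in bypass):
        return [("direct", None)]
    attempts = []
    socks = proxies.get("socks5") or proxies.get("all")
    if socks and socks.lower().startswith("socks"):
        attempts.append(("socks5", socks))
    else:
        http_proxy = proxies.get(protocol) or proxies.get("https") or proxies.get("http")
        if http_proxy:
            attempts.append(("http-connect", http_proxy))
    if not attempts or protocol in DIRECT_FALLBACK:
        attempts.append(("direct", None))
    return attempts


def build_connect_request(host, port, proxy_url):
    """Bytes of the HTTP CONNECT request that opens a TCP tunnel through an HTTP proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    parsed = urlparse(proxy_url)
    if parsed.username:  # credentials embedded in the proxy URL -> Basic auth header
        token = base64.b64encode(f"{parsed.username}:{parsed.password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status, reason) from the proxy's reply; 200 means the tunnel is up."""
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, status_line
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def open_tunnel(proxy_url, host, port, timeout=5.0):
    """Live check: open a CONNECT tunnel through proxy_url to host:port.

    Returns the connected socket on HTTP 200; otherwise raises OSError carrying
    the proxy's status line so the refusal reason shows up in logs.
    """
    parsed = urlparse(proxy_url)
    sock = socket.create_connection((parsed.hostname, parsed.port or 8080), timeout=timeout)
    sock.sendall(build_connect_request(host, port, proxy_url))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status, reason = parse_connect_response(reply)
    if status != 200:
        sock.close()
        raise OSError(f"proxy refused CONNECT {host}:{port}: {status} {reason}")
    return sock


def readiness_report(console_host, env):
    """Offline plan of how each console service would be reached (no sockets opened)."""
    proxies = detect_proxies(env)
    bypass = no_proxy_hosts(env)
    return {name: plan_route(name, console_host, proxies, bypass) for name in CONSOLE_PORTS}


if __name__ == "__main__":
    # Constructed sample environment, as a Linux/macOS host would expose it.
    sample_env = {"HTTPS_PROXY": "http://proxy.corp.example:3128",
                  "NO_PROXY": "localhost,.internal.example"}
    for service, attempts in readiness_report("air.corp.example", sample_env).items():
        print(service, CONSOLE_PORTS[service], attempts)
```

Run it with `detect_proxies()` (no argument) on the asset itself to see exactly what the OS-level configuration exposes; if a console port is planned as `direct` while traffic is actually forced through a proxy, or the `open_tunnel` check comes back with a non-200 status for port 4222, that is the mismatch to fix on the proxy or firewall side before expecting Real-Time tasks or interACT to work.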
