Policies
Last updated
Was this helpful?
Last updated
Was this helpful?
Policies are used in AIR to standardize critical options at the organization level for the Console, Responders, and Evidence Repositories.
AIR includes a Default Policy that is read-only and covers all configuration areas. It cannot be edited and acts as a fallback when no other policies are assigned or when some settings are missing. This ensures every acquisition task has a complete configuration, preventing gaps.
Policies in AIR help standardize critical settings for the Console, Responders, and Evidence Repositories at the organization level. While the Default Policy is preconfigured and uneditable, users with the necessary permissions can view, create, and modify custom policies as needed.
To create a new policy, click the "Settings" button in the Main Menu and then select “Policies” from the Secondary Menu.
When you select the "+Add New" Action Button, you can create the required policies by configuring the options shown below:
The Policy name.
The Organization(s) affected by the policy.
The destination for collected evidence by OS platform:
Local - use the local asset.
Path - By default, the path to save evidence locally is: Binalyze\AIR\
Direct Collection - Enable this switch to collect data while minimizing local disk space usage. During the upload process, approximately 100MB of temporary data is stored in the Cases folder, which is automatically deleted upon completion.
Automatically Select Volume - Toggle on this switch to allow AIR to select the local volume with the most available space.
The destination for files collected by interACT:
Asset Resource Limits utilized by AIR Task Assignments executed by Responders:
CPU - We suggest setting CPU usage limits to about 40% on active assets/endpoints to avoid disruptions. Schedule resource-heavy tasks during off-peak hours and use lighter triage rules for in-use systems. Monitor impact and adjust as needed.
Bandwidth - Bandwidth limitations primarily depend on the network and the constraints of the target server. To prevent accidental disruptions to mission-critical operations, users can configure an upper limit on bandwidth usage.
Disk Space - Evidence collection on the local asset will continue until the specified amount of free disk space remains.
Compression and encryption settings
Compression is enabled by default, but users can disable it if preferred. Note that disabling compression may significantly increase the size of your collections on disk.
Encrypt Evidence toggled on will require the entry of a password, which will be needed later to access the collected data. The data will be encrypted with AES256-bit encryption and stored in a zip archive.
We do not save the passwords you enter, and they cannot be recovered through the AIR console. Therefore, please ensure you securely store them yourself. We strongly recommend using a Password Manager application to manage and safeguard your passwords.
Scan Local Drive Only (Triage)
Enable this option to limit the YARA scan to the machine's local drives only, preventing it from scanning mapped network or external drives. This ensures the scan stays focused on the local system, avoiding unnecessary delays from remote locations.
Isolation IP/Port & Process Allow Lists
In AIR Policies, the Isolation IP/Port & Process Allow Lists feature enables users to create custom allow lists that can be applied after an asset has been isolated by AIR. This provides more granular control over the network access and functionality of isolated assets.
Evidence Repository - use a remote storage location set in .
The AIR console provides the ability to by terminating all existing connections to an asset and preventing any new connections. This isolation feature operates using a Kernel Mode Driver and does not rely on the Windows Firewall.
