
AIR Agent Deployment

In this section we look at deploying AIR agents to Windows, Linux and macOS.
The AIR agent is a 'zero-config' deployment: the file name carries all the information needed to deploy an agent quickly.
The file name carries this level of detail and the installer itself is a digitally signed binary, which avoids problems with security solutions; to date not one issue has arisen.
The file name example shown here has 4 main components:
AIR.Agent_2.26.4_air-demo.binalyze.com_176_9df51c56a73341f4_amd64_.msi
  1. 2.26.4 - the agent version number.
  2. air-demo.binalyze.com - the address of the console with which the agent will communicate.
  3. 176 - the console's internal organization ID.
  4. 9df51c56a73341f4 - the apparently random mixture of letters and numbers is the Deployment Token.
  5. amd64 - the processor architecture of the machine on which the agent will run.
There are multiple ways of deploying the agent all of which are designed to be quick and scalable. Let's take a look at the different ways in which you can deploy AIR agents to endpoints:
From the Main Menu select 'Assets' and then 'All Assets' from the Secondary Menu. Now you will see the page name 'Assets' and next to that is the Action Button which for the Assets page is labeled '+ Add New.'
When this '+ Add New' button is selected, three deployment options are offered in a drop-down menu:
Three deployment options for adding AIR agents to assets.
Each one of the options will present the user with a wizard which will walk through the options needed for the chosen deployment method:
  1. Deploy New - for assets attached to a network that is visible to the AIR console.
  2. Cloud Account - for assets that reside in AWS EC2 and for virtual machines in Microsoft Azure.
  3. Off-Network - to generate triage and collection packages for assets that are not connected to a visible network.

Deploy Agent to New Asset Wizard

  1. When you choose 'Deploy New', a wizard prompts you to decide whether the agent should connect directly to the AIR console or whether a Relay Server connection is more suitable for your environment. Relay Server is explained here.
Select a connection route
  2. The second step of the deployment wizard offers distinct deployment options for each of the currently supported network-attached operating systems: Windows, Linux, and macOS:

Windows PowerShell Command:

  • The command varies based on the Organization affiliation. An example PowerShell command to copy is provided below:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile("https://air-demo.binalyze.com/api/endpoints/download/0/deploy/windows?deployment-token=d297145d3b514037", "$PWD\deploy-agent.ps1")
.\deploy-agent.ps1
This command is specific to your console address and Organization.

Windows PowerShell Script:

  • This script can be downloaded from your AIR Console. Ensure you select or are working in the appropriate Organization before downloading.
<#
2022 (c) Binalyze
AIR Agent PowerShell Script for Windows
PLEASE DO NOT EDIT! This file is automatically generated at 2023-10-03T15:28:51
VERSION 2.26.4
#>
<#
.SYNOPSIS
This script installs the AIR Agent using the given parameters; default values are used where none are given.
This script requires administrator privileges!
The MSI file is temporarily stored in %LOCALAPPDATA%\binalyze\air\agent
.DESCRIPTION
PowerShell script to deploy the AIR Agent.
.PARAMETER Version
The version of the AIR Agent to be deployed.
.PARAMETER ConsoleAddress
The address of the AIR Console without the https:// prefix, only the domain address.
.PARAMETER OrganizationId
The organization id with which to register the AIR Agent.
.PARAMETER DeploymentToken
A valid deployment token to deploy the AIR Agent.
.PARAMETER ConnectionRouteID
Set the Connection Route Id for the AIR Agent.
.PARAMETER ConnectionRouteAddress
Set the Connection Route Address for the AIR Agent.
.PARAMETER AllowInsecureTlsVersion
Allow insecure TLS versions for the AIR Agent.
#>
Param (
    [string]$Version = "2.26.4",
    [string]$ConsoleAddress = "air-demo.binalyze.com",
    [string]$OrganizationId = "176",
    [string]$DeploymentToken = "9df51c56a73341f4",
    [string]$ConnectionRouteID = "{{.AIR_CONNECTION_ROUTE_ID}}",
    [string]$ConnectionRouteAddress = "{{.AIR_CONNECTION_ROUTE_ADDRESS}}",
    [switch]$AllowInsecureTlsVersion
)

# Working directory for the downloaded MSI; recreated on every run.
$downloadDir = "$env:LOCALAPPDATA\binalyze\air\agent"
Remove-Item $downloadDir -Force -Recurse -ErrorAction Ignore
New-Item -Path $downloadDir -ItemType Directory
Push-Location
Set-Location -Path $downloadDir

# Choose the package architecture from the bitness of the running PowerShell process.
$arch = "386"
if ([Environment]::Is64BitProcess) {
    $arch = "amd64"
}

# Unrendered template placeholders ("{{...}}") mean no Relay Server route was configured.
if ($ConnectionRouteID -like '{*') {
    $ConnectionRouteID = ""
}
if ($ConnectionRouteAddress -like '{*') {
    $ConnectionRouteAddress = ""
}

# Build the file name suffix (architecture plus the connection route, when one is set) and the download URL.
$fileSuffix = ""
if ($ConnectionRouteID) {
    $fileSuffix = "{0}_{1}_" -f $arch, $ConnectionRouteID
    if ($ConnectionRouteAddress) {
        $fileSuffix = "{0}{1}_" -f $fileSuffix, $ConnectionRouteAddress
    }
}
$file = "{0}\AIR.Agent_{1}_{2}_{3}_{4}_{5}.msi" -f $downloadDir, $Version, $ConsoleAddress, $OrganizationId, $DeploymentToken, $fileSuffix
$url = "https://{0}/api/endpoints/download/{1}/windows/msi/{2}?deployment-token={3}" -f $ConsoleAddress, $OrganizationId, $arch, $DeploymentToken
Write-Debug "file: $file"
Write-Debug "url: $url"

# Require TLS 1.2/1.3 for the download unless the caller explicitly allows the system default.
if ($AllowInsecureTlsVersion) {
    Write-Host "Allowed insecure TLS versions for the AIR Agent. If this flag is set, the AIR Agent will connect to the AIR Console with system default TLS version"
} else {
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls13
    } catch {
        Write-Host "TLS1.3 and TLS1.2 is not supported on this operating system, please try to use AllowInsecureTlsVersion flag."
    }
}

# This callback accepts any server certificate, so the console's TLS certificate is not validated during the download.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile($url, $file)

# Silent install of the downloaded MSI, then return to the original directory.
Start-Process C:\Windows\System32\msiexec.exe -ArgumentList "/i $file /quiet /norestart" -Wait
Pop-Location

SCCM Deployment for Windows Agent:

  • If you prefer, the Windows agent can be deployed using SCCM with the following command:
msiexec /i AIR.Agent_2.24.2_air-demo.binalyze.com_0_d297145d3b514037_.msi /qn /norestart
For a silent installation you can use the following command:
msiexec /i AIR.Agent_2.26.4_air-demo.binalyze.com_176_9df51c56a73341f4_.msi /qn /norestart
These commands are specific to your console address and Organization.

Windows Agent MSI Download:

  • The MSI for the Windows agent can be downloaded directly from the page, as depicted in the screenshot below:
  • All three operating systems support the Shareable deployment link available in the console. This method is often the most straightforward—simply share the link with your client, allowing them to download and install the agent. An example link is shown below:
https://air-demo.binalyze.com/#/shareable-deploy?token=d297145d3b514037

macOS and Linux Deployments:

  • Unlike Windows, macOS and Linux do not use PowerShell commands or scripts. Instead, they can use curl or wget commands. Alternatively, you can use the Shareable deployment page link mentioned above.
Example curl deployment command:
sudo curl -kfsSL "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh
Example wget deployment command:
sudo wget --no-check-certificate -O- "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh
These commands are specific to your console address and Organization.
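The PowerShell command earlier on this page and the curl and wget commands above all switch off certificate validation for the download (the {$true} callback, -k and --no-check-certificate), and the latter two pipe the download straight into sh. As an added example, not part of Binalyze's documentation, the following Python scans deployment text for those patterns so they can be caught in review; the sample is constructed from the commands on this page, and the remediation strings are this example's suggestions.

```python
import re
from typing import List, Tuple

# Constructed sample: the deployment commands from this page, plus one variant that keeps validation on.
SAMPLE = r"""# deploy-commands.txt (constructed sample)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile("https://air-demo.binalyze.com/api/endpoints/download/0/deploy/windows?deployment-token=d297145d3b514037", "$PWD\deploy-agent.ps1")
sudo curl -kfsSL "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh
sudo wget --no-check-certificate -O- "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" | sudo sh
curl -fsSL --cacert /etc/pki/air-console-ca.pem "https://air-demo.binalyze.com/api/endpoints/download/176/deploy/darwin?deployment-token=9df51c56a73341f4" -o deploy-agent.sh
"""

# (label, pattern, remediation). Remediations are this example's suggestions, not vendor guidance.
BYPASS_PATTERNS = [
    ("powershell-cert-callback",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.IGNORECASE),
     "remove the callback so .NET validates the console certificate; trust the console's CA instead"),
    ("curl-insecure",
     re.compile(r"\bcurl\b[^|\n]*\s-(?:[A-Za-z]*k[A-Za-z]*|-insecure)\b"),
     "drop -k/--insecure; pass --cacert <console CA> if the console uses a private CA"),
    ("wget-no-check-certificate",
     re.compile(r"\bwget\b[^|\n]*--no-check-certificate\b"),
     "drop --no-check-certificate; pass --ca-certificate=<console CA> if the console uses a private CA"),
    ("pipe-to-shell",
     re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash)\b"),
     "download to a file, review it, then run it"),
]


def scan_deploy_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, label, remediation) for every validation bypass found, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern, fix in BYPASS_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, label, fix))
    return findings


if __name__ == "__main__":
    for line_no, label, fix in scan_deploy_text(SAMPLE):
        print(f"line {line_no}: {label}: {fix}")
```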
For macOS, the user/administrator has to allow Full Disk Access to the AIR agent for it to have full access to the disk for collections.
Open “System Settings -> Privacy & Security -> Full Disk Access”
Toggle the switch 'on' to enable Full Disk Access for the AIR agent.
Full Disk Access toggled 'on' for AIR