AIR Responder Exception Rules

Why Create Exception Rules for Binalyze AIR in EDR/AV Systems

Binalyze AIR operates by collecting and analyzing extensive forensic data from assets. This process involves executing binaries, creating temporary files, and accessing sensitive directories, activities that can trigger alerts in EDR or AV solutions and potentially disrupt or slow down forensic investigations. If these tools block AIR components, evidence acquisition may be incomplete or incident response delayed, compromising the effectiveness of your cybersecurity activities.

Allow-listing Binalyze AIR components ensures that AIR can perform its essential tasks without interference, enabling fast, efficient investigations. By setting up proper exception rules in your security systems, you guarantee uninterrupted access to all of the evidence and forensic capabilities that AIR offers.

How to Configure EDR and AV Exceptions for Binalyze AIR

For optimal performance, configure your EDR and AV systems to exclude specific AIR folders and binary files. The paths and binaries to exclude vary by operating system:

Windows

Folders to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\

  • C:\ProgramData\.binalyze-air

Binaries to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe

  • %ProgramData%\.binalyze-air\WATCHDOG.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\curl.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\osqueryi.exe
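As an added example (not from Binalyze's documentation), the Windows list above applied to Microsoft Defender Antivirus with PowerShell. It assumes Defender is the AV in use and that the session is elevated; the paths are the ones listed on this page, with %ProgramData% expanded at run time.

```powershell
# Added example: register the Windows exclusions listed above in Microsoft Defender Antivirus.
# Assumes Microsoft Defender is the AV in use and that this runs in an elevated PowerShell session.
#Requires -RunAsAdministrator

$agentDir = 'C:\Program Files (x86)\Binalyze\AIR\agent'
$dataDir  = Join-Path $env:ProgramData '.binalyze-air'   # %ProgramData%\.binalyze-air

# Folders to exclude (from the page).
$folders = @($agentDir, $dataDir)

# Binaries to exclude (from the page). A path exclusion stops Defender scanning the executable
# itself; a process exclusion stops it scanning files that the executable opens.
$binaries = @(
    (Join-Path $agentDir 'AIR.exe'),
    (Join-Path $agentDir 'DRONE.exe'),
    (Join-Path $agentDir 'TACTICAL.exe'),
    (Join-Path $dataDir  'WATCHDOG.exe'),
    (Join-Path $agentDir 'utils\curl.exe'),
    (Join-Path $agentDir 'utils\osqueryi.exe')
)

# Add every folder and binary as a path exclusion, and every binary as a process exclusion.
Add-MpPreference -ExclusionPath ($folders + $binaries)
Add-MpPreference -ExclusionProcess $binaries

# Verify: read back the effective preferences and report anything that did not land.
$pref    = Get-MpPreference
$missing = @()
foreach ($p in ($folders + $binaries)) {
    if ($pref.ExclusionPath -notcontains $p) { $missing += "path: $p" }
}
foreach ($b in $binaries) {
    if ($pref.ExclusionProcess -notcontains $b) { $missing += "process: $b" }
}

if ($missing.Count -eq 0) {
    Write-Host 'All Binalyze AIR exclusions are present.'
} else {
    Write-Warning ("Exclusions not applied:`n" + ($missing -join "`n"))
}
```

The exclusions are scoped to the exact folders and files listed rather than to a wildcard, so re-run the verification step after an agent upgrade that relocates a binary; because excluded folders are not scanned, their ACLs should permit writes only to administrators and the agent service.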

Linux

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog

macOS

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/local/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog
