Binalyze AIR Watchdog Folder

Binalyze AIR Watchdog Folder: C:\ProgramData\.binalyze-air\ or %ProgramData%\.binalyze-air\*

The Binalyze AIR Watchdog Folder (C:\ProgramData\.binalyze-air\ or %ProgramData%\.binalyze-air\) is a critical directory used by the Binalyze AIR responder for storing internal data required to maintain and monitor the health and proper functioning of the AIR responder agent. This folder contains temporary files, logs, and configuration data that help the Watchdog component of the AIR platform ensure that the responder agent is running correctly and automatically restarts the agent if any issues arise.

Purpose of the Watchdog Folder

  1. Health Monitoring: The Watchdog monitors the responder agent’s status. If the agent stops unexpectedly or malfunctions, the Watchdog uses this folder to store diagnostic data and trigger the necessary actions (e.g., restarting the agent).

  2. Temporary Storage: The folder stores temporary files used by the AIR responder during its forensic and investigative processes. These may include logs, process monitoring data, or execution-related files.

  3. Configuration Data: The directory can also house configuration and state files that help the agent track its operational state, ensuring that it maintains continuity of processes even in the event of interruptions.

Exception Configuration

When configuring EDR (Endpoint Detection and Response) or AV (Antivirus) software, it is essential to exclude this folder from being scanned or interfered with. Failure to do so may cause unnecessary alerts or interruptions to the operations of the AIR responder, potentially halting the forensic collection process or causing data collection to fail.

Folder Path Variations

  • Absolute Path: C:\ProgramData\.binalyze-air\* (the standard path used by the Binalyze AIR Watchdog on Windows systems).

  • Environment Variable Path: %ProgramData%\.binalyze-air\* (the %ProgramData% environment variable points to the C:\ProgramData\ folder). This form resolves to the same location even on systems where the ProgramData folder is not at its default path, so it is the more portable way to reference it.

Importance of Allow-Listing This Folder

For Binalyze AIR to function seamlessly, especially during critical incident response tasks, excluding this folder from AV/EDR scans or interference is vital. The Watchdog service ensures that the responder is continuously running and can self-correct when issues arise. Blocking access to or deleting files from this folder could disrupt the AIR responder's ability to perform its monitoring tasks, leading to downtime and delayed investigations.

To ensure uninterrupted operation, follow these allow-listing rules in your security setup:

  • Windows AV/EDR Systems: Allow-list the folder C:\ProgramData\.binalyze-air\*

  • Linux/macOS Equivalents: Similar watchdog components may exist in those environments within paths like /usr/share/.binalyze-air/ or /opt/binalyze/air/agent/ (adjust based on OS).

By allowing the Watchdog folder, you ensure Binalyze AIR remains resilient and responsive, even in the event of unexpected issues.
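The following is an added example, not Binalyze's own code or documentation, showing how the Windows allow-listing rule above can be applied and then verified for Microsoft Defender Antivirus. It assumes an elevated PowerShell session on a Windows host where Defender is the active AV; other AV/EDR products expose their own exclusion console or API, but the path to exclude is the same one this article gives.

```powershell
# Added example (not Binalyze's own code): allow-list the AIR Watchdog folder in
# Microsoft Defender Antivirus and confirm the exclusion took effect.
# Assumes: Windows, Microsoft Defender AV, an elevated PowerShell session.

# Resolve %ProgramData% instead of hard-coding C:\ProgramData, matching the
# environment-variable form of the path given in this article.
$watchdogPath = Join-Path $env:ProgramData '.binalyze-air'

# A Defender folder exclusion covers the folder and everything beneath it,
# so the trailing \* used in the article is not needed in the cmdlet argument.
Add-MpPreference -ExclusionPath $watchdogPath

# Verify: read the effective exclusion list back and check the path is present.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -contains $watchdogPath) {
    Write-Output "Exclusion present: $watchdogPath"
} else {
    Write-Warning "Exclusion missing: $watchdogPath"
}
```

Two points worth checking when applying this in any product: keep the exclusion scoped to exactly this path, since anything written into an excluded folder is no longer inspected by the scanner, and confirm that the product's exclusion model covers both scanning and blocking, because the article's requirement is that the folder be neither scanned nor interfered with.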
