search
Back to binalyze.com

Responder Exception Rules for EPP and EDR

hashtag
Overview

Allow-listing is required for AIR responders to run acquisition tools, write temporary artifacts, and access protected areas of the file system. Without explicit exclusions in your Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), or antivirus solution, these routine activities can trigger false positives and interrupt evidence collection.

Use the tables below to add the recommended folder and binary exclusions for each supported operating system. Choose the entries that match your deployment to keep responders running without false positives.

hashtag
Windows

hashtag
Folders to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\

  • C:\ProgramData\.binalyze-air

hashtag
Binaries to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe

  • C:\ProgramData\.binalyze-air\WATCHDOG.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\curl.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\osqueryi.exe

hashtag
Linux

hashtag
Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/share/.binalyze-air/

hashtag
Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog

hashtag
macOS

hashtag
Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/local/share/.binalyze-air/

hashtag
Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog

PreviousResponder and Active Directory OUsNextAIR Watchdog Folder

Last updated

Was this helpful?