Responder Exception Rules

Overview

Allow-listing is required for AIR responders to run acquisition tools, write temporary artifacts, and access protected areas of the file system. Without explicit exclusions in your Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), or antivirus solution, these routine activities can trigger false positives and interrupt evidence collection.

Use the lists below to add the recommended folder and binary exclusions for each supported operating system. Choose the entries that match your deployment to keep responders running without false positives.

Windows

Folders to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\

  • C:\ProgramData\.binalyze-air

Binaries to Exclude:

  • C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe

  • C:\ProgramData\.binalyze-air\WATCHDOG.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\curl.exe

  • C:\Program Files (x86)\Binalyze\AIR\agent\utils\osqueryi.exe

Linux

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog
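
Because excluded folders are not scanned, it is worth confirming that only privileged accounts can write to them. The script below is an added example, not Binalyze code: it audits the Linux folders listed above. The function names are hypothetical, and the policy it checks (root ownership, no group or world write access) is an assumption, not a vendor requirement.

```shell
#!/bin/sh
# Added example, not Binalyze code. Function names are hypothetical.
# Assumption: an excluded location should be owned by root and not writable
# by group or others, because files placed there are not scanned.

# Linux folder exclusions copied from the list above.
AIR_EXCLUDED_DIRS="/opt/binalyze/air/agent /usr/share/.binalyze-air"

# audit_excluded_path PATH [OWNER]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if missing.
audit_excluded_path() {
    path=$1
    owner=${2:-root}
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    findings=$(
        # Group- or world-writable entries (symlink modes are not meaningful).
        find "$path" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # Entries not owned by the expected account.
        find "$path" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Audit every excluded folder; non-zero return if any path has a finding.
audit_all() {
    rc=0
    for dir in $AIR_EXCLUDED_DIRS; do
        audit_excluded_path "$dir" root || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_all
    exit $?
fi
```

Run it as root after installing or upgrading the responder, and review any WRITABLE or OWNER line before leaving the exclusion in place.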

macOS

Folders to Exclude:

  • /opt/binalyze/air/agent/

  • /usr/local/share/.binalyze-air/

Binaries to Exclude:

  • /opt/binalyze/air/agent/air

  • /opt/binalyze/air/agent/drone

  • /opt/binalyze/air/agent/tactical

  • /opt/binalyze/air/agent/utils/osqueryi

  • /opt/binalyze/air/agent/utils/curl

  • /usr/share/.binalyze-air/watchdog
