Binalyze AIR v5.20

What’s New?

  • Expanded Windows event collection coverage: Acquisition profiles now include additional relevant Windows Event IDs. This increases visibility into activity that may be important during security investigations and retrospective analysis.

  • Improved interACT file download experience: interACT command result downloads now include file size information, enabling progress indication for larger files and improving the experience for analysts and external integrations.

  • Investigation Hub usability improvements: A Toolbox button is now available in the Investigation Hub header, making related investigation actions easier to access during active case review.

New Features & Improvements

Responder and Task Execution

Expanded Windows Event Collection Coverage

AIR acquisition profiles now include additional Windows Event IDs that are relevant to security investigations. These additions improve coverage for event-based review and help analysts identify activity that may otherwise require manual profile updates.

Administrators can use the updated acquisition configuration as part of standard evidence collection workflows. The expanded event coverage supports stronger timeline reconstruction and better evidence-backed decisions during post-incident investigation.

Investigation Hub

Toolbox Access from the Investigation Hub Header

The Investigation Hub header now includes a Toolbox button. This makes supporting actions more accessible while analysts are reviewing evidence, findings, and artifacts inside a case.

By reducing navigation friction, the change helps analysts stay focused on the active investigation context and move more quickly between review and response actions.

interACT

Improved Command Result Downloads

interACT command result downloads now include the content length in the response. This allows browsers and integrations to display accurate progress for larger downloads.

The improvement is useful when analysts retrieve larger command outputs or files through interACT. It reduces uncertainty during downloads and provides a clearer indication that the file transfer is progressing.
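The effect of the Content-Length change described above, shown as an added illustration rather than Binalyze's own client or server code: a local stand-in HTTP server serves the same constructed payload once with a Content-Length header and once without, and a streaming client can compute per-chunk progress only in the first case. The server, paths, payload and function names are assumptions made for this demo.

```python
import http.server
import threading
import urllib.request

# Constructed payload standing in for a command result file (assumption;
# not real interACT output).
PAYLOAD = b"A" * 250_000


class _ResultHandler(http.server.BaseHTTPRequestHandler):
    """Serves PAYLOAD on two paths: with Content-Length and without it."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        if self.path == "/with-length":
            self.send_header("Content-Length", str(len(PAYLOAD)))
        # On "/no-length" the server uses HTTP/1.0 semantics: the client reads
        # until the connection closes and cannot know the total size up front.
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in server on an ephemeral port; return its base URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ResultHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def download_with_progress(url, chunk_size=65536):
    """Stream a download; return (bytes_received, declared_total, progress).

    progress holds one percentage per chunk when Content-Length is present,
    or None entries (indeterminate progress) when the header is missing.
    """
    with urllib.request.urlopen(url) as resp:
        header = resp.headers.get("Content-Length")
        total = int(header) if header is not None else None
        received, progress = 0, []
        while chunk := resp.read(chunk_size):
            received += len(chunk)
            progress.append(round(100 * received / total) if total else None)
    return received, total, progress


if __name__ == "__main__":
    base = start_server()
    for path in ("/with-length", "/no-length"):
        got, total, steps = download_with_progress(base + path)
        print(path, got, total, steps)
```

An integration that wraps interACT downloads should treat a missing Content-Length as "indeterminate" rather than guessing a total; the header, when present, is also a cheap integrity check that the received byte count matches what the server declared.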

Bug Fixes

  • Responder startup no longer disrupts Linux connection tracking when isolation was not used. A Linux Responder startup path could clear host connection tracking during upgrade or service restart, even on assets where network isolation had never been used. This could briefly disrupt NAT-dependent clustered workloads. The cleanup now runs only when isolation artifacts are present, preserving normal network state during routine Responder updates.

  • Acquisition now stops immediately on disk-full write errors. When a collector encounters a no-space-left condition during evidence collection, AIR now cancels the acquisition pipeline immediately instead of allowing additional collectors to continue failing and generating excessive logs. This reduces wasted processing and improves clarity when an asset lacks sufficient disk space.

  • Console proxy settings are now applied to license validation in on-premise deployments. License validation now respects the configured Console proxy. This resolves failures in environments where outbound internet access must pass through a proxy and avoids misleading situations where proxy verification succeeds but license validation bypasses the proxy.

  • RelayPro registration now works correctly in multiport Console configurations. RelayPro agent-facing registration and communication endpoints are now accepted through the supported Responder communication path. This resolves 403 “Console Port Forbidden” errors that prevented RelayPro from registering in affected on-premise configurations.

  • Fresh installations now create the required File Explorer processor configuration. AIR now creates the required File Explorer processor during installation. This resolves Repository Explorer failures where the supporting service was healthy but AIR reported that the processor was not configured.

  • Investigation Hub export URLs now resolve correctly. The Investigation Evidence Export Request API now returns a usable download URL. API users can create an export request and retrieve the generated CSV instead of receiving a 404 response from the returned URL.

  • Investigation Hub filtering has been improved for large findings datasets. The Flag “Is blank” advanced filter has been optimized so large findings views do not become unresponsive or fail because of long-running queries. This improves review workflows for cases containing a high volume of findings.

  • Artifact data now remains visible when filtering by affected assets. AIR fixed an Investigation Hub issue where artifact data could disappear from the left-side panel after applying certain asset filters. Clearing filters is no longer required to restore the artifact view.

  • Investigation Hub evidence relationship handling has been corrected. AIR fixed an issue that affected evidence relationship display and correlation inside Investigation Hub, improving consistency when analysts review linked artifacts and findings.

  • Advanced filter value lists now show expected available values. AIR fixed an issue where some valid filter values did not appear in Advanced Filter controls across areas such as Assets and Tasks. Analysts and administrators can now select available environment values more reliably.

  • Asset selection now matches the task scope for Triage tasks. AIR fixed an issue where the selection count could include assets selected across multiple filtered views, while the resulting Triage task only processed assets from the latest filter view. Task creation now better reflects the intended asset selection.

  • Disk Image and Repository Explorer search behavior has been corrected. Search filtering now works more reliably when selecting repositories or browsing disk image lists, helping analysts locate relevant evidence sources faster.

  • PFX certificate import messaging and trust handling have been improved. AIR now handles PKCS12 certificate conversion and certificate chain validation more reliably, with clearer guidance when certificate trust issues are detected.

  • License error messages now better reflect the actual condition. AIR now provides more accurate license validation feedback, reducing confusion between capacity-related conditions and connectivity problems.

  • MITRE notification formatting has been corrected. Analyzer database change notifications now render more cleanly, improving readability for administrators reviewing update information.

  • Bulk case closure now reduces load on cache services. AIR no longer proactively scans and removes large numbers of investigation jobs when a case is closed. Job processors now check case state when processing and skip work for closed cases, reducing load during bulk closure operations.

  • Task assignment reads no longer include large response payloads by default. AIR avoids loading large task assignment response data unless needed. This improves performance in environments where task responses contain large JSON bodies, such as auto asset tag responses.

  • Auto-tag organization isolation has been corrected. Auto asset tags are now filtered by organization during assignment and scheduled processing. This prevents tags configured for one organization from appearing in another organization’s cases or assets.

  • Security and authorization hardening has been applied across tenant-scoped workflows. AIR corrected cross-organization authorization gaps in Investigation Hub advanced filters, finding exclusion rules, and asset tag deletion. These fixes strengthen tenant boundaries and prevent unauthorized cross-organization modification of saved searches, exclusion rules, and tags.

  • Audit log filtering has been hardened. AIR now safely handles user-supplied audit log filter keys, preventing unsafe query construction while preserving existing filtering behavior.

  • SSO provider data remains current after configuration changes. AIR now invalidates cached SSO provider data when providers are created, updated, or deleted, ensuring administrators see current authentication configuration.

  • Integration settings load more efficiently. AIR improved integration settings retrieval performance, reducing delays for administrators working with cloud and repository integrations.

  • Setup and role seeding reliability has been improved. AIR fixed a race condition between setup and predefined role seeding, improving reliability during installation and provisioning.
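Two of the fixes above describe defensive patterns worth seeing in code: organization-scoped queries (the auto-tag isolation and cross-organization authorization items) and allowlisted filter keys for audit log queries (the audit log filtering item). The following is an added example of those patterns, not AIR's own code or schema: the table, column names, filter keys and sample rows are constructed for the demo. The organization id is taken from the authenticated session rather than the request, and only filter keys present in the allowlist are ever turned into SQL, with values always bound as parameters.

```python
import sqlite3

# Allowlist mapping the filter keys an API caller may send to real column
# names. Unknown keys are rejected before any SQL is built, so user input
# never becomes query syntax. (Illustrative names; not AIR's schema.)
AUDIT_FILTER_COLUMNS = {
    "user": "username",
    "action": "action",
    "status": "status",
}


def build_audit_query(org_id, filters):
    """Return (sql, params) for an audit-log lookup.

    org_id comes from the authenticated session, never from the request,
    so a caller cannot widen the query to another organization's records.
    """
    unknown = set(filters) - set(AUDIT_FILTER_COLUMNS)
    if unknown:
        raise ValueError(f"unsupported filter key(s): {sorted(unknown)}")
    clauses = ["org_id = ?"]          # tenant boundary is always applied first
    params = [org_id]
    for key, value in filters.items():
        # Column name comes from the allowlist, the value is bound as a parameter.
        clauses.append(f"{AUDIT_FILTER_COLUMNS[key]} = ?")
        params.append(value)
    sql = (
        "SELECT id, username, action, status FROM audit_log WHERE "
        + " AND ".join(clauses)
        + " ORDER BY id"
    )
    return sql, params


def make_sample_db():
    """In-memory audit log with constructed rows for two organizations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_log ("
        "id INTEGER PRIMARY KEY, org_id TEXT, username TEXT, action TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO audit_log (org_id, username, action, status) VALUES (?, ?, ?, ?)",
        [
            ("org-a", "alice", "login", "success"),
            ("org-a", "alice", "delete_tag", "denied"),
            ("org-a", "bob", "login", "failure"),
            ("org-b", "alice", "login", "success"),
        ],
    )
    return conn


def search_audit_log(conn, org_id, filters):
    """Run an allowlisted, organization-scoped audit log search."""
    sql, params = build_audit_query(org_id, filters)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(search_audit_log(db, "org-a", {"user": "alice"}))
    print(search_audit_log(db, "org-b", {"user": "alice"}))
    try:
        build_audit_query("org-a", {"username) OR 1=1 --": "x"})
    except ValueError as exc:
        print("rejected:", exc)
```

The same "scope by session organization, then filter" shape applies to deletes and updates (for example tag deletion or exclusion-rule edits): the organization predicate belongs in the lookup itself, not in a check performed after the record has been fetched.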