Automatic Responder update exclusion rules help protect critical assets during maintenance windows. Administrators can now define named, policy-style rules that automatically exclude matching assets from automatic Responder updates. This is especially valuable for production systems such as messaging clusters, infrastructure services, and other sensitive assets where an unscheduled Responder restart could disrupt investigation readiness or business operations.
Expanded macOS artifact coverage improves visibility into user activity. AIR now expands KnowledgeC collection coverage with additional macOS activity streams, including application focus, web usage, lock and power state indicators, audio output, and media activity, along with other modern macOS activity streams. This gives analysts broader context when reconstructing user activity during security investigations.
Task memory-limit configuration is available across acquisition, Hunt/Triage, and Full Text Search workflows. Memory-limit settings are now available in task advanced options and policy configuration. This helps administrators control task impact on production assets while preserving the ability to collect and analyze evidence at scale.
Linux file system enumeration now includes mounted local filesystems. File System Enumeration on Linux assets now covers eligible local mounted disks and volumes, not only the root filesystem. Virtual, pseudo, volatile, container, and network filesystems remain excluded by default to avoid unstable runtime trees and performance issues.
AIR now supports automatic Responder update exclusion based on saved asset filter rules. Administrators can define one or more named rules under asset update settings, and any asset that matches an enabled rule is automatically excluded from automatic Responder updates.
This improvement is designed for environments where critical systems must be updated only during approved maintenance windows. For example, an administrator can create a rule that matches assets tagged as production infrastructure or sensitive Linux servers. Newly registered assets or assets that receive matching tags later are handled automatically, without requiring manual bulk updates.
The rule-based exclusion is additive with the existing per-asset manual exclusion flag. Manual Responder update actions remain available, so administrators can still update excluded assets deliberately when they are ready.
The asset detail page now also shows which update exclusion rules match the selected asset. This gives administrators a clear explanation of why an asset is being skipped by the automatic update workflow.
Bulk uninstall, purge, and uninstall-with-purge operations now support an optional maximum matched-asset assertion. If the filter matches more assets than the configured threshold, AIR stops the operation before making changes.
This is useful for cleanup scripts and scheduled administration workflows where filters may evolve over time. Administrators can use the assertion as a guardrail to prevent accidental removal of more assets than intended.
When no assets match the filter, AIR now returns a clearer not-found response instead of silently proceeding. This helps administrators identify filter mistakes before they rely on automation.
Memory limit configuration is now available in task advanced options and policy configuration. AIR also passes resource-limit fields through Hunt/Triage and Full Text Search task flows so the configured limits are preserved when tasks are submitted.
This improvement helps administrators control resource consumption on production assets. For investigation teams, it supports safer evidence collection and analysis by reducing the chance that long-running or high-volume tasks consume more memory than expected.
Administrators can configure these limits as part of task or policy settings, depending on the workflow. Existing task behavior remains unchanged when no limit is configured.
The empty asset page now updates the “Deploy your first Responder” action correctly when license capabilities or permissions are available. This improves the onboarding experience for newly deployed AIR tenants and reduces confusion for administrators who have the required access but previously saw the action disabled.
The Deploy > Chrome package page now points to the updated official Chrome Web Store listing for the AIR For Chrome extension. Quick Deployment actions such as Copy Link to Chrome Store and Add to Chrome now open the updated extension URL.
This ensures administrators and analysts are directed to the current official AIR For Chrome extension when deploying the standalone collector.
User date and time preferences now include additional month-first date format options. These formats better support users in regions where month-first dates are the standard.
Users can select these formats from Profile > Date & Time Preferences. This improves readability in investigation timelines, reports, and operational views for teams that use month-first date conventions.
License validation now preserves the license server’s response more accurately when the license key is invalid or not found. AIR now distinguishes invalid-license scenarios from license server connectivity issues more clearly.
This reduces troubleshooting time for administrators and support teams by pointing them toward the correct root cause, such as an invalid key or capacity condition, instead of suggesting a network issue.
The Console Address certificate import flow now handles custom PFX imports more reliably when the Console Address itself is unchanged. The import modal also prevents the PFX password from appearing in the browser URL.
This improves both usability and credential handling for administrators configuring Console Address certificates under Settings > General > Connection > Console Address.
AIR expands macOS KnowledgeC parsing with additional high-value activity streams. New parsed streams include application focus, web usage, device lock state, power connection state, battery percentage, audio output route, media now-playing activity, application media usage, and application intents where present on the asset.
These artifacts help analysts build a more complete timeline of user activity and system state during an investigation. For example, application focus and media usage can help confirm whether a user was active, which applications were in use, and how activity correlates with other evidence.
Raw KnowledgeC data collection remains available, while the expanded parsed coverage makes more of the data directly searchable and usable inside AIR workflows.
Linux shell history collection now accounts for user home directories that exist under /home even when the user is not listed in the local password file. This improves coverage for environments that resolve users through directory services or similar identity integrations.
For investigation teams, this reduces the chance of missing command history from domain or externally managed users whose home directories are present on disk. The collector keeps discovery bounded by scanning immediate home directories rather than recursively walking the entire filesystem.
Linux File System Enumeration now enumerates the root filesystem plus eligible local mounted filesystems. Previously, mount points such as /mnt, /media, /srv, and /afs could appear as single directory entries while their mounted contents were absent from FileSystemEnumeration.csv.
AIR applies a Linux-specific traversal policy for eligible local mounts while continuing to exclude virtual, pseudo, volatile, container, and network filesystems by default. Darwin and AIX root-device behavior is unchanged.
For investigation teams, this improves filesystem visibility on Linux assets where evidence is spread across multiple mounted disks or volumes, without expanding collection into unstable runtime or network-backed trees.
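As an added illustration of the traversal policy described in this item and in the Linux file system enumeration highlight above, the following is example code, not AIR's own implementation. It parses /proc/mounts-style lines (including the octal escapes that format uses for spaces), classifies each mount by filesystem type, and returns the root filesystem plus eligible local mounts while leaving pseudo, volatile, container and network filesystems out. The filesystem-type sets and the sample mount table are constructed assumptions; unknown types are deliberately not traversed.

```python
# Added example, not AIR code: decide which mounted filesystems a Linux
# enumeration should traverse. Type sets and sample data are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List

LOCAL_DISK_FS = {"ext2", "ext3", "ext4", "xfs", "btrfs", "f2fs", "jfs", "vfat",
                 "exfat", "ntfs", "ntfs3", "fuseblk", "zfs", "iso9660", "udf"}
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup", "cgroup2", "securityfs",
             "debugfs", "tracefs", "pstore", "bpf", "configfs", "fusectl", "hugetlbfs",
             "mqueue", "binfmt_misc", "autofs", "efivarfs", "rpc_pipefs", "nsfs", "selinuxfs"}
VOLATILE_FS = {"tmpfs", "ramfs"}
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "afs", "9p", "ceph", "fuse.sshfs", "glusterfs", "ocfs2"}
CONTAINER_FS = {"overlay", "aufs", "fuse.lxcfs", "squashfs"}  # layered or loop-mounted images


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: str


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'device mountpoint fstype options dump pass' lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append(Mount(parts[0], _unescape(parts[1]), parts[2], parts[3]))
    return mounts


def classify_fs(m: Mount) -> str:
    """Bucket a mount; only 'local' is traversed (allow-list, not block-list)."""
    if m.fstype in PSEUDO_FS:
        return "pseudo"
    if m.fstype in VOLATILE_FS:
        return "volatile"
    if m.fstype in NETWORK_FS:
        return "network"
    if m.fstype in CONTAINER_FS:
        return "container"
    if m.fstype in LOCAL_DISK_FS:
        return "local"
    return "unknown"


def eligible_roots(mounts: List[Mount]) -> List[str]:
    """Root filesystem plus every eligible local mount point, sorted."""
    latest: Dict[str, Mount] = {}
    for m in mounts:
        latest[m.mountpoint] = m  # a later mount at the same point shadows the earlier one
    roots = {"/"}  # the root filesystem is always enumerated
    roots.update(mp for mp, m in latest.items() if classify_fs(m) == "local")
    return sorted(roots)


# Constructed sample mount table; the vfat mount point contains an escaped space.
SAMPLE_PROC_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /mnt/evidence ext4 rw,relatime 0 0
/dev/sdc1 /media/usb\\040drive vfat rw,nosuid,nodev 0 0
fileserver:/exports/share /srv/share nfs4 rw,relatime 0 0
overlay /var/lib/docker/overlay2/l1/merged overlay rw,relatime 0 0
/dev/loop0 /snap/core/1234 squashfs ro,nodev,relatime 0 0
AFS /afs afs rw,relatime 0 0
"""

if __name__ == "__main__":
    for m in parse_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{m.mountpoint:40} {m.fstype:10} {classify_fs(m)}")
    print("traverse:", eligible_roots(parse_mounts(SAMPLE_PROC_MOUNTS)))
```

Note that /mnt/evidence and the USB volume are traversed, while /srv/share and /afs are left as single directory entries because they are network-backed.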
Linux Responders no longer flush the full connection tracking table on every service start. The cleanup now runs only when isolation artifacts are present and cleanup is actually required.
This change prevents brief network disruptions on NAT-dependent production workloads during Responder updates. It is especially relevant for customers running clustered infrastructure where even a sub-second connection reset can cause service impact.
DRONE now classifies Windows Event ID 104 as “Event Log Cleared” only when the provider matches the Windows event log provider. This prevents unrelated USB or smart card driver events from being reported as event log clearing activity.
This reduces false positives and helps analysts focus on activity that is more likely to be relevant during an investigation.
Audit log event filtering now behaves more consistently across Console processes. Customer-reported issues where event filter settings appeared stale or inconsistent after changes have been addressed. Saved audit log event filter settings are now invalidated across running processes, and the settings read path reflects the latest saved configuration more reliably. This improves confidence when administrators use “Log only selected events” or “Log all except selected events” to reduce audit log noise.
Audit log filtering controls now better preserve administrator intent. AIR improves handling around audit event selection modes so administrators can switch between logging modes with less risk of losing or misapplying selected event filters.
Outbound connector validation has been hardened across AIR Console integrations. AIR now applies a secure-by-default outbound destination validator to Console-initiated requests, including Git repository validation, event subscriptions, evidence repository validation, directory services validation, syslog validation, proxy validation, and related connector checks. SaaS deployments block non-public and cloud-metadata destinations, while on-premise deployments preserve legitimate internal connectivity with configurable allow-list controls.
Investigation Hub query handling has been secured and parameterized. Time-based and second-order query injection paths in Investigation Hub timeline count and finding exclusion-rule workflows have been fixed. Stored values are treated as untrusted at use time, and affected query paths now use safer parameter handling.
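The following added example (not AIR's code) shows the pattern this item describes: an exclusion-rule value is stored earlier and used later to build a timeline count query. In the "before" version the stored value is trusted and spliced into the SQL text, so a legitimate name containing an apostrophe already breaks the query; in the hardened version every stored value is bound as a parameter at use time. The schema, table names and sample findings are constructed, and sqlite3 stands in for the Console's database.

```python
# Added example, not AIR code: second-order injection versus parameter binding.
# Schema, table names and sample rows are constructed for illustration.
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """In-memory database with a few constructed findings and an empty rule table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE findings(id INTEGER PRIMARY KEY, asset TEXT, name TEXT, ts INTEGER);
        CREATE TABLE exclusion_rules(id INTEGER PRIMARY KEY, finding_name TEXT);
    """)
    conn.executemany("INSERT INTO findings(asset, name, ts) VALUES (?, ?, ?)", [
        ("ws-01", "Suspicious PowerShell", 100),
        ("ws-01", "O'Brien's scheduled task", 110),
        ("ws-02", "O'Brien's scheduled task", 120),
        ("ws-02", "Event Log Cleared", 130),
    ])
    return conn


def save_exclusion_rule(conn: sqlite3.Connection, finding_name: str) -> int:
    """Persist a rule. Binding here is necessary but not sufficient: the value is
    still untrusted when it is read back and used in a later query."""
    cur = conn.execute("INSERT INTO exclusion_rules(finding_name) VALUES (?)", (finding_name,))
    conn.commit()
    return cur.lastrowid


def _stored_rules(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT finding_name FROM exclusion_rules")]


def timeline_count_unsafe(conn: sqlite3.Connection, start: int, end: int) -> int:
    """'Before' pattern: stored rule values are spliced into the SQL text.
    A name containing a quote changes the statement's structure."""
    excluded = ",".join(f"'{name}'" for name in _stored_rules(conn))
    sql = f"SELECT COUNT(*) FROM findings WHERE ts BETWEEN {start} AND {end}"
    if excluded:
        sql += f" AND name NOT IN ({excluded})"
    return conn.execute(sql).fetchone()[0]


def timeline_count(conn: sqlite3.Connection, start: int, end: int) -> int:
    """Hardened: the statement shape is fixed; every value, including values read
    back from the rule table, is passed as a bound parameter."""
    rules = _stored_rules(conn)
    sql = "SELECT COUNT(*) FROM findings WHERE ts BETWEEN ? AND ?"
    params: list = [start, end]
    if rules:
        sql += " AND name NOT IN (%s)" % ",".join("?" * len(rules))
        params.extend(rules)
    return conn.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    save_exclusion_rule(db, "O'Brien's scheduled task")
    print("parameterized count:", timeline_count(db, 0, 200))
    try:
        timeline_count_unsafe(db, 0, 200)
    except sqlite3.OperationalError as exc:
        print("string-built query failed:", exc)
```

The hardened version generates one `?` placeholder per stored rule rather than quoting the values itself, which is the usual way to bind a variable-length `IN` list.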
Investigation Hub object-scope checks have been tightened. AIR now enforces authorization more consistently when listing, creating, or applying Investigation Hub exclusion rules and when building asset summary data. This prevents users from expanding results or writing exclusion rules outside their permitted investigation scope.
Stored script execution in Investigation Hub asset filters has been fixed. Asset and assignment names displayed in the Evidence Assets filter are now escaped before highlighting. Server-side validation was also added to prevent unsafe asset-name input in section creation workflows. This protects analysts from stored script execution when viewing investigation report-generation filters.
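As an added illustration of the two controls named in this item, the following is example code, not AIR's own. It escapes an asset name before wrapping search matches in highlight markup (matching on the raw text but emitting only escaped fragments), and applies a server-side name check before a value is persisted. The allowed-character policy in `validate_asset_name` and the sample names are constructed assumptions.

```python
# Added example, not AIR code: escape-then-highlight for filter display, plus a
# server-side asset-name check. The name policy and samples are constructed.
import html
import re


def highlight_unsafe(text: str, needle: str) -> str:
    """'Before' pattern: highlight the raw value, then render it as HTML.
    Any markup inside the stored name is rendered as markup."""
    return re.sub(re.escape(needle), lambda m: f"<mark>{m.group(0)}</mark>", text, flags=re.IGNORECASE)


def highlight_escaped(text: str, needle: str) -> str:
    """Escape every fragment of the value; only the <mark> tags we add are live markup."""
    if not needle:
        return html.escape(text)
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    out, pos = [], 0
    for m in pattern.finditer(text):          # match on the raw text...
        out.append(html.escape(text[pos:m.start()]))
        out.append("<mark>" + html.escape(m.group(0)) + "</mark>")  # ...emit escaped pieces
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed policy: hostname-like names only, 1-127 characters.
ASSET_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,126}$")


def validate_asset_name(name: str) -> bool:
    """Server-side check applied before a name is stored (assumed policy, not AIR's)."""
    return bool(ASSET_NAME_RE.match(name))


if __name__ == "__main__":
    stored_name = "srv-<b>prod</b>-01"   # constructed value containing markup
    print(highlight_unsafe(stored_name, "prod"))
    print(highlight_escaped(stored_name, "prod"))
    print(validate_asset_name(stored_name), validate_asset_name("srv-prod-01"))
```

Escaping after matching matters: escaping first would change the text offsets and would also let a search for `&lt;` match the escaped form rather than the stored value.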
Investigation Hub search results now open records more reliably on large datasets. AIR optimized the search-to-grid path so selecting artifact search hits is less likely to result in a timeout or an empty records view when matching data exists.
The “New evidence has been added” toast no longer appears incorrectly for task-assignment investigations. AIR now suppresses this notification for investigations that are permanently scoped to a single task assignment, avoiding confusion when the initial import completes while an analyst is already viewing the Investigation Hub.
Findings CSV export no longer duplicates the “Flags” column. Exported findings now contain a single human-readable Flags column, allowing the CSV to be re-imported without duplicate-header errors.
The Platform “Add to Filter” action in finding details now creates a valid advanced filter. AIR now falls back to an allowed operation when the requested filter operation is not supported by the selected field.
Remote repository browsing no longer shows stale results during rapid search or navigation. AIR now ignores superseded repository list responses so slow responses from earlier requests do not overwrite newer search results.
Date pattern changes no longer fail because of unchanged profile name fields. Date and time preference saves now submit only the relevant preference data, so users with identity-provider-managed names containing restricted characters can still update date formatting.
Additional month-first date formats are now available. Users can choose formats such as month/day/year and month-day-year variants from Date & Time Preferences.
Invalid license keys now produce clearer validation messages. AIR no longer reports a license server connectivity problem when the server is reachable and the actual issue is an invalid or missing license key.
PFX import no longer exposes the PFX password in the URL. The certificate import modal prevents native form submission and keeps sensitive certificate passwords out of client-visible locations.
The “Deploy your first Responder” button now updates correctly on new tenants. The empty asset page now reflects current permissions and license features reactively, so eligible administrators can start deployment without refreshing or navigating away.
Responder reinstall handling on Linux has been improved. AIR addresses a scenario where an older Responder process could remain running after uninstall and block the newly installed service from starting because the previous process still held the runtime lock.
Responder updates are safer for NAT-dependent Linux workloads. A startup cleanup path that could briefly reset established network flows on certain Linux hosts has been fixed. Customers running affected Responder versions should upgrade to the fixed Responder release before resuming automatic updates on sensitive clustered workloads.
DRONE no longer reports unrelated USB or smart card driver events as event log clearing. Event classification now checks the provider, reducing false positives in Windows event analysis.
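As an added illustration of the provider-gated classification described here and in the DRONE item above, the following is example code, not DRONE or AIR code. It contrasts an ID-only classifier with one that also requires the record's provider to be the Windows event log provider (`Microsoft-Windows-Eventlog`, the source of the genuine "log file was cleared" record), run over a few constructed event records.

```python
# Added example, not DRONE or AIR code: classify Windows Event ID 104 as an
# event-log clear only when the provider is the Windows event log provider.
# The sample records below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Provider that writes the genuine "The <channel> log file was cleared" record.
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


@dataclass(frozen=True)
class WinEvent:
    event_id: int
    provider: str
    channel: str
    message: str


def classify_by_id_only(event: WinEvent) -> Optional[str]:
    """'Before' behaviour: any Event ID 104 is reported as a log clear."""
    return "Event Log Cleared" if event.event_id == 104 else None


def classify_event(event: WinEvent) -> Optional[str]:
    """Provider-gated classification: ID 104 from other providers is ignored."""
    if event.event_id == 104 and event.provider.casefold() == EVENTLOG_PROVIDER.casefold():
        return "Event Log Cleared"
    return None


def findings(events: List[WinEvent]) -> List[Tuple[str, str]]:
    """Return (provider, label) for every event the gated classifier flags."""
    out = []
    for e in events:
        label = classify_event(e)
        if label:
            out.append((e.provider, label))
    return out


# Constructed sample: one real clear plus two unrelated drivers that reuse ID 104.
SAMPLE_EVENTS = [
    WinEvent(104, "Microsoft-Windows-Eventlog", "System", "The System log file was cleared."),
    WinEvent(104, "USBHUB3", "System", "Constructed USB hub driver status message."),
    WinEvent(104, "SCardSvr", "System", "Constructed smart card service message."),
    WinEvent(7036, "Service Control Manager", "System", "Constructed service state change."),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.event_id, e.provider, "->", classify_by_id_only(e), "|", classify_event(e))
```

Event IDs are only unique within a provider, so any detection keyed on an ID alone needs the provider (and usually the channel) as part of its condition.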
A restrictive Permissions-Policy response header has been added. AIR now explicitly disables access to browser features such as geolocation, camera, microphone, payment, USB, and motion sensors unless they are intentionally enabled in the future.
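The following added example (not AIR's code) builds the kind of header this item describes and, more usefully for a reviewer, parses a received `Permissions-Policy` header to report which of the listed features are not fully disabled. Motion sensors are covered by the `accelerometer`, `gyroscope` and `magnetometer` features; the list of required features is an assumption based on this item.

```python
# Added example, not AIR code: build and check a Permissions-Policy header.
# The required-feature list is assumed from the release note.
from typing import Dict, List

# Features the note says are disabled; "motion sensors" maps to the last three.
RESTRICTED_FEATURES = ["geolocation", "camera", "microphone", "payment", "usb",
                       "accelerometer", "gyroscope", "magnetometer"]


def build_permissions_policy(features: List[str]) -> str:
    """An empty allowlist '()' disables the feature for every origin, including self."""
    return ", ".join(f"{f}=()" for f in features)


def parse_permissions_policy(header: str) -> Dict[str, List[str]]:
    """Map each directive to its allowlist tokens ('()' -> [], '(self)' -> ['self'], '*' -> ['*'])."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(","):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            tokens = value[1:-1].split()
        else:
            tokens = [value] if value else []
        policy[name.strip().lower()] = tokens
    return policy


def unrestricted_features(header: str, required: List[str] = RESTRICTED_FEATURES) -> List[str]:
    """Features that are missing from the header or carry a non-empty allowlist."""
    policy = parse_permissions_policy(header)
    return [f for f in required if f not in policy or policy[f] != []]


if __name__ == "__main__":
    strict = build_permissions_policy(RESTRICTED_FEATURES)
    print(strict)
    print("gaps in strict header:", unrestricted_features(strict))
    print("gaps in weak header:", unrestricted_features("geolocation=(self), camera=(), usb=*"))
```

Checking the header as received, rather than the configuration that is supposed to produce it, catches the common case of a proxy or framework dropping or rewriting it.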
Console-initiated outbound requests now sanitize failure behavior more consistently. Connector validation paths no longer rely on inconsistent destination filtering, reducing internal reachability exposure in SaaS environments.
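As an added illustration of the secure-by-default destination validation described in this item and in the outbound connector hardening item above, the following is example code, not AIR's implementation. It resolves a connector hostname, judges every returned address, blocks loopback, link-local (the cloud metadata range), reserved and multicast space outright, blocks private space in a SaaS mode, and in an on-premise mode allows private space only inside administrator allow-listed networks. The deployment mode names, the allow-list semantics and the DNS table are assumptions; the resolver is injected so the example runs offline.

```python
# Added example, not AIR code: a secure-by-default validator for Console-initiated
# outbound destinations (Git, syslog, evidence repository, proxy checks and so on).
# Modes "saas"/"onprem", the allow-list semantics and the DNS table are assumptions.
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], List[str]]  # hostname -> list of address strings


def _normalize(ip):
    """Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def block_reason(ip) -> Optional[str]:
    """Why an address is non-public. Only 'private' may be allow-listed on-prem."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return "non-unicast or reserved"
    if ip.is_private:
        return "private"
    return None


def validate_destination(host: str, mode: str, resolver: Resolver,
                         allowed_networks: Iterable[str] = ()) -> dict:
    """Decide whether a Console-initiated request may reach `host`.

    "saas": every non-public address is blocked. "onprem": private space is allowed
    only inside an administrator-configured allow-listed network; loopback,
    link-local/metadata and reserved space stay blocked in both modes. On success
    the vetted addresses are returned so the caller connects to them directly
    rather than re-resolving the name (closes the DNS-rebinding window).
    """
    if mode not in ("saas", "onprem"):
        raise ValueError(f"unknown deployment mode: {mode}")
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks] if mode == "onprem" else []
    hostname = host.strip().strip("[]").lower()
    try:
        addrs = [ipaddress.ip_address(hostname)]  # literal IP: no DNS involved
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(hostname)]
    if not addrs:
        return {"allowed": False, "reason": "name did not resolve", "addresses": []}
    vetted = []
    for raw in addrs:  # every record must pass, not just the first
        ip = _normalize(raw)
        reason = block_reason(ip)
        if reason == "private" and any(ip in n for n in nets):
            reason = None
        if reason:
            return {"allowed": False, "reason": f"{ip}: {reason}", "addresses": []}
        vetted.append(str(ip))
    return {"allowed": True, "reason": None, "addresses": vetted}


# Constructed DNS table standing in for a real resolver (keeps the example offline).
FAKE_DNS: Dict[str, List[str]] = {
    "git.example.com": ["8.8.8.8"],
    "syslog.corp.internal": ["10.20.30.40"],
    "rebound.example": ["169.254.169.254"],  # A record pointing at the metadata service
    "dual.example": ["8.8.4.4", "127.0.0.1"],  # one public and one loopback record
    "mapped.example": ["::ffff:10.0.0.5"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, "saas:", validate_destination(name, "saas", fake_resolver)["reason"],
              "| onprem+10.0.0.0/8:",
              validate_destination(name, "onprem", fake_resolver, ["10.0.0.0/8"])["reason"])
```

Two details carry most of the value: a name that returns a mix of public and internal records is rejected rather than partially trusted, and the metadata range cannot be allow-listed even on-premise.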
API token metadata visibility has been improved for integrations. External consumers can retrieve token details such as expiration date, enabling better token renewal warnings and reducing failed automation caused by expired credentials.
Background worker consistency for audit logging has been improved. Multiple Console containers and workers now receive audit log setting changes more reliably, reducing discrepancies between saved settings and logged events.