Sometimes, endpoint security products like Sophos can mistakenly identify the Swif agent as a threat or unwanted program. This can lead to an automatic removal of the Swif agent, causing management issues. To resolve this, you need to exclude the Swif agent from Sophos scanning. By creating an exclusion (also known as whitelisting) in Sophos, you ensure that it won’t quarantine or delete the Swif agent files.
Steps to Exclude the Swif Agent in Sophos
1. Gather Swif Agent Information
Identify the installation path of the Swif agent (for example: C:\Program Files\Swif\SwifAgent.exe) or its file hashes (if you have them).
If you aren’t sure, contact Swif Support or check your deployment notes to confirm the exact path.
2. Sign In to the Sophos Admin Console
Log in to Sophos Central with your administrator credentials.
3. Navigate to Global Settings > Global Exclusions
Look for the Global Settings section in the left-hand menu (label may vary by Sophos version).
Select Global Exclusions, where you can add files, folders, or processes to exclude from scanning.
4. Add a New Exclusion
Click Add Exclusion (or a similar button, depending on your Sophos version).
Specify the type of exclusion (e.g., “File or Folder”).
Enter the Swif agent path (e.g., C:\Program Files\Swif\SwifAgent.exe) or the directory containing the agent.
If Sophos offers threat or detection type options, select “All threats” or ensure that the agent is excluded from both Real-Time Scanning and Behavioral/Exploit Protection.
Optional: If you know the file hash (SHA-256, MD5), you can add a hash-based exclusion as well—especially useful if the path can vary.
Tip: You may need to create multiple exclusions if the Swif agent has multiple executables or if your environment uses separate scanning policies for different threats.
5. Save and Apply
Confirm the exclusion details, then click Save, OK, or Add (depending on the console version).
Sophos should now distribute this updated exclusion policy to endpoints.
6. Verify the Exclusion on Endpoints
On a test device, reinstall or update the Swif agent if needed.
Check Sophos logs to confirm it no longer flags or removes SwifAgent.exe.
If Sophos still attempts to quarantine the agent, verify that the exclusion is correctly configured and that there are no additional policy settings overriding global exclusions.
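To gather the hashes mentioned in step 1 and to find every executable that may need its own exclusion (the tip in step 4), a PowerShell script like the following can be run on a device where the agent is installed. It is an added example, not part of Swif's or Sophos's documentation, and it assumes the agent is installed under C:\Program Files\Swif, the example path used above; the -AgentDir and -CsvPath parameter names are chosen for this example.

```powershell
# Added example (not Swif or Sophos tooling): list every Swif agent executable with
# its SHA-256 hash and Authenticode signature status before creating exclusions.
# Assumption: the agent is installed under the example path used in this article.
param(
    [string]$AgentDir = 'C:\Program Files\Swif',
    [string]$CsvPath  = ''   # optional: write the inventory to this CSV file
)

if (-not (Test-Path -LiteralPath $AgentDir -PathType Container)) {
    Write-Error "Agent directory not found: $AgentDir. Confirm the exact path first."
    exit 1
}

# Collect all executables, including any in subfolders, since each one may need
# its own path-based or hash-based exclusion.
$executables = Get-ChildItem -LiteralPath $AgentDir -Recurse -File |
    Where-Object { $_.Extension -eq '.exe' }

if (-not $executables) {
    Write-Warning "No .exe files found under $AgentDir."
    exit 0
}

$inventory = foreach ($file in $executables) {
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        Path            = $file.FullName
        SHA256          = $hash.Hash
        FileVersion     = $file.VersionInfo.FileVersion
        SignatureStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Show the full, untruncated values so they can be copied into the exclusion form.
$inventory | Format-List

if ($CsvPath) {
    $inventory | Export-Csv -LiteralPath $CsvPath -NoTypeInformation
}
```

The SHA-256 values change whenever the agent is updated or reinstalled, so re-run the script after each update if you rely on hash-based exclusions.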
Troubleshooting Tips
Multiple Sophos Policies:
Ensure you’ve added the agent path to all relevant policies (e.g., server vs. workstation policy, different groups). If the device belongs to a specific policy group that doesn’t have the new exclusion, Sophos might still remove it.
Hash vs. Path Exclusion:
If your environment often updates or reinstalls the Swif agent, a folder path exclusion (e.g., C:\Program Files\Swif\*) may be more reliable than a hash-based exclusion.
Conversely, if you want more precision, a hash-based exclusion ensures only that specific file is allowed.
Endpoint Reboot:
Sometimes Sophos requires a device restart for the new policy to take full effect. If you still see issues, try rebooting the endpoint.
Review Real-Time Scanning Exceptions:
Sophos has separate categories of scanning (e.g., on-access, on-demand, exploit prevention). Confirm that your exclusion applies to all relevant scanning layers.
Contact Sophos:
If the agent still gets removed, open a case with Sophos support. Provide them with logs showing that the file was quarantined or deleted despite your whitelisting efforts.
Further Reading
Sophos Documentation: Exclusion Variables on Windows
This official doc shows how to add exclusions and handle variable paths or detection types in Sophos Central.
Summary
To keep the Swif agent running smoothly on endpoints protected by Sophos, add the agent’s file path (and/or file hash) as an exclusion. Once excluded at the global or policy level, Sophos will stop flagging the agent, allowing it to function uninterrupted. If you have any further questions or run into difficulties, please reach out to Swif Support or your Sophos representative.