Configuring CrowdStrike Falcon Exclusions for Swif.ai to Prevent False Positives

Updated over a week ago

Swif's agent software may occasionally trigger false-positive detections in CrowdStrike Falcon due to its security-related functionalities. To prevent these disruptions, configure exclusions in your CrowdStrike Falcon platform.

Steps to Add an Exclusion for Swif in CrowdStrike

Step 1: Log into CrowdStrike Falcon Console

Step 2: Navigate to the Exclusion Settings

  1. From the left-hand navigation menu, select Configuration.

  2. Click File Exclusions or IOA Exclusions, depending on the exclusion type you need.

Step 3: Create a New Exclusion

  • Click Create Exclusion.

Step 4: Configure Exclusion Parameters

Fill in the exclusion details with Swif's recommended settings:

  • Exclusion type: Choose File or Folder (typically "File").

  • Platform: Select Windows, macOS, or Linux, based on your environment.

  • Exclusion Pattern:

Add the following Swif-specific file paths or processes as recommended:

Windows

C:\Program Files\Swifteam\swifteam.exe
C:\Program Files\Swifteam\gorilla.exe
C:\ProgramData\Swifteam\swifteam.exe
C:\ProgramData\Swifteam\gorilla.exe
C:\ProgramData\gorilla
C:\Users\{{USER}}\AppData\Local\gorilla

C:\Program Files\Swifteam\swifteam.exe:
This is the Swif agent binary installed on the device. Most management operations are handled through the associated service called STService. The primary functions include:

  • Retrieving device information

  • Managing certain policies

  • Handling local user operations

  • Live Terminal

C:\Program Files\Swifteam\gorilla.exe:
This binary is used for Application Management operations on the device. It is associated with the STGorilla service.

Cloned versions of these binaries are also available under the C:\ProgramData\Swifteam\ directory. Since the Program Files directory may have restricted access for some users, the agent automatically copies both swifteam.exe and gorilla.exe into ProgramData.
Through Swif's task execution system, when operations require USER-level permissions, the binaries located under C:\ProgramData\Swifteam\ are invoked.

macOS

/usr/local/swifteam/swifteam

Linux

/usr/bin/swifteam
/usr/bin/systemcheck

  • Description: Enter a descriptive text, e.g., "Swif agent file exclusion to prevent false positives."

Step 5: Apply to Policies

  • Select the relevant policies to which this exclusion should apply.

  • Click Save.

Verification

After configuring exclusions:

  • Deploy or verify Swif agent functionality to ensure no false positives occur.

  • Check CrowdStrike Falcon console alerts to confirm the exclusions are working effectively.

Recommended Best Practices

  • Regularly review your exclusion lists to ensure they remain accurate and secure.

  • Limit exclusions to essential paths to maintain optimal security posture.
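As an added example that is not part of the Swif or CrowdStrike documentation, the following PowerShell inventories the Windows paths listed in Step 4 (expanding the {{USER}} path across every local profile) and records each file's Authenticode signer and SHA-256, which gives you the evidence needed for the periodic exclusion review recommended above. It assumes a standard Windows install with PowerShell 5.1 or later and that the paths match the article.

```powershell
# Added example (not Swif's or CrowdStrike's own code): inventory what the
# Windows exclusion list above actually covers on this host.
$fixedPaths = @(
    'C:\Program Files\Swifteam\swifteam.exe',
    'C:\Program Files\Swifteam\gorilla.exe',
    'C:\ProgramData\Swifteam\swifteam.exe',
    'C:\ProgramData\Swifteam\gorilla.exe',
    'C:\ProgramData\gorilla'
)
# Expand the per-user path for every local profile, not only the current user.
$userPaths = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\gorilla' })

$report = foreach ($p in ($fixedPaths + $userPaths)) {
    if (-not (Test-Path -LiteralPath $p)) {
        # Falcon still honours an exclusion for a path that does not exist;
        # flag it so the list can be narrowed during review.
        [pscustomobject]@{ Path = $p; Exists = $false; Signer = $null; Status = $null; SHA256 = $null }
        continue
    }
    $item = Get-Item -LiteralPath $p
    if ($item.PSIsContainer) {
        # Folder exclusion: enumerate executables inside it so the reviewer sees
        # everything the folder-level exclusion shields from detection.
        $files = @(Get-ChildItem -LiteralPath $p -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue)
    } else {
        $files = @($item)
    }
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # Signer subject plus signature status confirms the excluded binary is
        # the vendor's, not an unsigned file placed into an excluded location.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path   = $f.FullName
            Exists = $true
            Signer = $signer
            Status = $sig.Status
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}
$report | Format-Table -AutoSize
# Surface missing paths and any unsigned or invalidly signed file for follow-up.
$report | Where-Object { -not $_.Exists -or $_.Status -ne 'Valid' }
```

Keep the output from the first run as a baseline; a changed hash or signer in a later run is a reason to re-examine the exclusion rather than renew it unchanged.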

If further assistance is required, contact Swif support or CrowdStrike support.