Swif's agent software may occasionally trigger false-positive detections in CrowdStrike Falcon because of its security-related functionality (for example the Live Terminal and local user operations described below). To prevent these disruptions, configure exclusions in your CrowdStrike Falcon platform.
Steps to Add an Exclusion for Swif in CrowdStrike
Step 1: Log into CrowdStrike Falcon Console
Access your CrowdStrike Falcon Console.
Step 2: Navigate to the Exclusion Settings
From the left-hand navigation menu, select Configuration.
Click File Exclusions or IOA Exclusions, depending on the exclusion type you need.
Step 3: Create a New Exclusion
Click Create Exclusion.
Step 4: Configure Exclusion Parameters
Fill in the exclusion details with Swif's recommended settings:
Exclusion type: Choose File or Folder (typically "File").
Platform: Select Windows, macOS, or Linux, based on your environment.
Exclusion Pattern:
Add the following Swif-specific file paths or processes as recommended:
Windows
C:\Program Files\Swifteam\swifteam.exe
C:\Program Files\Swifteam\gorilla.exe
C:\ProgramData\Swifteam\swifteam.exe
C:\ProgramData\Swifteam\gorilla.exe
C:\ProgramData\gorilla
C:\Users\{{USER}}\AppData\Local\gorilla
C:\Program Files\Swifteam\swifteam.exe:
This is the Swif agent binary installed on the device. Most management operations are handled through the associated service called STService. The primary functions include:
Retrieving device information
Managing certain policies
Handling local user operations
Live Terminal
C:\Program Files\Swifteam\gorilla.exe:
This binary is used for Application Management operations on the device. It is associated with the STGorilla service.
Copies of these binaries are also present under the C:\ProgramData\Swifteam\ directory. Because the Program Files directory may have restricted access for some users, the agent automatically copies both swifteam.exe and gorilla.exe into ProgramData.
When a task from Swif's task execution system requires USER-level permissions, the copies located under C:\ProgramData\Swifteam\ are the binaries that are invoked.
macOS
/usr/local/swifteam/swifteam
Linux
/usr/bin/swifteam
/usr/bin/systemcheck
Description: Enter a descriptive text, e.g., "Swif agent file exclusion to prevent false positives."
Step 5: Apply to Policies
Select the relevant policies to which this exclusion should apply.
Click Save.
Verification
After configuring exclusions:
Deploy the Swif agent, or exercise an existing installation, and confirm that no false-positive detections occur for the excluded paths.
Check CrowdStrike Falcon console alerts to confirm the exclusions are working effectively.
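As an added verification script (not Swif's or CrowdStrike's own tooling), the following PowerShell inventories the Windows exclusion targets from Step 4 on an endpoint: it confirms each file exists and records its SHA256 hash and Authenticode signer, flags folder targets that standard users can write to (where a folder exclusion weakens detection coverage), and checks that the STService and STGorilla services resolve to the excluded binaries. It assumes the paths and service names listed in this article and expands {{USER}} to the current user's profile.

```powershell
# Added example: inventory the Swif exclusion targets from this article before
# creating the CrowdStrike exclusions. Run in an elevated PowerShell session.
# Assumptions: paths and service names (STService, STGorilla) are taken from the
# article; {{USER}} is expanded to the current user's profile.

$files = @(
    'C:\Program Files\Swifteam\swifteam.exe',
    'C:\Program Files\Swifteam\gorilla.exe',
    'C:\ProgramData\Swifteam\swifteam.exe',
    'C:\ProgramData\Swifteam\gorilla.exe'
)
$folders = @(
    'C:\ProgramData\gorilla',
    (Join-Path $env:LOCALAPPDATA 'gorilla')   # article's C:\Users\{{USER}}\AppData\Local\gorilla
)

Write-Host "== File targets: existence, SHA256, Authenticode signer =="
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        Write-Host "MISSING  $f"; continue
    }
    $hash   = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    Write-Host ("{0,-8} {1}`n         sha256={2}`n         signature={3} signer={4}" -f 'OK', $f, $hash, $sig.Status, $signer)
}

Write-Host "`n== Folder targets: can standard users write here? (coarse ACL check) =="
foreach ($d in $folders) {
    if (-not (Test-Path -LiteralPath $d -PathType Container)) { Write-Host "MISSING  $d"; continue }
    $acl = Get-Acl -LiteralPath $d
    $userWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users|Everyone' -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    }
    $flag = if ($userWrite) { 'USER-WRITABLE (folder exclusion weakens coverage here)' } else { 'not user-writable' }
    Write-Host "$flag  $d"
}

Write-Host "`n== Services named in the article: binary path should match an excluded file =="
foreach ($svc in 'STService', 'STGorilla') {
    $w = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($w) { Write-Host "$svc -> $($w.PathName) (state: $($w.State))" } else { Write-Host "$svc not installed" }
}
```

Record the hashes and signer reported for the files alongside the exclusion's description so later reviews can confirm the excluded paths still hold the same signed Swif binaries.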
Recommended Best Practices
Regularly review your exclusion lists to ensure they remain accurate and secure.
Limit exclusions to the specific binaries and paths listed above; prefer file exclusions over folder exclusions, and take particular care with the folders under ProgramData and a user's AppData, which may be writable by standard users.
If further assistance is required, contact Swif support or CrowdStrike support.