
Avoiding the “Reverse Shell” Warning with Swif Live Terminal

Updated this week

Some endpoint security tools (such as CrowdStrike) may flag Swif’s Live Terminal feature as potential “reverse shell” or “command injection” activity, especially on Linux devices (including Arch Linux). This article explains what triggers the detection, why it is expected, admin-controlled behavior of the Swif agent rather than an intrusion, and how to configure Swif (or your security tool) so the alerts stop.


What’s triggering the warning?

Swif’s Live Terminal feature allows authorized admins to open an interactive shell on a managed device for troubleshooting. To provide that shell, the Swif agent on the endpoint:

  • Opens a secure MQTT connection to the Swif backend

  • Starts a /bin/bash process on the endpoint when Live Terminal is enabled

Some EDR/AV products classify this combination (an outbound connection followed by an interactive shell spawned by the same process) as “reverse shell–like” and may:

  • Raise alerts

  • Block the swif processes or the spawned bash process

  • Interrupt Live Terminal sessions

In affected environments the alert repeats for as long as Live Terminal is enabled at the team level. The Swif agent periodically re-reads the team settings; each time it finds Live Terminal still enabled, it re-opens the MQTT connection and starts /bin/bash again, which re-triggers the detection.


Option 1: Disable Live Terminal to stop the warnings

If your team does not need Live Terminal, the simplest way to eliminate the warnings is to fully disable this feature.

Step-by-step: Disable Live Terminal in Swif

  1. Sign in to your Swif admin console.

  2. Go to Settings (or your organization / team settings area).

  3. Locate the Live Terminal setting under your device or security tools section.

  4. Toggle Live Terminal off for the team / organization.

  5. Save your changes.

Once Live Terminal is disabled:

  • The agent will detect the updated team settings.

  • It will stop opening the MQTT connection and /bin/bash process.

  • Your EDR should no longer see Swif behavior that looks like a reverse shell.

Note: This is the recommended approach if your security team prefers not to allow remote shell capabilities at all.


Option 2: Keep Live Terminal, but tune your security tool

If you rely on Live Terminal (for example, for remote troubleshooting or incident response), you can keep using it and work with your security tool to treat Swif behavior as expected and safe.

What to configure in your EDR/AV (e.g., CrowdStrike)

Each security product is different, but generally you’ll need to:

  1. Create an exception / safelist rule for:

    • The Swif agent binaries/processes; and

    • The specific pattern where Swif launches /bin/bash as part of Live Terminal.

  2. Scope the exception to:

    • Known Swif binaries and their installation path; and

    • Trusted users / groups (your admins) where possible.

  3. Ensure the rule is applied to:

    • The relevant Linux platforms, such as Arch Linux, where you are seeing the alerts.

This configuration should be created and approved by your security team. From a security perspective, the behavior is equivalent to an admin-initiated remote support shell, so the exception should be scoped to exactly that pattern: match the agent by its full installation path rather than by process name alone, so that a look-alike binary dropped somewhere else still alerts, and where your tool allows it, prefer lowering the severity or tagging the detection as expected over a blanket exclusion, so that telemetry for whatever is run inside a Live Terminal session is still collected.

If you’re working with CrowdStrike specifically, you would:

  • Submit a safelist / whitelist request to CrowdStrike that includes:

    • Swif agent process names and paths

    • The command-line pattern used to start /bin/bash for Live Terminal

    • Confirmation that this activity is expected for your environment

  • Apply any recommended policy changes they provide for your tenant.
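The following is an added example, not code from Swif or CrowdStrike, that models the decision described under “What’s triggering the warning?” and the scoped exception described in this section. A generic rule flags any process that spawns an interactive shell while holding an outbound connection; an allow rule then marks the event as expected only when the parent process matches the trusted agent’s exact installation path, runs as the expected service account, is on a platform the exception was approved for, and is connected to the expected broker port. The agent path /opt/swif/agent, the service account root, the MQTT port 8883 and the sample events are all constructed for the demonstration; the real values come from your Swif deployment and your EDR’s process telemetry. The example goes one step beyond the article by also showing that a look-alike binary at a different path still alerts, which is why the exception should key on the full path rather than the process name.

```python
"""Triage of reverse-shell-like process events against a scoped allow rule.

Added example (not Swif's or CrowdStrike's code). A generic detection flags
any process that spawns an interactive shell while holding an outbound
connection; an allow rule then downgrades the event to "expected" only when
the parent matches the trusted agent exactly. Paths, accounts, ports and
events below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed values: the real ones come from your Swif install and EDR telemetry.
ASSUMED_AGENT_PATH = "/opt/swif/agent"
ASSUMED_SERVICE_USER = "root"
ASSUMED_BROKER_PORT = 8883  # MQTT over TLS; an assumption, not stated by the article

INTERACTIVE_SHELLS = frozenset({"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"})


@dataclass(frozen=True)
class ProcEvent:
    """One process-spawn event as an EDR would record it."""
    host: str
    platform: str               # e.g. "arch", "ubuntu"
    parent_path: str            # full path of the spawning process
    parent_user: str            # account the spawning process runs as
    child_path: str             # image that was spawned
    remote_port: Optional[int]  # outbound connection held by the parent, if any


@dataclass(frozen=True)
class AllowRule:
    """Scoped exception: every field must match for the event to be expected."""
    agent_paths: frozenset      # exact installation paths, never bare names
    service_users: frozenset    # account(s) the agent service runs under
    platforms: frozenset        # platforms the exception is approved for
    broker_ports: frozenset     # expected remote port(s) of the MQTT broker


def looks_like_reverse_shell(ev: ProcEvent) -> bool:
    """Generic rule: interactive shell spawned by a process with an outbound connection."""
    return ev.child_path in INTERACTIVE_SHELLS and ev.remote_port is not None


def matches_allow_rule(ev: ProcEvent, rule: AllowRule) -> bool:
    """True only when parent path, account, platform and destination all match."""
    return (
        ev.parent_path in rule.agent_paths
        and ev.parent_user in rule.service_users
        and ev.platform in rule.platforms
        and ev.remote_port in rule.broker_ports
    )


def triage(ev: ProcEvent, rule: AllowRule) -> str:
    """Return "ignore", "expected" or "alert" for one event."""
    if not looks_like_reverse_shell(ev):
        return "ignore"
    return "expected" if matches_allow_rule(ev, rule) else "alert"


def triage_all(events, rule):
    """Apply triage to a batch of events; returns (host, verdict) pairs."""
    return [(ev.host, triage(ev, rule)) for ev in events]


LIVE_TERMINAL_RULE = AllowRule(
    agent_paths=frozenset({ASSUMED_AGENT_PATH}),
    service_users=frozenset({ASSUMED_SERVICE_USER}),
    platforms=frozenset({"arch"}),
    broker_ports=frozenset({ASSUMED_BROKER_PORT}),
)

# Constructed sample events.
SAMPLE_EVENTS = [
    # Swif agent on Arch opening Live Terminal: the pattern the article describes.
    ProcEvent("arch-01", "arch", ASSUMED_AGENT_PATH, "root", "/bin/bash", ASSUMED_BROKER_PORT),
    # Look-alike binary at another path: name-based safelisting would miss this.
    ProcEvent("arch-02", "arch", "/tmp/.cache/swif-agent", "root", "/bin/bash", 4444),
    # Real agent path but an unexpected destination port.
    ProcEvent("arch-03", "arch", ASSUMED_AGENT_PATH, "root", "/bin/bash", 4444),
    # Same behaviour on a platform the exception was not approved for.
    ProcEvent("ubuntu-01", "ubuntu", ASSUMED_AGENT_PATH, "root", "/bin/bash", ASSUMED_BROKER_PORT),
    # Shell spawn with no network connection: the generic rule does not fire.
    ProcEvent("arch-04", "arch", "/usr/bin/vim", "alice", "/bin/sh", None),
]

if __name__ == "__main__":
    for host, verdict in triage_all(SAMPLE_EVENTS, LIVE_TERMINAL_RULE):
        print(f"{host}: {verdict}")
```

Note that the EDR event only shows the account the agent runs under. The Swif admin who actually opened the session is recorded in Swif’s own audit log, not in the endpoint process event, so “trusted users” scoping in the EDR applies to the agent’s service account, and the admin-level audit trail has to come from Swif.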


Recommended approach for most customers

  • If you don’t actively use Live Terminal:

    • Disable it at the team / org settings level.

    • Confirm that the alerts stop after the agents update their configuration.

  • If you do use Live Terminal:

    • Keep it enabled.

    • Work with your security team to:

      • Add safelisting / allow rules for Swif’s Live Terminal behavior, and

      • Ensure any alerts are classified as known, expected behavior rather than high-risk incidents.


Frequently Asked Questions

Is Swif actually creating a malicious reverse shell?

No. The behavior is:

  • Initiated and controlled by your authenticated Swif admins

  • Logged and auditable within Swif

  • Used strictly for legitimate remote administration of enrolled devices

However, because the pattern is the same one a reverse shell uses (a process holding a remote connection spawns /bin/bash), some tools will flag it generically.

Do I have to disable the feature on every device?

No. Disabling Live Terminal at the team/organization settings level is enough. The agents periodically check those settings; when they see that Live Terminal is disabled, they will not open the MQTT connection or start /bin/bash for Live Terminal.
