Antivirus Exceptions
When deploying the Breeze agent without code-signed binaries, endpoint protection software may flag, quarantine, or block the agent. This guide covers the exclusions needed for each platform.
Why Exclusions Are Needed
The Breeze agent is a single Go binary that:
- Runs as a system service with elevated privileges
- Opens persistent WebSocket connections to your Breeze server
- Executes scripts and commands on behalf of remote administrators
- Spawns child processes (terminal sessions, user helper, discovery scans)
- Reads hardware and software inventory from the system
These behaviors overlap with patterns that heuristic-based antivirus engines flag as suspicious. Without code signing, there is no publisher reputation to offset the heuristic score.
Paths to Exclude
Agent Binary
| OS | Default Path |
|---|---|
| Linux | /usr/local/bin/breeze-agent |
| macOS | /usr/local/bin/breeze-agent |
| Windows | C:\Program Files\Breeze\breeze-agent.exe |
Configuration Directory
| OS | Path |
|---|---|
| Linux | /etc/breeze/ |
| macOS | /Library/Application Support/Breeze/ |
| Windows | C:\ProgramData\Breeze\ |
Log Directory
| OS | Path |
|---|---|
| Linux | /var/log/breeze/ |
| macOS | /Library/Application Support/Breeze/logs/ |
| Windows | C:\ProgramData\Breeze\logs\ |
User Helper (if installed)
| OS | Path |
|---|---|
| Linux | /usr/local/bin/breeze-helper |
| macOS | /usr/local/bin/breeze-helper |
| Windows | C:\Program Files\Breeze\breeze-helper.exe |
Windows
Microsoft Defender
Run as Administrator:

```powershell
# Process exclusions
Add-MpPreference -ExclusionProcess "C:\Program Files\Breeze\breeze-agent.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Breeze\breeze-helper.exe"

# Path exclusions (config, logs, working directories)
Add-MpPreference -ExclusionPath "C:\Program Files\Breeze"
Add-MpPreference -ExclusionPath "C:\ProgramData\Breeze"

# Verify
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

For fleet deployment via GPO:
- Open Group Policy Management and create or edit a GPO linked to the target OU.
- Navigate to Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions.
- Under Path Exclusions, add `C:\Program Files\Breeze` and `C:\ProgramData\Breeze`.
- Under Process Exclusions, add `C:\Program Files\Breeze\breeze-agent.exe` and `C:\Program Files\Breeze\breeze-helper.exe`.
- Run `gpupdate /force` on target machines or wait for the next policy refresh.
For Microsoft Intune-managed devices:
- Go to Endpoint security → Antivirus → Create policy.
- Select Windows 10/11 and Microsoft Defender Antivirus exclusions.
- Add the following exclusions:

| Type | Value |
|---|---|
| Process | C:\Program Files\Breeze\breeze-agent.exe |
| Process | C:\Program Files\Breeze\breeze-helper.exe |
| Folder | C:\Program Files\Breeze |
| Folder | C:\ProgramData\Breeze |

- Assign the policy to the appropriate device groups.
Windows SmartScreen
SmartScreen may block the initial download or execution of an unsigned .exe. To bypass for a single file:
- Right-click the binary → Properties → check Unblock → OK
- Or run from an elevated PowerShell:

```powershell
Unblock-File "C:\Program Files\Breeze\breeze-agent.exe"
```
For MSI deployments via GPO/SCCM/Intune, SmartScreen does not interfere since the installer runs silently under SYSTEM.
Third-Party Antivirus (Windows)
For products like CrowdStrike, SentinelOne, Sophos, Bitdefender, etc., add both process and path exclusions:
| Exclusion Type | Value |
|---|---|
| Process / Application | C:\Program Files\Breeze\breeze-agent.exe |
| Process / Application | C:\Program Files\Breeze\breeze-helper.exe |
| Directory | C:\Program Files\Breeze\ |
| Directory | C:\ProgramData\Breeze\ |
CrowdStrike Falcon
- In the Falcon console, go to Configuration → Prevention Policies.
- Select the relevant policy → Machine Learning Exclusions.
- Add a pattern: `C:\Program Files\Breeze\**`
- Under IOA Exclusions, add the process path for breeze-agent.exe.
SentinelOne
- In the management console, go to Sentinels → Exclusions.
- Add a Path exclusion: `C:\Program Files\Breeze\`
- Add a Signer Identity or Hash exclusion if the binary hash is stable across your builds.
Sophos
- In Sophos Central, go to Global Settings → General → Global Exclusions.
- Add exclusions for the process and directory paths listed above.
macOS
Gatekeeper
macOS Gatekeeper blocks unsigned binaries downloaded from the internet. See the installation guide for the xattr command to remove the quarantine flag.
For MDM-managed fleets, deploy the binary via your MDM profile to bypass Gatekeeper entirely.
XProtect
XProtect performs signature-based malware checks. It does not typically flag custom Go binaries, but if it does:

```sh
# Check if the binary is quarantined
xattr -l /usr/local/bin/breeze-agent

# Remove all extended attributes
sudo xattr -c /usr/local/bin/breeze-agent
```

Third-Party Antivirus (macOS)
For products like CrowdStrike, SentinelOne, or Jamf Protect, add these exclusions:
| Exclusion Type | Value |
|---|---|
| Process | /usr/local/bin/breeze-agent |
| Process | /usr/local/bin/breeze-helper |
| Directory | /Library/Application Support/Breeze/ |
| Directory | /etc/breeze/ (if symlinked) |
MDM Configuration Profile
For managed fleets, deploy a configuration profile to suppress Gatekeeper and TCC prompts:

```xml
<!-- Gatekeeper: allow identified developers + unsigned -->
<key>AllowIdentifiedDevelopers</key>
<true/>
<key>EnableAssessment</key>
<false/>
```

Linux
Linux antivirus is less common but increasingly used in enterprise environments.
SELinux
If SELinux is in enforcing mode, the agent may be blocked from binding sockets, executing scripts, or accessing certain paths. Create a custom policy module:

```sh
# Generate a policy from audit denials
sudo ausearch -m avc -ts recent | audit2allow -M breeze-agent

# Install the module
sudo semodule -i breeze-agent.pp

# Verify
sudo semodule -l | grep breeze
```

Alternatively, label the binary with an appropriate SELinux type:

```sh
sudo semanage fcontext -a -t bin_t "/usr/local/bin/breeze-agent"
sudo restorecon -v /usr/local/bin/breeze-agent
```

AppArmor
On Ubuntu/Debian systems with AppArmor, create a permissive profile if the agent is blocked:

```sh
# Create a basic profile
sudo aa-autodep /usr/local/bin/breeze-agent

# Set to complain mode (log but don't block)
sudo aa-complain /usr/local/bin/breeze-agent

# After verifying logs, enforce if desired
# sudo aa-enforce /usr/local/bin/breeze-agent
```

ClamAV
If ClamAV’s on-access scanner flags the binary:

```
# Add to /etc/clamav/clamd.conf
ExcludePath ^/usr/local/bin/breeze-agent$
ExcludePath ^/etc/breeze/
ExcludePath ^/var/log/breeze/
```

Restart the ClamAV daemon after changes: `sudo systemctl restart clamav-daemon`
Third-Party EDR (Linux)
For CrowdStrike, SentinelOne, or similar:
| Exclusion Type | Value |
|---|---|
| Process | /usr/local/bin/breeze-agent |
| Directory | /etc/breeze/ |
| Directory | /var/log/breeze/ |
Verifying Exclusions
After configuring exclusions, verify the agent runs without interference:

```sh
# Check agent service status
sudo breeze-agent service status

# Watch logs for AV-related errors
# Linux
sudo journalctl -u breeze-agent -f

# macOS
sudo tail -f "/Library/Application Support/Breeze/logs/agent.log"
```

```powershell
# Windows (PowerShell)
Get-Content "C:\ProgramData\Breeze\logs\agent.log" -Wait
```

Common symptoms of AV interference:
| Symptom | Likely Cause |
|---|---|
| Agent binary deleted or moved to quarantine | Real-time scan flagging the unsigned binary |
| Agent service starts then stops immediately | On-execution scan blocking the process |
| Intermittent WebSocket disconnections | Network inspection blocking persistent connections |
| Script execution failures | Behavior-based detection blocking child processes |
| High CPU usage from agent process | On-access scanning of agent I/O operations |
Minimum Exclusion Summary
For quick reference, here are the minimum exclusions needed per platform:

Windows
Processes:
- C:\Program Files\Breeze\breeze-agent.exe
- C:\Program Files\Breeze\breeze-helper.exe
Directories:
- C:\Program Files\Breeze\
- C:\ProgramData\Breeze\

macOS
Processes:
- /usr/local/bin/breeze-agent
- /usr/local/bin/breeze-helper
Directories:
- /Library/Application Support/Breeze/

Linux
Processes:
- /usr/local/bin/breeze-agent
Directories:
- /etc/breeze/
- /var/log/breeze/