Arctic Wolf Agent FAQ

Frequently Asked Questions

Overview

These are frequently asked questions (FAQs) for the Arctic Wolf® Agent.

Q: What endpoints support Arctic Wolf Agent?

A: Arctic Wolf Agent is available for desktop, laptop, and virtual machine (VM) endpoints and some cloud deployments.

Q: What operating systems support Arctic Wolf Agent?

A: Arctic Wolf Agent is available for Windows, Linux, and Mac operating systems. See "Q: How do I install Agent?" for more details.

Q: How do I install Agent?

A: To install Agent, see Arctic Wolf Agent Installation Guide.

Q: Can I pre-install Arctic Wolf Agent on a base image?

A: No, users should not pre-install the Agent on a base image. However, users can run the installer as a post-image install script after the system loads the image successfully.

Q: Where can I view Arctic Wolf Agent information?

A: You can view Arctic Wolf Agent information these ways:

Q: Does Arctic Wolf Agent cause CPU and memory usage spikes?

A: Yes, vulnerability and benchmark scans are resource intensive. For example, during a scan, it is normal to see 100% CPU utilization and at least 1 GB of RAM used. Schedule your scans accordingly if the endpoint has other resource requirements at certain times.

Q: What are the bandwidth requirements for Arctic Wolf Agent?

A: Arctic Wolf Agent requires a minimum bandwidth of 1 Mbps for both download and upload at all times, not just during a scan.

Agent deactivation FAQs

These FAQs pertain to Agent deactivation.

Q: How do I deactivate an Agent?

A: To deactivate an Agent:

  1. Confirm that the Agent is uninstalled from the device.

  2. On the Arctic Wolf Portal, navigate to the Endpoint Status page.

  3. In the Endpoints table, click the garbage can icon for the appropriate device.

    Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.

  4. In the dialog box, click Remove Endpoint.

    Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.

Q: As a Managed Risk customer, can I deactivate Agents?

A: Yes, if you are only a Managed Risk (MR) customer and you can access the Arctic Wolf Portal, you can deactivate devices in the Endpoints table. If you cannot access the Arctic Wolf Portal and you need to deactivate an Agent, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

Q: Should I uninstall the Agent before deactivating it?

A: Yes, we recommend uninstalling Agents before deactivating them. Agents that are still installed can come Online and therefore reappear in the Endpoints table.

Q: What happens if the Agent that I deactivate is still in use?

A: If you remove an Agent from the Arctic Wolf Portal that is still installed on a system, the endpoint will reappear in the Endpoints table the next time that it is Online.

Q: Does data get deleted if I remove an Agent from the Endpoints table?

A: No, if you remove an Agent from the Endpoints table, existing data for this endpoint is not deleted from Arctic Wolf internal databases.

Q: Should I deactivate Agents if they are contained?

A: No, you are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Q: Are any Agents automatically removed from the Endpoints table?

A: Yes, any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.