Arctic Wolf Agent FAQ

Frequently Asked Questions

Updated Nov 7, 2022

Overview

These are frequently asked questions (FAQs) for the Arctic Wolf® Agent.

Q: What endpoints support Arctic Wolf Agent?

A: Arctic Wolf Agent is available for desktop, laptop, and virtual machine (VM) endpoints and some cloud deployments.

Q: What operating systems support Arctic Wolf Agent?

A: Arctic Wolf Agent is available for Windows, Linux, and macOS. See Q: How do I install Agent? for more details.

Q: How do I install Agent?

A: To install Agent, see Arctic Wolf Agent Installation Guide.

Q: Can I pre-install Arctic Wolf Agent on a base image?

A: No. Do not pre-install the Agent on a base image. Instead, run the installer as a post-image install script after the system has loaded the image successfully.

Q: Where can I view Arctic Wolf Agent information?

A: You can view Arctic Wolf Agent information these ways:

Q: How does Agent update?

A: Agent checks for updates automatically every hour. If an update is available, Agent downloads the update installer from its Amazon Simple Storage Service (S3) URL; if that download fails, it falls back to downloading the installer through the REST API. Once the installer is downloaded, Agent runs it in the background and removes the old version. Updates are pushed to Agents on all endpoints unless you specifically block an update, for example for Advanced Threat Protection (ATP) testing. The Agent Manager binary performs the download over TCP port 443, so endpoints need outbound access on port 443 for both the S3 and REST API paths.

Q: Does Arctic Wolf Agent cause CPU and memory usage spikes?

A: Yes. Vulnerability and benchmark scans are resource intensive. For example, during a scan it is normal to see 100% CPU utilization and at least 1 GB of RAM in use. If an endpoint has other resource demands at particular times, schedule scans around them.

Q: What are the bandwidth requirements for Arctic Wolf Agent?

A: Arctic Wolf Agent requires a sustained minimum of 1 Mbps download and 1 Mbps upload at all times, not just during a scan.

Q: Does Arctic Wolf Agent forward all event logs to Arctic Wolf?

A: No. Arctic Wolf Agent does not forward all event logs to Arctic Wolf for storage. Agent is not a replacement for the off-site log storage required to meet industry compliance requirements.

Q: What Windows Event Logs does Arctic Wolf Agent forward to Arctic Wolf?

A: Without Sysmon, Arctic Wolf Agent captures a limited set of security-relevant Windows events, such as Active Directory (AD) lockouts of administrator accounts, AD sign-in failures for high-criticality users, and Kerberos replay attacks. When Sysmon is installed on the device, Arctic Wolf Agent can detect additional events, such as process creation, driver loading, and possibly malicious PowerShell activity.
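Because the richer detections above depend on Sysmon being present and logging, it is worth confirming both on a device before assuming that coverage. The following PowerShell is an added example, not Arctic Wolf's own code: it checks for the Sysmon service and counts the two Sysmon event types the answer names (process creation and driver load) over the last 24 hours. It assumes a default Sysmon installation (service name Sysmon or Sysmon64, log channel Microsoft-Windows-Sysmon/Operational) and uses the Sysinternals-documented event IDs 1 (Process Create) and 6 (Driver Loaded).

```powershell
# Added example (not Arctic Wolf code). Run as an administrator on the endpoint.
# Assumption: Sysmon was installed with its default service name and log channel.

function Get-SysmonCoverage {
    param([int]$Hours = 24)

    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $svc) {
        return [pscustomobject]@{
            SysmonInstalled = $false
            ServiceStatus   = $null
            ProcessCreate   = 0
            DriverLoaded    = 0
            Note            = 'Sysmon not found: Agent captures only its limited default Windows event set.'
        }
    }

    # Sysmon event IDs documented by Sysinternals: 1 = Process Create, 6 = Driver Loaded
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 6
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $byId = @{}
    foreach ($e in $events) { $byId[$e.Id] = 1 + [int]$byId[$e.Id] }

    $note = if ($svc.Status -ne 'Running') {
        'Sysmon service is not running; no new Sysmon events will be produced.'
    } elseif (-not $events) {
        'Sysmon is running but the Operational log has no process/driver events in the window; check the Sysmon configuration.'
    } else {
        'Sysmon is running and producing the event types the Agent can consume.'
    }

    [pscustomobject]@{
        SysmonInstalled = $true
        ServiceStatus   = $svc.Status
        ProcessCreate   = [int]$byId[1]
        DriverLoaded    = [int]$byId[6]
        Note            = $note
    }
}

Get-SysmonCoverage -Hours 24 | Format-List
```

A result with SysmonInstalled true, ServiceStatus Running, and non-zero ProcessCreate counts is the state in which the extended detections can work; a stopped service or an empty log is the common silent failure on images where Sysmon was installed but its driver or configuration was later removed.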

Q: Which Windows services for Agent have a manual startup?

A: The following Windows services for Agent have a manual startup:

These services are controlled by the Arctic Wolf Agent Manager service; no additional action is required to start or stop them.

Agent deactivation FAQs

These FAQs pertain to Agent deactivation.

Q: How do I deactivate an Agent?

A: To deactivate an Agent:

  1. Confirm that the Agent is uninstalled from the device.

  2. On the Arctic Wolf Portal, navigate to the Endpoint Status page.

  3. In the Endpoints table, click the garbage can icon for the appropriate device.

    Tip: You can only remove devices that are Offline. The Portal marks a device Offline only after the Agent on it has not checked in for 72 hours, so after uninstalling the Agent expect to wait at least 72 hours before the device can be removed.

  4. In the dialog box, click Remove Endpoint.

    Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.
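Step 1 above and the earlier question about manual-startup services both come down to the same local check: which Arctic Wolf services are registered on the device and how they are set to start. The following PowerShell is an added example, not Arctic Wolf's own tooling. It assumes that the Agent's Windows services and its Programs and Features entry carry "Arctic Wolf" in their display names (the exact service names are not given on this page). On an installed device it lists the services with their start mode (Manual for the ones the Agent Manager service controls); on a correctly uninstalled device both checks return nothing, which is the state to confirm before removing the endpoint in the Portal.

```powershell
# Added example (not Arctic Wolf code). Run as an administrator on the endpoint.
# Assumption: Arctic Wolf service and uninstall display names contain "Arctic Wolf".

function Get-ArcticWolfServices {
    # Win32_Service exposes StartMode (Auto, Manual, Disabled) and the current State.
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%Arctic Wolf%'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Get-ArcticWolfUninstallEntries {
    # Both the native and the 32-bit (WOW6432Node) uninstall hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Arctic Wolf*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Test-ArcticWolfAgentRemoved {
    $services = @(Get-ArcticWolfServices)
    $entries  = @(Get-ArcticWolfUninstallEntries)

    if ($services.Count -gt 0) {
        Write-Output 'Arctic Wolf services still registered (StartMode Manual = started and stopped by the Agent Manager service):'
        $services | Format-Table -AutoSize | Out-String | Write-Output
    }
    if ($entries.Count -gt 0) {
        Write-Output 'Arctic Wolf uninstall entries still present:'
        $entries | Format-Table -AutoSize | Out-String | Write-Output
    }

    $removed = ($services.Count -eq 0 -and $entries.Count -eq 0)
    if ($removed) {
        Write-Output 'No Arctic Wolf services or uninstall entries found; the Agent appears to be uninstalled.'
        Write-Output 'Wait for the Portal to show the device Offline (no check-in for 72 hours) before removing it from the Endpoints table.'
    } else {
        Write-Output 'Agent components remain. Uninstall first; a device that is still reporting will reappear in the Endpoints table if removed.'
    }
    return $removed
}

Test-ArcticWolfAgentRemoved
```

The function returns $true only when neither check finds anything, so it can be used as the exit condition of a fleet-wide decommissioning script before anyone touches the Portal.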

Q: As a Managed Risk customer can I deactivate Agents?

A: Yes. If you are only a Managed Risk (MR) customer and you have access to the Arctic Wolf Portal, you can deactivate devices in the Endpoints table. If you do not have Portal access and need to deactivate an Agent, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

Q: Should I uninstall the Agent before deactivating it?

A: Yes. We recommend uninstalling an Agent before deactivating it: an Agent that is still installed can come Online and cause the endpoint to reappear in the Endpoints table.

Q: When Arctic Wolf Agent is uninstalled, what happens to the device and associated risks in the Portal and Risk Dashboard?

A: When Agent is uninstalled, the device and its associated risks are automatically removed from visibility in the Arctic Wolf Portal and the Risk Dashboard. This affects visibility only; the stored data is not deleted.

Q: What happens if the Agent that I deactivate is still in use?

A: If you remove an Agent from the Arctic Wolf Portal while it is still installed on a system, the endpoint reappears in the Endpoints table the next time it is Online.

Q: Does data get deleted if I remove an Agent from the Endpoints table?

A: No. Removing an Agent from the Endpoints table does not delete the existing data for that endpoint from Arctic Wolf's internal databases.

Q: Should I deactivate Agents if they are contained?

A: No. You are not required to deactivate Agents that are contained, and we recommend keeping them in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Q: Are any Agents automatically removed from the Endpoints table?

A: Yes. Any device that has not been Online for 90 days is automatically removed from the Endpoints table. It reappears in the table the next time the Agent on it is detected as Online.