Agent Release Notes

Your version of Arctic Wolf® Agent automatically updates when a new version of Agent is released. No action is required from you unless you need to update the allowlist of your Endpoint Detection and Response (EDR) solution. If you have additional questions or feedback, contact your Arctic Wolf Concierge Security® Team.

See Arctic Wolf Agent SHA-256 hash values for more information.

Version 2023-02

Release Date: Fall 2023

Features or Enhancements

• Wazuh module installed through the Content Delivery System (CDS) — The Agent events collection component Wazuh is now installed and updated separately through CDS for easier releases and upgrades.
• Kernel host containment allowlisting — When performing kernel host containment, specific processes can be set to bypass containment. This allows software that needs to communicate outside of host containment, such as VPNs, to continue functioning. Contact your Concierge Security Team (CST) to configure a host containment allowlist.
• Collected minimum, maximum, and average memory usage statistics for Agent health checks.
• Enabled automatic Agent restarts if memory exceeds 512 MB.
• Added validation for SHA-2 code signing on Windows 10 prior to installing Arctic Wolf Containment Service.
• Merged the base-agent.exe process into the scout-client.exe process and removed Arctic Wolf Base Agent service.

Bug Fixes

• Restricted validation checks to the Agent client.
• Resolved Agent memory leak.
• Resolved Agent error handling condition resulting in Agent duplication.
• Resolved Agent vendor architecture detection issue that identified specific x64 chipsets as x86 and may have prevented Agent scans from starting.

Version 2022.03.54

Release Date: September 13, 2023

• Resolved issues when upgrading Red Hat, CentOS, and other RPM-based Linux distributions. Fixes include:
  • Updated ossec.conf data sources.
  • Removed the net-tools package dependency.

Version 2023-01

Release Date: March 20, 2023

Features or Enhancements

• Content Delivery System (CDS)

  • Agent now has a content delivery system (CDS) that supports the downloading and installation of independent feature modules.
  • Added a new Agent uninstall executable for the CDS:
    • Directory: C:\Program Files (x86)\Arctic Wolf Networks\Agent\uninstall_modules.exe
    • File: uninstall_modules.exe

• Kernel Containment Module Support — From the Arctic Wolf® Unified Portal, you can now control how the Arctic Wolf Containment Driver is installed on endpoints. Contact your CST for self-managed deployment options.

  See Arctic Wolf Agent Host Containment and Arctic Wolf Agent Containment Driver Release Notes for more information.

• Virtual Desktop Infrastructure (VDI) Support — You can now deploy Agent on your non-persistent VDI for these solutions:

  • VMware Horizons

  • Citrix Workspaces

  • Windows Remote Desktop Services

    See Arctic Wolf Agent Installation on Windows for more information.

Bug Fixes

• Added missing logon session data to the audit logs.
• Improved the Agent logic to prevent it from uploading empty scan result files.
• Improved the date format of installed software rules so that dates display in a consistent format in the Managed Risk Dashboard.
• Resolved an issue in Agent that prevented some Windows hosts from generating a machine UUID during registration.
• Resolved an OS version collection issue in Agent where Windows 11 hosts reported as Windows 10.

Version 2022-03

Release Date: October 31, 2022

Features or Enhancements

• Added Agent executable validation.

• Added support for Managed Risk on German language Windows Endpoints.

• Added support for the following operating systems:

  • CentOS Stream 9
  • Debian 11.2
  • Linux Mint 20.3
  • Oracle Linux Server 8.5

• Added manual startup Windows services for Agent:

  • Arctic Wolf Agent
  • Arctic Wolf Base Agent

• Updated the ossec.conf file with additional Linux data collection to:

  • Increase process list output frequency.

  • List all network connections, including listening ports.

  • List new files and their hash values.

  • Capture bash command history.

    date; echo "5"; ps axfo pid,ppid,pcpu,pmem,vsz,rss,tt,stat,lstart,time,command --sort +etimes | awk '$5 != 0'
    find <dir_path> -maxdepth 3 -mmin -1 -size -50M -type f -exec sha1sum {} +; 
    netstat -tuapn -W | column -t
    date; echo "60"; find /home/*/.bash_history -mmin -1 -exec grep -e "$pattern" {} +;

    The customer needs to update bash.rc to include timestamp information on the bash command history for more accurate alerting data with the following command:

    echo "
    if [ -z "$HISTTIMEFORMAT" ]
      then export HISTTIMEFORMAT="%F %T "
    fi

• Added additional Windows executables:

  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\base-agent.exe or C:\Program Files\Arctic Wolf Networks\Agent\base-agent.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osquery.exe or C:\Program Files\Arctic Wolf Networks\Agent\plugins\osquery\osquery.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osqueryi.exe or C:\Program Files\Arctic Wolf Networks\Agent\plugins\osquery\osqueryi.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\systeminfo\systeminfo.exe or C:\Program Files\Arctic Wolf Networks\Agent\plugins\systeminfo\systeminfo.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\usb\usb.exe or C:\Program Files\Arctic Wolf Networks\Agent\plugins\usb\usb.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\wlan\wlan.exe or C:\Program Files\Arctic Wolf Networks\Agent\plugins\wlan\wlan.exe

Bug Fixes

• Changed the logic to use the correct sysmon version.
• Improved network connection verification to increase performance.
• Added functionality to check if an executable has a valid signature on the Windows client side to improve Agent security.
• Added all on-demand signature validation client checks to improve Agent security.
• Added scheduled executable validation checks during health checks to improve Agent security.
• Changed Linux uninstall command from yum remove to rpm --erase.
• Removed client-side vendor version calculations.
• Improved route containment to increase reliability.
• Improved Linux iptables containment initialization.
• Added retry logic to improve scan component downloads during scans.
• Removed the kardianos/service package.
• Added the OssecSvc kill process after install initialize to improve AutoUpdates process.
• Added functionality to drop Agent returned errors to improve containment processing requests.
• Updated outOfMemory check to differentiate between different heap space errors to increase performance.
• Added functionality to notify of failed Start or Stop containment for all Windows failures encountered to improve containment process.
• Added scan object debug_scan_flag to determine debug scans instead of health check response to increase performance.

Product Update July 2022

Release Date: July 13, 2022

Features or Enhancements

• Agent has implemented the scan operations capabilities with Managed Risk solution. It allows you to start, rescan, and stop with Agent.

Product Update June 2022

Release Date: June 15, 2022

Features or Enhancements

• Agent is supporting Windows Server 2022. It allows for the Agent to support host isolation containment, event collection, audit data collection, and vulnerability scans for Windows Server 2022.

Version 2022-01

Release Date: March 28, 2022

Features or Enhancements

• Granular Timers — Increase timers for scanning controls to allow for starting and stopping of Agent scans to 1 minute granularity.
• Working Directory Change — Changed the temporary working directory for scanning to the Arctic Wolf Networks directories away from Windows temporary directory.

  Note: If you required \Windows\Temp to be in the allowlist to enable Agent to function properly, you will need to add C:\Program Files\Arctic Wolf Networks\Agent to the AllowList on your EDR or AV console before March 28, 2022. We also suggest taking \Windows\Temp out of the AllowList if it was used there.

Bug Fixes

• Released a patch for Windows 10 IOT and Windows 8.1 that resolves the issue that prevented scanning from reporting back to our cloud.

Product Update January 2022

Release Date: January 12, 2022

Features or Enhancements

• Arctic Wolf now offers support for Linux-based Detection and Response through Agent. Agent supports the following Linux Distributions:

  • Ubuntu — Version 16.04, 18.04, and 20.04

  • Red Hat — Version 7 or 8

  • CentOS — Version 7 or 8

    Note: Vulnerability scanning is not supported on CentOS.

  • Amazon Linux — Version 2

See also

• Arctic Wolf Agent Installation
• Arctic Wolf Agent Processes
• Arctic Wolf Agent Diagnostic Scans
• Arctic Wolf Unified Portal