Arctic Wolf Agent Containment Driver Installation
Updated Jul 31, 2023
- Overview of Arctic Wolf Agent Containment
- Arctic Wolf Agent Containment Driver on Windows
- Install the Arctic Wolf Agent Containment Driver
- Uninstall the Arctic Wolf Containment Driver
- Host notification of containment and containment removal
- Troubleshooting the Arctic Wolf Agent Containment service installation
- Collect log information
Overview of Arctic Wolf Agent Containment
Containment is a feature of our Managed Detection and Response (MDR) service that allows Arctic Wolf® to isolate network traffic on the Windows Agent host.
Arctic Wolf Agent Containment Driver on Windows
Agent containment requires that you install the Arctic Wolf Agent Containment Driver.
Requirements
- Arctic Wolf Agent version 2023-01
- Supported operating systems:
  - Desktop: Windows 10 and 11
  - Server: Windows Server 2012 R2, 2016, 2019, and 2022
Install the Arctic Wolf Agent Containment Driver
- Install the Arctic Wolf Agent Containment Driver.
- (Optional) Verify the installation.
- (Optional) Verify containment availability.
Step 1: Install the Arctic Wolf Agent Containment Driver
Using the Arctic Wolf Unified Portal is the preferred installation method to manage and automatically update the Agent Containment Driver.
- Sign in to the Arctic Wolf Unified Portal.
- Go to Telemetry Management > Agents.
- Use the checkbox to select one or more Agents.
- Click Enable Driver Updates.
  A notification indicates that the driver is enabled. The Containment Driver status changes to Installation Pending.
Note: You do not need to restart your services after installing the Agent Containment Driver.
You can optionally install the Agent Containment Driver using an MSI file. See Agent Containment - Manual Installation for more information.
Step 2: (Optional) Verify the installation
- Verify in Windows Services that the Arctic Wolf Agent Containment service is installed and running.
- If you installed the Containment Driver using the Arctic Wolf Dashboard, verify that the Containment Driver status in the Arctic Wolf Dashboard displays the driver version number, for example v1.2.5.
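The following PowerShell snippet is an added example for the service check in Step 2; it is not Arctic Wolf tooling. It looks the service up by display name, reports whether it is running, and checks that the service binary carries an Authenticode signature, which is what you would expect of a vendor-supplied component. The display-name pattern is an assumption: adjust it to match the name shown in Windows Services on your host.

```powershell
# Added example (not Arctic Wolf's own tooling): confirm that the Arctic Wolf
# Agent Containment service is installed and running, as Step 2 describes.
# ASSUMPTION: the display-name pattern; change it to match Windows Services.
$pattern = "*Arctic Wolf*Containment*"

$services = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue

if (-not $services) {
    Write-Warning "No service matching '$pattern' is installed. The Containment Driver may still be Installation Pending in the portal."
    exit 1
}

foreach ($svc in $services) {
    "{0} ({1}): {2}, start type {3}" -f $svc.DisplayName, $svc.Name, $svc.Status, $svc.StartType
    if ($svc.Status -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is installed but not running."
    }

    # Locate the service binary and confirm it is signed.
    $ci = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    if ($ci.PathName -match '^"([^"]+)"') {
        $exe = $Matches[1]               # quoted path, possibly followed by arguments
    } else {
        $exe = ($ci.PathName -split ' ')[0]   # unquoted path without spaces
    }

    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        "  Binary: {0}" -f $exe
        "  Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
    } else {
        Write-Warning "  Could not resolve service binary from '$($ci.PathName)'."
    }
}
```

Run it from an elevated PowerShell prompt so that the service query and signature check can read the binary under Program Files. A non-zero exit code when no matching service exists makes the check easy to fold into a deployment validation script.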
Step 3: (Optional) Verify containment availability
- Contact your CST to verify that containment is working correctly. See Contact your Concierge Security Team in the Arctic Wolf Portal.
Uninstall the Arctic Wolf Containment Driver
You must uninstall the Containment Driver using the same method that was used to install the Containment Driver.
- Sign in to the Arctic Wolf Unified Portal.
- Go to Telemetry Management > Agents.
- Use the checkbox to select one or more Agents.
- Click Disable Driver Updates.
  A notification indicates that the driver is uninstalled.
To uninstall a Containment Driver that was installed from the MSI file, see Agent Containment - Manual Installation.
Host notification of containment and containment removal
When a host is successfully contained, a PowerShell pop-up notification from Arctic Wolf appears notifying the user that “This machine has been quarantined.”
When host containment is removed, a PowerShell pop-up notification from Arctic Wolf appears notifying the user that “This machine’s quarantine has been lifted.”
Troubleshooting the Arctic Wolf Agent Containment service installation
See the troubleshooting steps below for issues with the Arctic Wolf Agent Containment service installation.
Collect log information
You may need to collect additional log information when troubleshooting.
To collect the Agent containment log file:
- Make a copy of C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client-manager.log.
- Rename the copied file to <customername>-scout-client-manager.log.
- Send the file to your CST. See Contact your Concierge Security Team in the Arctic Wolf Portal.
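The following PowerShell script is an added example of the log collection procedure above; it is not Arctic Wolf tooling. It copies the Agent containment log from the path given above, renames the copy with your customer name, and records the copy's size and SHA-256 hash so your CST can confirm the file arrived intact. The `-Destination` parameter and its default are assumptions.

```powershell
# Added example (not Arctic Wolf's own tooling): copy and rename the Agent
# containment log as described in "Collect log information".
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._-]+$')]   # keep the value safe to use in a file name
    [string]$CustomerName,

    # ASSUMPTION: where to place the renamed copy; any folder you can send from.
    [string]$Destination = (Join-Path $env:USERPROFILE 'Desktop')
)

# Log path as given in the procedure above.
$source = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client-manager.log'

if (-not (Test-Path -LiteralPath $source)) {
    throw "Log file not found at '$source'. Check that the Arctic Wolf Agent is installed on this host."
}

# Target name follows the <customername>-scout-client-manager.log convention.
$target = Join-Path $Destination ("{0}-scout-client-manager.log" -f $CustomerName)

# Copy rather than move so the Agent keeps writing to its original log file.
Copy-Item -LiteralPath $source -Destination $target -Force

# Hash the copy so the recipient can verify integrity of what they receive.
$hash = Get-FileHash -LiteralPath $target -Algorithm SHA256

[pscustomobject]@{
    File      = $target
    SizeBytes = (Get-Item -LiteralPath $target).Length
    SHA256    = $hash.Hash
}
```

Save it as, for example, Collect-ContainmentLog.ps1 and run `.\Collect-ContainmentLog.ps1 -CustomerName ExampleCorp` from an elevated prompt; include the printed hash when you send the file to your CST.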