Arctic Wolf Agent Containment Driver Installation

Updated Jul 31, 2023

Overview of Arctic Wolf Agent Containment

Containment is a feature of our Managed Detection and Response (MDR) service that allows Arctic Wolf® to isolate network traffic on the Windows Agent host.

Arctic Wolf Agent Containment Driver on Windows

Agent containment requires that you install the Arctic Wolf Agent Containment Driver.

Requirements

Install the Arctic Wolf Agent Containment Driver

  1. Install the Arctic Wolf Agent Containment Driver.
  2. (Optional) Verify the installation.
  3. (Optional) Verify containment availability.

Step 1: Install the Arctic Wolf Agent Containment Driver

Installing through the Arctic Wolf Unified Portal is the preferred method, because it lets Arctic Wolf manage and automatically update the Agent Containment Driver.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Go to Telemetry Management > Agents.

  3. Use the checkbox to select one or more Agents.

  4. Click Enable Driver Updates.

    A notification indicates that the driver is enabled. The Containment Driver status changes to Installation Pending.

Note: You do not need to restart your services after installing the Agent Containment Driver.

You can optionally install the Agent Containment Driver using an msi file. See Agent Containment - Manual Installation for more information.

Step 2: (Optional) Verify the installation

  1. Verify in Windows Services that the Arctic Wolf Agent Containment service is installed and running.
  2. If you installed the Containment Driver using the Arctic Wolf Dashboard, verify that the Containment Driver status in the Arctic Wolf Dashboard displays the driver version number, for example v1.2.5.

Step 3: (Optional) Verify containment availability

Uninstall the Arctic Wolf Containment Driver

You must uninstall the Containment Driver using the same method that was used to install the Containment Driver.

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Go to Telemetry Management > Agents.

  3. Use the checkbox to select one or more Agents.

  4. Click Disable Driver Updates.

    A notification indicates that the driver is uninstalled.

To uninstall a Containment Driver that was installed using the msi file, see Agent Containment - Manual Installation.

Host notification of containment and containment removal

When a host is successfully contained, a PowerShell pop-up notification from Arctic Wolf appears, notifying the user that “This machine has been quarantined.”

When host containment is removed, a PowerShell pop-up notification from Arctic Wolf appears, notifying the user that “This machine’s quarantine has been lifted.”

Troubleshooting the Arctic Wolf Agent Containment service installation

See the troubleshooting steps below for issues with the Arctic Wolf Agent Containment service installation.

Collect log information

You may need to collect additional log information when troubleshooting.

To collect the Agent containment log file:

  1. Make a copy of C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client-manager.log.

  2. Rename the copied file to <customername>-scout-client-manager.log.

  3. Send the file to your CST.

    See Contact your Concierge Security Team in the Arctic Wolf Portal.
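The following PowerShell script is an added example, not an Arctic Wolf tool: it performs the Step 2 service check and the log-collection steps above in one run. It assumes the service's display name contains "Arctic Wolf Agent Containment" (the page does not state the internal service name), uses the log path given on this page, and takes the customer name as a parameter.

```powershell
# Added example (not Arctic Wolf's own tooling): checks the containment service
# (Step 2) and collects the Agent log ("Collect log information").
# Assumptions: the service display name contains "Arctic Wolf Agent Containment";
# the log path is the one given on the page; $CustomerName and $OutDir are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$CustomerName,
    [string]$OutDir = (Join-Path $env:TEMP 'aw-containment')
)

$ErrorActionPreference = 'Stop'
$logPath = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client-manager.log'

# Step 2 check: the containment service should be present and Running.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Arctic Wolf Agent Containment*' }
if (-not $svc) {
    Write-Warning 'Arctic Wolf Agent Containment service is not installed on this host.'
} else {
    foreach ($s in $svc) {
        $state = if ($s.Status -eq 'Running') { 'OK' } else { 'NOT RUNNING' }
        Write-Output ("{0}: {1} ({2})" -f $s.DisplayName, $s.Status, $state)
    }
}

# Log collection: copy (never move) the log, then rename it with the customer prefix.
if (-not (Test-Path -LiteralPath $logPath)) {
    Write-Warning "Log file not found at $logPath"
    return
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dest = Join-Path $OutDir ("{0}-scout-client-manager.log" -f $CustomerName)
Copy-Item -LiteralPath $logPath -Destination $dest

# Record a SHA-256 hash so the CST can confirm the file arrived intact.
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
Write-Output "Copied log to $dest"
Write-Output "SHA256: $hash"
```

Run it from an elevated PowerShell session, for example `.\Collect-ContainmentLog.ps1 -CustomerName ExampleCo`, then send the copied file from the output directory to your CST.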