Arctic Wolf Agent Host Containment

Overview of Arctic Wolf Agent Containment Direct link to this section

Containment is a feature of our Managed Detection and Response (MDR) service that allows Arctic Wolf® to isolate network traffic on the Windows Agent host.

Arctic Wolf Agent Containment Driver on Windows Direct link to this section

Agent containment requires that you install the Arctic Wolf Agent Containment Driver.

Requirements Direct link to this section

• Arctic Wolf Agent version 2023-01
• Supported operating systems:
  • Desktop:
    • Windows 10 and 11
  • Server:
    • Windows Server 2012 R2, 2016, 2019, and 2022

Install the Arctic Wolf Agent Containment Driver Direct link to this section

1. Install the Arctic Wolf Agent Containment Driver.
2. (Optional) Verify the installation.
3. (Optional) Verify containment availability.

Step 1: Install the Arctic Wolf Agent Containment Driver Direct link to this section

Using the Arctic Wolf Unified Portal is the preferred installation method to manage and automatically update the Agent Containment Driver.

1. Sign in to the Arctic Wolf Unified Portal.

2. Go to Telemetry Management > Agents.

3. Select one or more Agents.

4. Click Enable Driver Updates.

   A notification indicates that the driver is enabled. The Containment Driver status changes to Installation Pending.

You can optionally install the Agent Containment driver using an msi file. See Agent Containment - Manual Installation for more information.

Step 2: (Optional) Verify the installation Direct link to this section

1. Verify in Windows Services that the Arctic Wolf Agent Containment service is installed and running.
2. If you installed the Containment Driver using the Arctic Wolf Dashboard, verify that the Containment Driver status in the Arctic Wolf Dashboard displays the driver version number, for example v1.2.5.

Step 3: (Optional) Verify containment availability Direct link to this section

• Contact your CST to verify that containment is working correctly.

  See Contact your Concierge Security Team in the Managed Detection and Response Dashboard.

Uninstall the Arctic Wolf Containment Driver Direct link to this section

You must uninstall the Containment Driver using the same method that was used to install the Containment Driver.

1. Sign in to Arctic Wolf Unified Portal.

2. Go to Telemetry Management > Agents.

3. Select one or more Agents.

4. Click Disable Driver Updates.

   A notification indicates the driver is uninstalled.

To uninstall the Containment Driver that used the msi file for install, see Agent Containment - Manual Installation.

Host notification of containment and containment removal Direct link to this section

When a host is successfully contained, a PowerShell pop up notification from Arctic Wolf appears notifying the user that “This machine has been quarantined.”

When host containment is removed, a PowerShell pop up notification from Arctic Wolf appears notifying the user that “This machine’s quarantine has been lifted.”

Troubleshooting the Arctic Wolf Agent Containment service installation Direct link to this section

See troubleshooting steps below for issues with Arctic Wolf Agent Containment service installation.

Collect log information Direct link to this section

You may need to collect additional log information when troubleshooting.

To collect the Agent containment log file:

1. Make a copy of C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client-manager.log.

2. Rename the copied file to <customername>-scout-client-manager.log.

3. Send the file to your CST.

   See Contact your Concierge Security Team in the Managed Detection and Response Dashboard.