Agent Release Notes

Your version of Arctic Wolf® Agent automatically updates when a new version of Agent is released. No action is required from you, unless you need to update the allowlist of your Endpoint Detection and Response (EDR) solution. Contact your Arctic Wolf Concierge Security® Team (CST) at security@arcticwolf.com if you have questions or feedback.

Based on your operating system, see the appropriate release notes:

• Windows
• Linux

See Arctic Wolf Agent SHA-256 hash values for more information.

Windows

These release notes are for Agent on Windows.

Version 2023-02_137

Release Date: Nov 16, 2023

Bug Fixes

• Resolved an issue where the MachineGUID and WMI GUID values did not change as expected for certain VDI and cloning situations, resulting in multiple Agents reporting under the same Agent identifier.

Version 2023-02_135

Release Date: Oct 11, 2023

Bug Fixes

• Resolved an issue that could cause the Sysmon status in the Arctic Wolf Unified Portal to be incorrect.
• Resolved an issue where Agent could crash while offline.

Version 2023-02_130

Release Date: Fall 2023

Features or Enhancements

• Wazuh module installed through the Content Delivery System (CDS) — The Agent events collection component, Wazuh, is now installed and updated separately through CDS for easier releases and upgrades.
• Kernel host containment allowlisting — When performing kernel host containment, specific processes can be set to bypass containment. This allows software that needs to communicate outside of host containment, for example VPNs, to continue functioning. Contact your CST at security@arcticwolf.com to configure a host containment allowlist.
• Collected minimum, maximum, and average memory usage statistics for Agent health checks.
• Enabled automatic Agent restarts if memory exceeds 512 MB.
• Added validation for SHA-2 code signing on Windows 10 prior to installing Arctic Wolf Containment Service.
• Merged the base-agent.exe process into the scout-client.exe process, and removed Arctic Wolf Base Agent service.

Bug Fixes

• Restricted validation checks to the Agent client.
• Resolved Agent memory leak.
• Resolved Agent error handling condition that resulted in Agent duplication.
• Resolved Agent vendor architecture detection issue that identified specific x64 chipsets as x86, and might have prevented Agent scans from starting.

Version 2023-01_05

Release Date: March 20, 2023

Features or Enhancements

• Content Delivery System (CDS)

  • Agent now has a content delivery system (CDS) that supports the downloading and installation of independent feature modules.
  • Added a new Agent uninstall executable for the CDS:
    • Directory: C:\Program Files (x86)\Arctic Wolf Networks\Agent\uninstall_modules.exe
    • File: uninstall_modules.exe

• Kernel Containment Module Support — You can now control how the Arctic Wolf Containment Driver is installed on endpoints from the Arctic Wolf Unified Portal. Contact your CST at security@arcticwolf.com for self-managed deployment options.

  See Arctic Wolf Agent Host Containment and Arctic Wolf Agent Containment Driver Release Notes for more information.

• Virtual Desktop Infrastructure (VDI) Support — You can now deploy Agent on your non-persistent VDI for these solutions:

  • VMware Horizons

  • Citrix Workspaces

  • Windows Remote Desktop Services

    See Install Arctic Wolf Agent on non-persistent Windows VDIs for more information.

Bug Fixes

• Added missing logon session data to the audit logs.
• Improved the Agent logic to prevent it from uploading empty scan result files.
• Improved the date format of installed software rules so that dates display in a consistent format in the Risk Dashboard.
• Resolved an issue in Agent that prevented some Windows hosts from generating a machine UUID during registration.
• Resolved an operating system (OS) version collection issue in Agent, where Windows 11 hosts reported as Windows 10.

Version 2022-03_52

Release Date: October 31, 2022

Features or Enhancements

• Added Agent executable validation.

• Added support for Managed Risk on German language Windows endpoints.

• Added manual startup Windows services for Agent:

  • Agent
  • Arctic Wolf Base Agent

• Added more Windows executables:

  Note: Windows 32-bit devices have the path C:\Program Files\Arctic Wolf Networks\Agent.

  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\base-agent.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osquery.exe (64-bit only)
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osqueryi.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\systeminfo\systeminfo.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\usb\usb.exe
  • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\wlan\wlan.exe

Bug Fixes

• Added retry logic to improve scan component downloads during scans.
• Added functionality to drop Agent returned errors to improve containment processing requests.
• Added functionality to check if an executable has a valid signature on the Windows client side to improve Agent security.
• Added functionality to notify of failed start or stop containment for all Windows failures encountered to improve containment process.
• Added scan object debug_scan_flag to determine debug scans instead of health check response to increase performance.
• Added all on-demand signature validation client checks to improve Agent security.
• Added scheduled executable validation checks during health checks to improve Agent security.
• Changed the logic to use the correct Sysmon version.
• Updated outOfMemory check to differentiate between different heap space errors to increase performance.
• Improved network connection verification to increase performance.
• Improved route containment to increase reliability.
• Removed client-side vendor version calculations.
• Removed the kardianos/service package.

Product Update July 2022

Release Date: July 13, 2022

Features or Enhancements

• Agent implemented the scan operations capabilities with Managed Risk solution. You can start, rescan, and stop with Agent.

Product Update June 2022

Release Date: June 15, 2022

Features or Enhancements

• Agent supports Windows Server 2022. It allows for the Agent to support host isolation containment, event collection, audit data collection, and vulnerability scans for Windows Server 2022.

Version 2022-01_04

Release Date: March 28, 2022

Features or Enhancements

• Granular Timers — Increased timers for scanning controls to allow for starting and stopping of Agent scans to 1 minute granularity.

• Working Directory Change — Changed the temporary working directory for scanning to the Arctic Wolf Networks directories, instead of the Windows temporary directory.

  Note: If you required \Windows\Temp to be in the allowlist for Agent to function correctly, add C:\Program Files\Arctic Wolf Networks\Agent to the allowlist on your EDR and AV console before March 28, 2022. Arctic Wolf also recommends removing \Windows\Temp from the allowlist if it exists.

Bug Fixes

• Released a patch for Windows 10 IOT and Windows 8.1 that resolves the issue that prevented scanning from reporting back to our cloud.

Linux

These release notes are for Agent on Linux.

Version 2022.03.54

Release Date: September 13, 2023

Bug Fixes

• Resolved these issues that occurred when upgrading Red Hat, CentOS, and other RPM-based Linux distributions:
  • Updated ossec.conf data sources.
  • Removed the net-tools package dependency.

Version 2022.03

Release Date: October 31, 2022

Features or Enhancements

• Added support for these OS:
  • CentOS Stream 9
  • Debian 11.2
  • Linux Mint 20.3
  • Oracle Linux Server 8.5
• Updated the ossec.conf file with additional Linux data collection to:

  • Increase process list output frequency.

  • List all network connections, including listening ports.

  • List new files and their hash values.

  • Capture bash command history.

    date; echo "5"; ps axfo pid,ppid,pcpu,pmem,vsz,rss,tt,stat,lstart,time,command --sort +etimes | awk '$5 != 0'
    find <dir_path> -maxdepth 3 -mmin -1 -size -50M -type f -exec sha1sum {} +; 
    netstat -tuapn -W | column -t
    date; echo "60"; find /home/*/.bash_history -mmin -1 -exec grep -e "$pattern" {} +;

    You must update bash.rc to include timestamp information on the bash command history for more accurate alerting data.

    Run this command:

    echo "
    if [ -z "$HISTTIMEFORMAT" ]
      then export HISTTIMEFORMAT="%F %T "
    fi

Bug Fixes

• Added all on-demand signature validation client checks to improve Agent security.
• Added scheduled executable validation checks during health checks to improve Agent security.
• Added retry logic to improve scan component downloads during scans.
• Added the OssecSvc kill process after install initialize to improve AutoUpdates process.
• Added functionality to drop Agent returned errors to improve containment processing requests.
• Added functionality to notify of failed Start or Stop containment for all Windows failures encountered to improve containment process.
• Added scan object debug_scan_flag to determine debug scans instead of health check response to increase performance.
• Changed Linux uninstall command from yum remove to rpm --erase.
• Changed the logic to use the correct sysmon version.
• Updated outOfMemory check to differentiate between different heap space errors to increase performance.
• Improved network connection verification to increase performance.
• Improved route containment to increase reliability.
• Improved Linux iptables containment initialization.
• Removed the kardianos/service package.
• Removed client-side vendor version calculations.

Product Update January 2022

Release Date: January 12, 2022

Features or Enhancements

• Arctic Wolf now offers support for Linux-based Detection and Response through Agent. Agent supports these Linux Distributions:
  • Ubuntu — Version 16.04, 18.04, and 20.04
  • Red Hat — Version 7 and 8
  • CentOS — Version 7 and 8

    Note: Vulnerability scanning is not supported on CentOS.

  • Amazon Linux — Version 2