Arctic Wolf Agent Installation on a Single Endpoint
Updated Jul 31, 2023
Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:
- Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
- Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.
You can install a single instance of Arctic Wolf Agent on Windows, macOS, or Linux.
Tip: To perform a bulk installation of Agent, see Agent installation options.
Requirements
- Administrator permissions or the ability to perform administrator or root level functions
Supported operating systems
- Windows:
  - Windows 11 for 64-bit systems
  - Windows 10 Pro, 8.1, 8, and 7 Enterprise for 64-bit and 32-bit systems
  - Windows Server 2022, 2019, 2016, 2012 R2, 2012, and 2008 R2 for 64-bit systems
  - Windows 11 IoT, Windows 10 IoT, and 8.1 Embedded for 64-bit systems
  Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:
  - Windows 8.1 or newer for 64- and 32-bit systems
  - Windows Server 2012 or newer for 64-bit systems
- macOS:
  - macOS 10.14 or newer for 64-bit systems
- Linux:
  - Amazon Linux 2
  - CentOS 7 and 8
  - CentOS Stream 9
  - Debian 11.2 (Stable)
  - Linux Mint 20.3
  - Oracle Linux 8.5
  - Red Hat 7 and 8
  - Ubuntu 16.04, 18.04, 20.04, and 22.04
  Note: Vulnerability scanning is not supported on CentOS.
System requirements
- At a minimum, dual-core CPU
- x64 or x86 processor
- At a minimum, 2 GB of memory
Notes:
- Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
- Agent does not support ARM architecture.
Networking requirements
- Ports 443 and 1514 outbound open
- Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.
Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.
Download the Agent installer
- In the Arctic Wolf Portal, click Accounts > Downloads.
- Under Endpoint Agent, select the desired Operating System option.
- Click Download Agent.
- Extract the Arctic Wolf Agent .zip contents into the same folder. These contents vary depending on operating system, including:
  - Windows — The .msi file and the customer.json file.
  - macOS — The .pkg file and the customer.json file.
  - Linux — The arcticwolfagent_<version>.<deb|rpm> package file and the customer.json file.
  Caution:
  - Do not make any edits to the customer.json file. Editing this file causes installation errors.
  - Do not save the Agent installer or customer.json to publicly accessible storage. customer.json should be kept confidential.
Install Agent on Windows or macOS
- Right-click the installation file for your operating system:
  - Windows — .msi
  - macOS — .pkg
- Click Run to run the installation.
- Follow the prompts to proceed with the installation.
- Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team to confirm that Agent data is reaching Arctic Wolf.
Install Agent on Linux
- Run the command appropriate for your operating system:
  - Ubuntu:
    sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=/tmp/customer.json apt install ./arcticwolfagent_<version>.deb
  - Red Hat, CentOS, or Amazon Linux:
    sudo AWN_CUSTOMER_JSON=/tmp/customer.json yum install arcticwolfagent_<version>.rpm
  Note: Ensure that the customer.json path is specified correctly. If you receive any errors pertaining to the customer.json file, see Troubleshooting Arctic Wolf Agent on Linux.
- Contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team to confirm that Agent data is reaching Arctic Wolf.
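Added example, not Arctic Wolf code: a pre-install check for the Linux procedure above that enforces the customer.json caution from the download section (the file is confidential and its path must be correct) before printing the matching install command from this page. The function name awn_preflight is hypothetical, the permission policy (no group or other access) is an assumption about what "confidential" should mean on disk, and paths are assumed to contain no spaces. The function only prints the command; it does not run it.

```shell
#!/bin/sh
# Added example: pre-install checks for the Linux install procedure.
# awn_preflight is a hypothetical helper name, not an Arctic Wolf tool.
# Usage: sh preflight.sh /path/to/customer.json ./arcticwolfagent_<version>.deb
awn_preflight() {
    json=$1
    pkg=$2
    case "$json$pkg" in
        *" "*) echo "error: paths containing spaces are not handled" >&2; return 1 ;;
    esac
    # customer.json must be a regular file, not a symlink that could be re-pointed.
    if [ -L "$json" ] || [ ! -f "$json" ]; then
        echo "error: $json is missing or is not a regular file" >&2
        return 1
    fi
    # Accept only modes with no group/other bits, for example 600 or 400.
    # stat -c is the GNU form, as found on the Linux distributions listed.
    mode=$(stat -c '%a' "$json") || return 1
    case "$mode" in
        *00) ;;
        *) echo "error: $json has mode $mode; restrict it with chmod 600" >&2; return 1 ;;
    esac
    if [ ! -f "$pkg" ]; then
        echo "error: package $pkg not found" >&2
        return 1
    fi
    # Make the package path explicit so the package manager treats it as a local file.
    case "$pkg" in
        /*|./*) ;;
        *) pkg="./$pkg" ;;
    esac
    # Print the install command from this page for the package type.
    case "$pkg" in
        *.deb) echo "sudo DEBIAN_FRONTEND=noninteractive AWN_CUSTOMER_JSON=$json apt install $pkg" ;;
        *.rpm) echo "sudo AWN_CUSTOMER_JSON=$json yum install $pkg" ;;
        *) echo "error: $pkg is not a .deb or .rpm package" >&2; return 1 ;;
    esac
}

# Run the check when the script is called with both arguments.
if [ "$#" -ge 2 ]; then
    awn_preflight "$1" "$2"
fi
```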
Uninstall an individual Agent client
- Follow the instructions for your operating system:
Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.
Uninstall Agent on Windows
- Open Control Panel and click Programs and Features.
- Locate the Agent application in the list.
- Click on the application in the list, and then click Uninstall.
- Follow the prompts to proceed with the uninstallation.
Uninstall Agent on macOS
- Open the terminal.
- Run this command to uninstall Agent:
  sudo ~/Library/ArcticWolfNetworks/Agent/uninstall.sh
Uninstall Agent on Linux
- Run the appropriate command for your operating system:
  - Ubuntu:
    sudo apt remove arcticwolfagent
  - Red Hat, CentOS, or Amazon Linux:
    sudo yum remove arcticwolfagent
- (Optional) If you are not reinstalling Agent, remove the /var/arcticwolfnetworks/agent folder from your device.
Agent deactivation
You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.
Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.
Contained Agent deactivation
You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.
You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.
Tip: You can only remove endpoints that have not checked in for 72 hours.
Automatic Agent deactivation and activation
Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.
Deactivate an Agent
If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).
Note: You cannot make these changes in the Risk Dashboard.
- Confirm that the Agent is uninstalled from the device.
- On the Arctic Wolf Portal, click Endpoint Status.
- In the Endpoints table, click Remove offline endpoint on the appropriate device.
  Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.
- In the dialog, click Remove Endpoint.
Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.