Arctic Wolf Agent Debug Scans on Windows

Updated Feb 22, 2024

Run an Arctic Wolf Agent Debug Scan on Windows

You can run an Arctic Wolf® Agent debug scan to get more details about how a vulnerability was detected on a device.

Steps

  1. On the device, create a copy of the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval.ini file, and rename it to oval_copy.ini.

  2. In a text editor, open the new oval_copy.ini file.

    Note: You might need administrator permissions to open this file for editing.

  3. In the file, find the section starting with [Report: Target results -> JSON events].

    [Report: Target results -> JSON events]
    export.dir: scans/reports/vulnerability
    input.type: arf
    output.extension: json
    transform.file: scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl

  4. Copy this content, and then replace the entire section that you found in the previous step:

    [Report: Raw ARF report]
    export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
    input.type: arf
    output.extension: arf.xml
    
    [Report: Diagnostic HTML report]
    export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
    input.type: xccdf_results#failureDiag
    output.extension: diagnostic.html
    transform.file: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\xccdf_results_to_html.xsl
    
    [Report: Annotated HTML report]
    export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
    input.type: json#annotated
    output.extension: annotated.html
    transform.file: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\hostscan_json_to_html.js

    Notes:

    • When editing the INI file, make sure the syntax is correct, and that export.dir, input.type, output.extension, and transform.file are on separate lines.
    • To only review results that failed vulnerability scanning checks, set the input.type field in the Report: Diagnostic HTML report section to xccdf_results#failureDiag.
    • To review all successful and failed vulnerability scanning tests, set the input.type field in the Report: Diagnostic HTML report section to xccdf_results#diagnostic. The file size will be larger than the file size for a section that is set to xccdf_results#failureDiag.

  5. Open a command prompt with administrator permissions.

  6. Copy this command, including the double quotation marks, into the command prompt and run it to perform the scan:

    "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\jre\jre\bin\java.exe" -Xmx4096m -Djoval.shellcommandAdapter.enable=true -Djoval.diagnostics.maxCount=2000 -Dlicense.file="C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\arcticwolf.com.sig.xml" -jar "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\Scan-Utilities.jar" scan -c "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval_copy.ini"

    Note: For a 64-bit OS, if you receive an insufficient memory error, the device needs 6 GB of memory available. To expand the memory size from 4 GB to 6 GB, change the -Xmx4096m option in the command to -Xmx6144m.

  7. Wait for the scan to complete, and then look for the output files in the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability\ folder.

    Note: To view the scan progress, you might need to press Enter in the command or terminal window during the scan.

    The scan generates these files:

    • Raw XML output (default filename LOCALHOST.arf.xml)
    • HTML Diagnostic Vulnerability long form report (default filename LOCALHOST.diagnostic.html)
    • HTML Annotated report (default filename LOCALHOST.annotated.html)

  8. Upload the raw XML output, HTML Diagnostic Vulnerability long form report, and HTML Annotated report to Arctic Wolf. Use the link that your Concierge Security® Team (CST) provided. If you do not have a link, contact your CST at security@arcticwolf.com.

  9. (Optional) Open the HTML Annotated report in a browser and click Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.

    Tip: See the Risk Dashboard User Guide to interpret the report results.
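The procedure above (steps 1 through 7), automated as an added PowerShell example. This script is not Arctic Wolf's own tooling; it assumes the default Agent install path C:\Program Files (x86)\Arctic Wolf Networks\Agent and the file names shown in the steps, and the function names are this example's own. It copies oval.ini to oval_copy.ini, swaps the [Report: Target results -> JSON events] section for the three debug report sections from step 4, runs the step 6 command from an elevated session, and then checks that the three output files from step 7 exist.

```powershell
# Added example, not Arctic Wolf code. Assumes the default Agent install path
# and the file names from the procedure above.
$AgentRoot = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent'

function Test-IsAdministrator {
    # Steps 2 and 5 need administrator rights (Program Files is write-protected for users).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-DebugScanConfig {
    param(
        [string]$AgentRoot,
        [switch]$AllTests   # set to use xccdf_results#diagnostic (all tests, larger file)
    )
    $source  = Join-Path $AgentRoot 'scans\oval.ini'
    $target  = Join-Path $AgentRoot 'scans\oval_copy.ini'
    $reports = Join-Path $AgentRoot 'scans\reports\vulnerability'
    $tools   = Join-Path $AgentRoot 'scans\scan-utility\tools'
    $diagType = if ($AllTests) { 'xccdf_results#diagnostic' } else { 'xccdf_results#failureDiag' }

    # The three report sections from step 4, one key per line as the note requires.
    $debugSections = @(
        '[Report: Raw ARF report]',
        "export.dir: $reports",
        'input.type: arf',
        'output.extension: arf.xml',
        '',
        '[Report: Diagnostic HTML report]',
        "export.dir: $reports",
        "input.type: $diagType",
        'output.extension: diagnostic.html',
        "transform.file: $tools\xccdf_results_to_html.xsl",
        '',
        '[Report: Annotated HTML report]',
        "export.dir: $reports",
        'input.type: json#annotated',
        'output.extension: annotated.html',
        "transform.file: $tools\hostscan_json_to_html.js",
        ''
    )

    $header   = '[Report: Target results -> JSON events]'
    $output   = New-Object System.Collections.Generic.List[string]
    $found    = $false
    $skipping = $false
    foreach ($line in (Get-Content -LiteralPath $source)) {
        if ($line.Trim() -eq $header) {
            # Replace the whole section: emit the debug sections, then drop the
            # original section's lines until the next [section] header.
            $found    = $true
            $skipping = $true
            $output.AddRange([string[]]$debugSections)
            continue
        }
        if ($skipping -and $line.Trim().StartsWith('[')) { $skipping = $false }
        if (-not $skipping) { $output.Add($line) }
    }
    if (-not $found) { throw "Section '$header' not found in $source" }
    Set-Content -LiteralPath $target -Value $output.ToArray()
    return $target
}

function Invoke-AgentDebugScan {
    param([string]$AgentRoot, [string]$ConfigIni, [int]$HeapMb = 4096)
    $java    = Join-Path $AgentRoot 'scans\jre\jre\bin\java.exe'
    $jar     = Join-Path $AgentRoot 'scans\scan-utility\Scan-Utilities.jar'
    $license = Join-Path $AgentRoot 'scans\scan-utility\arcticwolf.com.sig.xml'
    # Same options as the step 6 command; PowerShell quotes arguments containing spaces.
    $javaArgs = @(
        "-Xmx${HeapMb}m",
        '-Djoval.shellcommandAdapter.enable=true',
        '-Djoval.diagnostics.maxCount=2000',
        "-Dlicense.file=$license",
        '-jar', $jar,
        'scan', '-c', $ConfigIni
    )
    & $java @javaArgs
    return $LASTEXITCODE
}

function Get-DebugScanOutput {
    param([string]$AgentRoot)
    # The three files step 7 says the scan generates.
    $reports = Join-Path $AgentRoot 'scans\reports\vulnerability'
    foreach ($name in 'LOCALHOST.arf.xml', 'LOCALHOST.diagnostic.html', 'LOCALHOST.annotated.html') {
        $path = Join-Path $reports $name
        [pscustomobject]@{ File = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

if (-not (Test-IsAdministrator)) { throw 'Run this script from an elevated PowerShell session.' }
$config = New-DebugScanConfig -AgentRoot $AgentRoot
# On an insufficient memory error (step 6 note), rerun with -HeapMb 6144.
$exit = Invoke-AgentDebugScan -AgentRoot $AgentRoot -ConfigIni $config
Write-Host "Scan-Utilities exit code: $exit"
Get-DebugScanOutput -AgentRoot $AgentRoot | Format-Table -AutoSize
```

Run the script from an elevated PowerShell window; as in step 7, you may need to press Enter in the window to see scan progress. Add -AllTests to the New-DebugScanConfig call to produce the larger xccdf_results#diagnostic report instead of the failure-only one, and pass -HeapMb 6144 to Invoke-AgentDebugScan if the scan reports insufficient memory. Step 8 (uploading the three files to your CST) is still done by hand.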
