Agent Release Notes

Note:

Some release notes are listed as Product Update because they are small changes that are not included in the full Agent version release.

Your version of Arctic Wolf® Agent automatically updates when a new version of Agent is released. No action is required from you, unless you need to update the allowlist of your Endpoint Detection and Response (EDR) solution. Contact your Arctic Wolf Concierge Security® Team (CST) at security@arcticwolf.com if you have questions or feedback. For Agent Containment Driver release notes, see Agent Containment Driver Release Notes.

Based on your operating system, see the appropriate release notes:

See Arctic Wolf Agent hash values for more information.

Linux

These release notes are for Agent on Linux.

Version 2025.11.03

Release Date: December 15, 2025

Features or Enhancements

  • Improved Wazuh health check logic to resolve an issue where Agents were incorrectly reported as Degraded in the Unified Portal.
  • Added support for Risk Scan Engine resource constrained mode.
  • Added the capability to regenerate the Agent UUID if detected as shared by other Agent hosts.
  • This release does not apply to CentOS 8 and Ubuntu 16.04. These versions continue to be supported by Agent version 2025.03.13.

Version 2025.03.13

Release Date: April 28, 2025

Features or Enhancements

  • Added support for these Linux distributions:
    • AlmaLinux 8 and 9
    • Rocky Linux 8 and 9
  • Added a recovery process to handle corruption of the ossec.conf file.
  • Added a verification process to confirm that the Wazuh module restarted successfully.

Bug Fixes

  • Resolved an issue that prevented the Wazuh module from installing and upgrading on some Debian based distributions.
  • Resolved an issue that prevented a complete Wazuh uninstall on some RPM based distributions.
  • Resolved an issue causing high CPU utilization by the ossec-syscheckd process.

Product Update October 2024

Release Date: October 24, 2024

Features or Enhancements

  • Expanded the information collected to include Active Directory Domain data through the release of Arctic Wolf Agent for Linux Wazuh version v24.3.26.

Version 2024.02.84

Release Date: June 2024

Features or Enhancements

  • Content Delivery System (CDS)
    • Agent now has a content delivery system (CDS) that supports the downloading and installation of independent feature modules.
    • Added a new Agent uninstall executable for the CDS:
      • Directory: /var/arcticwolfnetworks/agent/bin/uninstall_modules
      • File: uninstall_modules
  • Wazuh module installed through the Content Delivery System (CDS) — The Agent events collection component, Wazuh v24.1.20, is now installed and updated separately through CDS for easier releases and upgrades.
  • Added log collection for Red Hat Linux distributions for /var/log/cron log entries.
  • Added support for SUSE Linux Enterprise Server (SLES) v15 and later.
  • Added support for Debian 12.
  • Added support for Managed Risk Vulnerability Evidence.

Bug Fixes

  • Added the DISABLE_AGENT_DESKTOP=true install option, so that admins can exclude the Agent desktop component from non-GUI Linux endpoints during installation.
  • Resolved an issue where the Operating System for Linux Agents appeared as blank or Unknown in the Risk Dashboard.
  • Updated ossec.conf data sources to address the Linux Agent client high CPU usage issue.

Version 2022.03.54

Release Date: September 13, 2023

Note:

This release is for Red Hat, CentOS, and other RPM-based Linux distributions only.

Bug Fixes

  • Resolved these issues that occurred when upgrading Red Hat, CentOS, and other RPM-based Linux distributions:
    • Updated ossec.conf data sources.
    • Removed the net-tools package dependency.

Version 2022.03

Release Date: October 31, 2022

Features or Enhancements

  • Added support for these OS:
    • CentOS Stream 9
    • Debian 11.2
    • Linux Mint 20.3
    • Oracle Linux Server 8.5
  • Updated the ossec.conf file with additional Linux data collection to:
    • Increase process list output frequency.
    • List all network connections, including listening ports.
    • List new files and their hash values.
    • Capture bash command history.

    date; echo "5"; ps axfo pid,ppid,pcpu,pmem,vsz,rss,tt,stat,lstart,time,command --sort +etimes | awk '$5 != 0'
    find <dir_path> -maxdepth 3 -mmin -1 -size -50M -type f -exec sha1sum {} +;
    netstat -tuapn -W | column -t
    date; echo "60"; find /home/*/.bash_history -mmin -1 -exec grep -e "$pattern" {} +;

    You must update bash.rc to include timestamp information on the bash command history for more accurate alerting data.

    Run this command:

    if [ -z "$HISTTIMEFORMAT" ]
      then export HISTTIMEFORMAT="%F %T "
    fi
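
Why the timestamp matters, as an added example that is not part of the Arctic Wolf release notes or Agent code: once HISTTIMEFORMAT is set, bash writes a #<epoch> line before each command in the history file, so a matched command can be tied to the time it ran. The function names, sample history, and match pattern are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): pair each command in a bash history file
# with the "#<epoch>" marker that bash writes before it when HISTTIMEFORMAT
# is set, and show what is lost for entries recorded without it.

# history_events FILE PATTERN
# Prints "<epoch or ->\t<command>" for every history line matching PATTERN
# (an awk extended regular expression). "-" means no timestamp was recorded.
history_events() {
    awk -v pat="$2" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }   # marker for the next entry
        {
            if ($0 ~ pat) printf "%s\t%s\n", (ts == "" ? "-" : ts), $0
            ts = ""                                 # a marker covers one entry
        }
    ' "$1"
}

# Constructed sample: two entries saved before HISTTIMEFORMAT was set,
# followed by two entries saved after it was set.
make_sample() {
    cat <<'EOF'
ls -la /tmp
chmod 600 notes.txt
#1700000000
useradd -m svc-backup
#1700000042
cat /etc/hostname
EOF
}

sample=$(mktemp)
make_sample > "$sample"
# The chmod entry has no usable time; the useradd entry carries its epoch.
history_events "$sample" 'chmod|useradd'
rm -f "$sample"
```

Entries reported with "-" can only be dated by the file's modification time, which is the gap the HISTTIMEFORMAT setting closes.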

Bug Fixes

  • Added all on-demand signature validation client checks to improve Agent security.
  • Added scheduled executable validation checks during health checks to improve Agent security.
  • Added retry logic to improve scan component downloads during scans.
  • Added an OssecSvc process kill after install initialization to improve the AutoUpdates process.
  • Added functionality to drop Agent returned errors to improve containment processing requests.
  • Added functionality to notify of failed Start or Stop containment for all Windows failures encountered to improve the containment process.
  • Added scan object debug_scan_flag to determine debug scans instead of health check response to increase performance.
  • Changed Linux uninstall command from yum remove to rpm --erase.
  • Changed the logic to use the correct Sysmon version.
  • Updated outOfMemory check to differentiate between different heap space errors to increase performance.
  • Improved network connection verification to increase performance.
  • Improved route containment to increase reliability.
  • Improved Linux iptables containment initialization.
  • Removed the kardianos/service package.
  • Removed client-side vendor version calculations.

Product Update January 2022

Release Date: January 12, 2022

Features or Enhancements

  • Arctic Wolf now offers support for Linux-based Detection and Response through Agent. Agent supports these Linux Distributions:
    • Ubuntu — Version 16.04, 18.04, and 20.04
    • Red Hat — Version 7 and 8
    • CentOS — Version 7 and 8
      Note:

      Vulnerability scanning is not supported on CentOS.

    • Amazon Linux — Version 2

macOS

These release notes are for Agent on macOS.

Version 2025-07_03

Release Date: September 2, 2025

Features or Enhancements

  • Added capture of installed software date.

Bug Fixes

  • Added validation for Agent user notification process on launch.
  • Resolved an issue that prevented a complete Wazuh uninstall.
  • Improved DNS query performance.

Version 2025-05_14

Release Date: June 2, 2025

Features or Enhancements

  • Added support for Risk Scan Engine resource constrained mode.
  • Added support for Apple Silicon (M-series) Native JRE for Risk Scan Engine.
  • Updated all signatures for the macOS app.
  • Reduced and optimized agent power consumption.

Bug Fixes

  • Resolved an issue where packet filtering conflicted with existing filtering rules.
  • Resolved an issue where connections in a connection pool were not correctly re-used.

Version 2025-02_12

Release Date: March 10, 2025

Features or Enhancements

  • Agent is available as a universal application and runs natively on both Apple silicon and Intel-based Mac computers.
    Note:
    • This release applies to macOS 11+.
    • For Managed Risk only — If your device uses ARM-based processors (M-series CPUs), Rosetta 2 is required to run the Risk Scan Engine.
    • All other macOS versions continue to be supported by Agent version 2024-03_88.

Bug Fixes

  • Resolved an issue that prevented the remote uninstall of Agent.

Version 2024-03_88

Release Date: October 24, 2024

Features or Enhancements

  • Expanded the information collected to include Active Directory Domain data.

Version 2024-01_27

Release Date: May 20, 2024

Features or Enhancements

  • Agent now has a content delivery system (CDS) that supports the downloading and installation of independent feature modules.
  • Added support for Managed Risk vulnerability evidence. For more information, see Product Updates.
  • Deprecated the Wazuh module. Connectivity over port 1514 is no longer required and all outbound traffic communicates over port 443.

Windows

These release notes are for Agent on Windows.

Version 2026-01_47

Release Date: April 24, 2026

Features or Enhancements

  • Upgraded Agent to a 64-bit executable.
  • Added support for the Managed Risk Resolve service for seamless remediation of risks.
  • Updated Agent containment pop-up notifications to not use PowerShell.
  • Increased the default HTTP client timeout for improved support of agents with slower download speeds.
  • Prevented Agent from being installed on Windows 32-bit operating systems. Agents on 32-bit operating systems continue to be supported by version 2025-08_19.
  • Added support for ARM architecture in emulated mode. The containment driver is not currently supported for ARM, and containment functions require Windows firewall to be enabled.

Bug Fixes

  • Resolved an issue where Sysmon version 15.20, under specific circumstances, was not displaying in the Unified Portal and the configuration did not download.
  • Ensured that the Agent installer's custom action DLL is signed to improve compatibility with security tools.
  • Changed scan content downloads to save directly within the agent directory, avoiding temporary directories and reducing antivirus alerts.
  • Resolved a panic while containing endpoints, under specific circumstances.
  • Resolved an issue that could prevent agents from connecting to Arctic Wolf under certain DNS configurations.

Version 2025-08_19

Release Date: October 14, 2025

Features or Enhancements

  • Improved Wazuh health check logic to resolve an issue where Agents were incorrectly reported as Degraded in the Unified Portal.

Bug Fixes

  • Resolved an issue where uninstallation details were briefly displayed on the console during the uninstall process.
  • Renamed systeminfo.exe to awn-systeminfo.exe to avoid naming conflicts with the native Windows utility.
  • Resolved an issue where Agent data was not transmitted during shutdown.
  • Resolved an issue where not all network interfaces were listed.
  • Resolved an issue that prevented Agent from being installed on Windows Server 2012 Core.

Version 2025-04_54

Release Date: May 28, 2025

Features or Enhancements

  • Added the capability to regenerate the Agent UUID if detected as shared by other Agent hosts.
  • Added a compatibility mechanism for restrictive environments with web filter software that prevented endpoint agents from being uncontained after network isolation. If applicable, contact your CST to enable this feature.
  • Added support for Risk Scan Engine resource constrained mode.

Bug Fixes

  • Resolved an issue that prevented the host operating system details from being reported.
  • Resolved an issue that caused files to remain after Agent was uninstalled.
  • Resolved an issue where Agent scans might fail and require a host reboot.
  • Resolved an issue where connections in a connection pool were not correctly re-used.

Version 2025-01_09

Release Date: April 9, 2025

Bug Fixes

  • Resolved an issue where some agents may incorrectly show as offline in the Unified Portal.

Version 2025-01_08

Release Date: February 18, 2025

Features or Enhancements

  • Updated osquery.
  • Improved the Wazuh restart process.
  • Improved upload reliability for Managed Risk Debug Scan files.
  • Enhanced access controls on Agent subfolders and files.
  • Added a recovery process when ossec.conf and client.keys become corrupt.
  • Added support for Windows Server 2025.
  • This release applies to Windows 10+ and Windows Server 2012+.

    Windows 7, 8, and 8.1 and Windows Server 2008 R2 continue to be supported by Agent version 2023-02_138.

Bug Fixes

  • Resolved an issue that caused a connectivity verification process to produce incorrect results for German locale.
  • Resolved an issue with DNS lookups of allowlisted domains.
  • Resolved an issue with VDI instant-clone.
  • Removed risks in the Risk Dashboard for deactivated agents.

Version 2023-02_138

Release Date: April 15, 2024

Features or Enhancements

  • Added support for Managed Risk vulnerability evidence. For more information, see Product Updates.
  • Added support for Microsoft Defender Antivirus log ingestion.

Version 2023-02_137

Release Date: November 16, 2023

Bug Fixes

  • Resolved an issue where the MachineGUID and WMI GUID values did not change as expected for certain VDI and cloning situations, resulting in multiple Agents reporting under the same Agent identifier.

Version 2023-02_135

Release Date: October 11, 2023

Bug Fixes

  • Resolved an issue that could cause the Sysmon status in the Arctic Wolf Unified Portal to be incorrect.
  • Resolved an issue where Agent could crash while offline.

Version 2023-02_130

Release Date: Fall 2023

Features or Enhancements

  • Wazuh module installed through the Content Delivery System (CDS) — The Agent events collection component, Wazuh, is now installed and updated separately through CDS for easier releases and upgrades.
  • Kernel host containment allowlisting — When performing kernel host containment, specific processes can be set to bypass containment. This allows software that needs to communicate outside of host containment, for example VPNs, to continue functioning. Contact your CST at security@arcticwolf.com to configure a host containment allowlist.
  • Collected minimum, maximum, and average memory usage statistics for Agent health checks.
  • Enabled automatic Agent restarts if memory exceeds 512 MB.
  • Added validation for SHA-2 code signing on Windows 10 prior to installing Arctic Wolf Containment Service.
  • Merged the base-agent.exe process into the scout-client.exe process, and removed Arctic Wolf Base Agent service.

Bug Fixes

  • Restricted validation checks to the Agent client.
  • Resolved Agent memory leak.
  • Resolved Agent error handling condition that resulted in Agent duplication.
  • Resolved Agent vendor architecture detection issue that identified specific x64 chipsets as x86, and might have prevented Agent scans from starting.

Version 2023-01_05

Release Date: March 20, 2023

Features or Enhancements

Bug Fixes

  • Added missing logon session data to the audit logs.
  • Improved the Agent logic to prevent it from uploading empty scan result files.
  • Improved the date format of installed software rules so that dates display in a consistent format in the Risk Dashboard.
  • Resolved an issue in Agent that prevented some Windows hosts from generating a machine UUID during registration.
  • Resolved an operating system (OS) version collection issue in Agent, where Windows 11 hosts reported as Windows 10.

Version 2022-03_52

Release Date: October 31, 2022

Features or Enhancements

  • Added Agent executable validation.
  • Added support for Managed Risk on German language Windows endpoints.
  • Added manual startup Windows services for Agent:
    • Agent
    • Arctic Wolf Base Agent
  • Added more Windows executables:
    Note:

    Windows 32-bit devices have the path C:\Program Files\Arctic Wolf Networks\Agent.

    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\base-agent.exe
    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osquery.exe (64-bit only)
    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\osquery\osqueryi.exe
    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\systeminfo\systeminfo.exe
    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\usb\usb.exe
    • C:\Program Files (x86)\Arctic Wolf Networks\Agent\plugins\wlan\wlan.exe

Bug Fixes

  • Added retry logic to improve scan component downloads during scans.
  • Added functionality to drop Agent returned errors to improve containment processing requests.
  • Added functionality to check if an executable has a valid signature on the Windows client side to improve Agent security.
  • Added functionality to notify of failed start or stop containment for all Windows failures encountered to improve the containment process.
  • Added scan object debug_scan_flag to determine debug scans instead of health check response to increase performance.
  • Added all on-demand signature validation client checks to improve Agent security.
  • Added scheduled executable validation checks during health checks to improve Agent security.
  • Changed the logic to use the correct Sysmon version.
  • Updated outOfMemory check to differentiate between different heap space errors to increase performance.
  • Improved network connection verification to increase performance.
  • Improved route containment to increase reliability.
  • Removed client-side vendor version calculations.
  • Removed the kardianos/service package.

Product Update July 2022

Release Date: July 13, 2022

Features or Enhancements

  • Agent implemented scan operations capabilities with the Managed Risk solution. You can start, rescan, and stop scans with Agent.

Product Update June 2022

Release Date: June 15, 2022

Features or Enhancements

  • Agent supports Windows Server 2022. This allows Agent to support host isolation containment, event collection, audit data collection, and vulnerability scans for Windows Server 2022.

Version 2022-01_04

Release Date: March 28, 2022

Features or Enhancements

  • Granular Timers — Increased the granularity of the scanning control timers so that Agent scans can be started and stopped at 1-minute granularity.
  • Working Directory Change — Changed the temporary working directory for scanning to the Arctic Wolf Networks directories, instead of the Windows temporary directory.
    Note:

    If you required \Windows\Temp to be in the allowlist for Agent to function correctly, add C:\Program Files\Arctic Wolf Networks\Agent to the allowlist on your EDR and AV console before March 28, 2022. Arctic Wolf also recommends removing \Windows\Temp from the allowlist if it exists.

Bug Fixes

  • Released a patch for Windows 10 IOT and Windows 8.1 that resolves the issue that prevented scanning from reporting back to our cloud.