Troubleshoot Arctic Wolf Agent

This information provides solutions for common Arctic Wolf® Agent issues.

Arctic Wolf is not receiving Agent data

Possible cause: Agent traffic is not reaching Arctic Wolf over port 1514. If Agent cannot reach Arctic Wolf over port 1514, Arctic Wolf does not receive security observations. This can result in Arctic Wolf having limited visibility into Agent endpoints.

Resolution:

  • Configure your firewall to allow outbound traffic over port 1514. This is typically a layer 3 rule.
  • Configure your systems to allow Agent processes.
  • Configure your systems with the correct Agent hash values.

For more information, see Unable to run Agent scans on Windows.

Agent Status is Degraded

Possible cause: In the Arctic Wolf Unified Portal, Agent might report these Degraded health status results:

  • Wazuh Connection Failure
  • Wazuh Not Installed
  • Wazuh Reconnection Failure
  • Wazuh Service Failure

Resolution: Based on your health status result, do one of these actions:

  • Wazuh Connection Failure:
    • Check that your firewall allows an outbound connection on port 1514.
    • Add the Agent DNS hostnames to your allowlist.

    For more information, see Unable to run Agent scans on Windows.

  • Wazuh Not Installed — Contact your Concierge Security® Team (CST) at security@arcticwolf.com for assistance.
  • Wazuh Reconnection Failure — The Wazuh service was restarted but could not connect. Contact your CST at security@arcticwolf.com for assistance.
  • Wazuh Service Failure — Contact your CST at security@arcticwolf.com for assistance.

Resources spike during an Agent scan

Possible cause: This is expected behavior. Agent causes CPU and memory usage spikes because vulnerability and benchmark scans are resource intensive. For example, it is normal to see 30% of a 2.5GHz single core CPU and 1GB of memory used.

Resolution: If an endpoint has resource requirements during certain times, schedule your scans accordingly.

An endpoint monitoring solution is blocking Agent installation

Possible cause: Agent is designed to avoid triggering endpoint monitoring solutions such as anti-malware, but sometimes the installer script needs to be allowlisted.

Resolution: Add the installer script to the allowlist for the solution that is blocking Agent installation.

Error notifications appear when running the Windows Agent installer manually

Possible cause: An issue exists with host policies or file locations.

Resolution:

  • Check the policies on the host and update any permissions that:
    • Do not allow Agent installation.
    • Prevent Arctic Wolf Agent Manager from starting during installation.
  • Confirm that the customer.json file and the Agent install file are in the same folder. For more information, see Unable to run Agent scans on Windows.
  • Reinstall Agent using administrator privileges.

Agent is not registering

Possible cause: Outbound firewall rules are blocking traffic from the Agent-monitored endpoints over the required ports. Arctic Wolf Agent uses TCP ports 443 and 1514 to register and to communicate with Arctic Wolf.

Resolution: Verify that no outbound firewall rules block traffic from the Agent-monitored endpoints over these ports. Customers must implement firewall rules for Agent DNS addresses and ports before installing Agent. For more information, see Unable to run Agent scans on Windows.

Agent does not update automatically on Windows

Possible cause: Updates are blocked by misconfigured permissions, firewall rules, or allowlists.

Resolution:

  • Verify that the correct Agent process hash values (checksums) are allowlisted in any other endpoint security software on the machine.
  • Verify that you have the necessary permissions to allow software updates such as Agent.
  • Verify that the Agent firewall rules for ports 443 and 1514 are correct.

For more information, see Unable to run Agent scans on Windows.
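
The firewall checks in the sections above (no Agent data, Agent not registering, Agent not updating) can be run from the affected endpoint with a short egress test. This is an added example, not Arctic Wolf tooling: ports 443 and 1514 come from this page, while the hostname is a placeholder to replace with the Agent DNS hostnames from your allowlist and `Test-AgentEgress` is a hypothetical function name.

```powershell
# Added example, not Arctic Wolf's tooling. Ports 443 and 1514 are from this page.
# The hostname below is a placeholder: replace it with the Agent DNS hostnames
# from your own allowlist. Test-AgentEgress is a hypothetical function name.
$AgentHosts = @('agent-endpoint.example.invalid')

function Test-AgentEgress {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [int[]]$Port = @(443, 1514),
        [int]$TimeoutMs = 3000
    )
    foreach ($h in $HostName) {
        foreach ($p in $Port) {
            $client = [System.Net.Sockets.TcpClient]::new()
            # No reply within the timeout typically means packets are being dropped silently.
            $result = 'Timeout'
            try {
                if ($client.ConnectAsync($h, $p).Wait($TimeoutMs)) { $result = 'Open' }
            } catch {
                # Unwrap to the socket error: HostNotFound points at DNS resolution,
                # ConnectionRefused at a device actively rejecting the port.
                $sockErr = $_.Exception.GetBaseException() -as [System.Net.Sockets.SocketException]
                $result = if ($sockErr) { "$($sockErr.SocketErrorCode)" } else { 'Error' }
            } finally {
                $client.Close()
            }
            [pscustomobject]@{ Host = $h; Port = $p; Result = $result }
        }
    }
}

Test-AgentEgress -HostName $AgentHosts | Format-Table -AutoSize
```

An `Open` result only shows that the TCP handshake completed; a proxy or VPN that intercepts the connection can still interfere with Agent traffic.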

VPN is preventing Agent from communicating with Arctic Wolf

Possible cause: Your VPN configuration might be preventing Agent from communicating with Arctic Wolf.

Resolution: Configure the VPN to handle Agent HTTPS and TCP traffic.

Agent on Windows version 2025-01-08 does not send health check data

Possible cause: Agent version 2025-01-08 installed on the c:\ (lowercase) drive does not send health check data, and Agent incorrectly displays as offline. Changing the installed drive letter to C:\ (uppercase) resolves the issue.

To check if you are experiencing this issue, right-click the Arctic Wolf Agent Manager service and check if the path in Path to executable starts with c:\ (lowercase).

Resolution: Change the Agent drive letter path to C:\ (uppercase) using one of these methods:

Edit the path in Windows registry

  1. On a Windows device, in the taskbar search box, enter regedit.
  2. Go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr.
  3. Change the path to C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client.exe.
  4. Close the Registry Editor.
  5. Restart the Arctic Wolf Agent Manager service.

Edit the path using a Group Policy Object (GPO)

  1. On the Windows device, press Windows key + R, and then enter gpmc.msc.
  2. On the domain, right-click and then select Create a GPO in this domain, and Link it here....
  3. In New GPO, enter a name, for example, AWNRegistryKey.
  4. Click OK.
  5. Right-click the new GPO, and select Edit.
  6. Go to Computer Configuration > Preferences > Windows Settings.
  7. Right-click Registry, and go to New > Registry Item.
  8. In Key Path, click , and select SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr.
  9. Click ImagePath.
  10. Under Value data, change the value to C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client.exe.
  11. To apply the change, click OK.
  12. In the GPMC, link the new GPO to all computers with Agent installed.

    After the Arctic Wolf Agent Manager service is restarted, the issue should be resolved.

Edit the path using PowerShell

  1. Open a PowerShell session.
  2. Enter these commands:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr" -Name "ImagePath" -Type ExpandString -Value '"C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client.exe"'
    Get-Service | where -Property ServiceName -like "ArcticwolfAgentMgr" | Restart-Service

    The Arctic Wolf Agent Manager service restarts.
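
The check described earlier (does the service path start with a lowercase c:\) can be scripted so that only affected endpoints are changed and only the drive letter is rewritten. This is an added example, not Arctic Wolf's script: the registry key, value name, and service name come from this page, and the function names and the `$Fix` toggle are hypothetical.

```powershell
# Added example, not Arctic Wolf's script. The key, value name, and service name come
# from this page; the function names and the $Fix toggle are hypothetical.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr'
$Fix     = $false   # set to $true (elevated session) to write the corrected value

function Test-LowercaseDriveLetter {
    param([string]$ImagePath)
    # -cmatch is case-sensitive; plain -match would also flag an uppercase "C:\".
    # The optional leading quote covers quoted service paths.
    return $ImagePath -cmatch '^"?[a-z]:\\'
}

function Repair-DriveLetterCase {
    param([string]$ImagePath)
    # Uppercase only the drive letter; the rest of the stored path is left untouched.
    if ($ImagePath -cmatch '^("?)([a-z])(:\\.*)$') {
        return $Matches[1] + $Matches[2].ToUpperInvariant() + $Matches[3]
    }
    return $ImagePath
}

$key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
if (-not $key) {
    Write-Output "Service key not found: $KeyPath"
} else {
    # Read the value as stored, without expanding environment variables.
    $current = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (Test-LowercaseDriveLetter $current) {
        $fixed = Repair-DriveLetterCase $current
        Write-Output "Affected.  Current: $current"
        Write-Output "           Fixed:   $fixed"
        if ($Fix) {
            Set-ItemProperty -Path $KeyPath -Name 'ImagePath' -Type ExpandString -Value $fixed
            Restart-Service -Name 'ArcticWolfAgentMgr'
        }
    } else {
        Write-Output "Not affected. Current: $current"
    }
}
```

With `$Fix` left at `$false` the script is read-only, so it can be run first as an audit across endpoints.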

Edit the path by merging a registry key

  1. Using a text editor, save this data as AWNRegKey_ArcticWolfAgentMgr.reg:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr]
    "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
      6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
      00,5c,00,41,00,72,00,63,00,74,00,69,00,63,00,20,00,57,00,6f,00,6c,00,66,00,\
      20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,73,00,5c,00,41,00,67,00,65,\
      00,6e,00,74,00,5c,00,73,00,63,00,6f,00,75,00,74,00,2d,00,63,00,6c,00,69,00,\
      65,00,6e,00,74,00,2e,00,65,00,78,00,65,00,22,00,00,00
  2. Double-click the AWNRegKey_ArcticWolfAgentMgr.reg registry file to merge the change into the registry.
  3. Restart the Arctic Wolf Agent Manager service.
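
Because the .reg file stores ImagePath as hex(2) data, it is worth decoding the bytes before merging to confirm exactly which service path will be written. This is an added example, not part of Arctic Wolf's procedure: the .reg text is copied from step 1, and `ConvertFrom-RegExpandSz` is a hypothetical helper name.

```powershell
# Added example. $RegText is the .reg content from step 1 on this page;
# ConvertFrom-RegExpandSz is a hypothetical helper name.
$RegText = @'
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ArcticWolfAgentMgr]
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
  00,5c,00,41,00,72,00,63,00,74,00,69,00,63,00,20,00,57,00,6f,00,6c,00,66,00,\
  20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,73,00,5c,00,41,00,67,00,65,\
  00,6e,00,74,00,5c,00,73,00,63,00,6f,00,75,00,74,00,2d,00,63,00,6c,00,69,00,\
  65,00,6e,00,74,00,2e,00,65,00,78,00,65,00,22,00,00,00
'@

function ConvertFrom-RegExpandSz {
    param(
        [Parameter(Mandatory)][string]$RegText,
        [Parameter(Mandatory)][string]$ValueName
    )
    # A trailing backslash means the hex data continues on the next line; join those lines.
    $flat = $RegText -replace '\\[ \t]*\r?\n[ \t]*', ''
    $pattern = '(?m)^\s*"' + [regex]::Escape($ValueName) + '"=hex\(2\):([0-9a-fA-F,]+)\s*$'
    $m = [regex]::Match($flat, $pattern)
    if (-not $m.Success) { throw "No hex(2) data found for value '$ValueName'." }
    $bytes = [byte[]]($m.Groups[1].Value.Split(',') | ForEach-Object { [Convert]::ToByte($_, 16) })
    # hex(2) is REG_EXPAND_SZ: UTF-16LE text followed by a terminating null.
    return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

$decoded  = ConvertFrom-RegExpandSz -RegText $RegText -ValueName 'ImagePath'
$expected = '"C:\Program Files (x86)\Arctic Wolf Networks\Agent\scout-client.exe"'

Write-Output "Decoded ImagePath: $decoded"
# -ceq compares case-sensitively, which matters because this fix is about drive-letter case.
if ($decoded -ceq $expected) {
    Write-Output 'Matches the path given in the registry and PowerShell methods.'
} else {
    Write-Output 'MISMATCH: do not merge this file until the difference is explained.'
}
```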

Edit the path using a Remote Monitoring and Management (RMM) tool

  1. Using your RMM tool, uninstall Agent.
  2. Re-install Agent using C:\ as the path.

Unable to run Agent scans on Windows

Agent scans are not working on Windows devices that have PowerShell restrictions enforced by application control software.

Possible cause: PowerShell commands are configured to run in Constrained Language Mode, which prevents the Agent scanner PowerShell scripts from running.

Resolution: Trust the signer information in the Agent scanner signed files. For more information, see Trust Agent scanner signed files on Windows.