Install the Arctic Wolf Agent Containment Driver on Windows using the Arctic Wolf Unified Portal

Arctic Wolf® Agent containment requires that you install the Agent Containment Driver. Arctic Wolf recommends that you use the Arctic Wolf Unified Portal to install your Agent Containment Driver.

Note:

You can also install the Containment Driver using the MSI file, but the Containment Driver status does not appear in the Unified Portal and does not receive automatic updates. For more information, see Install the Arctic Wolf Agent Containment Driver on Windows using the MSI file. We strongly recommend installing the Containment Driver using the Arctic Wolf Unified Portal, rather then installing manually using the MSI file.

When a host is successfully contained, this notification appears: "This machine has been quarantined."

When host containment is removed, this notification appears: “This machine’s quarantine has been lifted.”

For information about troubleshooting containment, see Troubleshoot Arctic Wolf Agent Containment Driver.

Note:

Agent does not support ARM architecture.

These resources are required:

  • One of these operating systems:
    • Desktop

      • Windows 11 or 10

    • Server

      • 2022, 2019, 2016, or 2012 R2
    • These system resources:

      • A x64 or x86 processor

      • At a minimum:
        • A dual-core CPU
        • 2 GB of memory
        • 50 MB of disk space

These actions are required:

  • For your EDR system to communicate with the Agent endpoint during containment, you might need to allowlist your EDR system. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to configure Agent allowlisting.

Install the Arctic Wolf Agent Containment Driver

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Agents.
  3. Select the checkbox beside each Arctic Wolf Agent you want to install.
  4. Click Install Containment Driver.

    A notification indicates that the driver is enabled. The Containment Driver status changes to Installation Pending.

Note:

You do not need to restart your services after installing the Agent Containment Driver.

Verify that the Arctic Wolf Agent Containment service is installed

This step is optional.

  1. In Windows Services, verify that the Agent Containment service is installed and running.
  2. If you installed the Containment Driver using the Arctic Wolf Dashboard, verify that the Containment Driver status displays the driver version number. For example v1.2.5.
  3. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to verify that containment is working correctly.