Install vScanner using Microsoft Hyper-V Manager

As part of Arctic Wolf® Managed Risk, install a Virtual Scanner (vScanner) to perform continuous risk monitoring and vulnerability assessments. vScanner provides context for vulnerabilities that you may have in your environment.

Requirements

• Microsoft Hyper-V Server 2016 or Microsoft Hyper-V Server 2019

• The appropriate Arctic Wolf permissions to complete the virtual scanner deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.

• These system resources:

  Note: Reducing or limiting resource allocations below the specified requirements impacts vLC performance.

  • 8 vCPUs
  • 16 GB RAM
  • 40 GB storage

Before you begin

• Make sure you have the appropriate Arctic Wolf permissions to complete the vScanner deployment. Contact your Concierge Security Team© (CST) to confirm who in your organization has these permissions.
• Add all necessary IP addresses, ports, and services to your allowlist for full vScanner functionality.

  Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Scanners.

• If you rate-limit the vScanner with Quality of Service (QoS), remove this for best performance.
• If your firewall provides SSL/TLS inspection, do not perform this inspection on the vScanner management IP address.
• If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the vScanner management IP address.

Steps

1. Download the vScanner image. 
2. Import the vScanner VM.
3. Configure the vScanner VM.
4. Register the vScanner with Arctic Wolf.
5. Set a static IP address.

Step 1: Download the vScanner image

1. Sign in to the Risk Dashboard.

   Note: The Risk Dashboard is only compatible with Google Chrome.

2. In the navigation menu, click Downloads.

3. Under Download a Scanner Virtual Machine image for your virtualization infrastructure, from the list, select hyper-v-2016+.

4. Click Download Scanner VM.

5. Click Download to confirm and start the zip file download.

6. When the download completes, extract the zip file.

Step 2: Import the vScanner VM

Based on your Hyper-V Server version, do one of these actions:

• Import the vScanner VM to Hyper-V Server 2019.
• Import the vScanner VM to Hyper-V Server 2016.

Import the vScanner VM to Hyper-V Server 2019

1. In Hyper-V Manager, select the desired server.
2. In the Actions menu, click Import Virtual Machine.
3. Click Next.
4. Select the folder that contains the VHDX file:
   1. Click Browse, and then navigate to the rootsecure-sensor-hyperv-latest folder that you extracted from the zip file.
   2. Select the Virtual Hard Disks folder, which contains the VHDX file.
   3. Click Next.
5. Select the virtual machine (VM) to import.
6. Choose your preferred import type, and then click Next.
7. If applicable, configure other settings based on the import type you selected, and then click Next.
8. Review the summary of your VM import.
9. Click Finish.

Import the vScanner VM to Hyper-V Server 2016

1. In Hyper-V Manager, select the desired server.
2. In the Actions menu, click New > Virtual Machine.
3. Click Next.
4. Enter a name for the VM. For example, Arctic Wolf Scanner.
5. (Optional) Change the storage location of the VM.
6. Click Next.
7. Select Generation 2, and then click Next.
8. Set the desired amount of memory for the VM, and then click Next.
9. Select the network interface that you want the VM to use, and then click Next.
10. Select the VHDX file to import:
    1. Select Use an existing virtual harddisk.
    2. Click Browse, and then navigate to the rootsecure-sensor-hyperv-latest folder that you extracted from the zip file.
    3. Open the Virtual Hard Disks folder, and then select the VHDX file.
    4. Click Next.
11. Review the summary of your VM import.
12. Click Finish.

Step 3: Configure the vScanner VM

1. In Hyper-V Manager, select the desired server.
2. In the Virtual Machines section, right-click the vScanner VM, and then select Settings.
3. Configure these Hardware settings:
   • Firmware — Boot from Hard Drive
   • Security — Secure Boot disabled
4. Configure these Management settings:
   • Name — For example, Arctic Wolf Scanner
   • Integration Services — Some services offered
   • Checkpoints — Production
   • Automatic Start Action — Always start
   • Automatic Stop Action — Save

Step 4: Register the vScanner with Arctic Wolf

1. Contact the Arctic Wolf Deployment team at onboarding@arcticwolf.com for a registration token. You need this token to progress.

2. After you receive the token from the Deployment team, turn on the VM power.

3. After the boot sequence completes, press Enter on the console to view the DHCP lease and the Automatic Private IP Addressing (APIPA) link-local address assignment.

4. Connect to the scanner registration page at http://<scanner_ip>:57005, where <scanner_ip> is the required DHCP address.

   Note: If you do not use DHCP, use the APIPA address from another machine on the same layer 2 switch.

5. In the Registration Token field, enter the token that you received from the Deployment team.

6. Click Register to start the registration process.

   Within five minutes, the scanner appears on the Config > Scanner Console page or the Config > Analyst Console page of the Risk Dashboard.

7. Contact the Arctic Wolf Deployment team at onboarding@arcticwolf.com and confirm that the scanner is now online and that the registration is complete.

Step 5: Set a static IP address

This task is optional. However, Arctic Wolf recommends that you set a static IP address so it is easy to identify the Managed Risk Scanner as an authorized source of internal network scans.

Before you begin

• Contact the Arctic Wolf Deployment team at onboarding@arcticwolf.com for Webmin login credentials. You need these credentials to proceed.
• Contact your onboarding engineer for more information about console credentials for the operating system. These credentials are not automatically granted.

Steps

1. Sign in to the Webmin console on the VM at https://<scanner_ip>:10000, where <scanner_ip> is the DHCP address.

   Note: If DHCP is unavailable, launch a browser from another system on the same L2 switch. Then, use the APIPA address to connect to the Webmin console at https://169.254.xxx.xxx:10000.

2. Make sure the default gateway is set:

   1. In the navigation menu, click Networking > Network Configuration.
   2. Click Routing and Gateways.
   3. On the Boot time configuration tab, verify that a default gateway is set.
   4. If the default gateway value is not set, enter the appropriate values.
   5. Click Save.

3. Make sure that all relevant DNS servers are configured:

   1. Return to the Network Configuration page.
   2. Click Hostname and DNS Client.
   3. (Optional) Change the Hostname value.
   4. Verify that the first field in the DNS Servers section is populated with your DNS server IP address.
   5. If the field is not populated, enter your DNS server IP address.
   6. (Optional) Enter up to two more DNS server IP addresses in the DNS Servers fields.
   7. Click Save.

4. Configure a static IP address:

   1. Return to the Network Configuration page.
   2. Click Network Interfaces.
   3. In the table, click the eth0 value.
   4. In the IPv4 address section, select Static configuration.
   5. Enter the IPv4 address and the Netmask that you want to use.
   6. In the IPv6 addresses section, verify that IPv6 disabled is selected.
   7. Click Save.

5. Apply your configuration changes:

   1. Return to the Network Configuration page.
   2. Click Network Interfaces.
   3. Select the eth0 row in the table, and then click Apply Selected Interfaces.

6. Restart the VM.

7. Verify the new configuration in Webmin:

   1. In the navigation menu, click Networking > Network Configuration.
   2. Click Routing and Gateways.
   3. On the Active configuration tab, in the Default router section:
      1. Make sure there is at least one row where the Destination value is set to Default Route.
      2. Make sure the Gateway value is an IP address rather than None.

Next steps

• Schedule host identification and vulnerability scans. See Manage Risk Scanner configuration for more information.

See also

• Export and Import virtual machines
• Serial Console User Guide
• Managed Risk Scanner Installation and Configuration Guide
• Managed Risk Scanner Migration