Installing the Arctic Wolf Agent via Automox

  • 21 October 2020
  • 8 replies
  • 484 views

Installing the Arctic Wolf Agent


Recently we had to go about deploying an agent from a managed SOC called “Arctic Wolf” to all of our server endpoints. The trouble is, the MSI file had to be in the same directory as a “customer.json” file in order to work. This was an issue because Automox only allows you to upload the MSI. Luckily, with PowerShell your imagination is the limit. This is how we got around the limitation as the “customer.json” file is a rather small (one line) file and can be created at runtime with PowerShell.



  1. Create a Required Software policy for Windows

  2. Upload the MSI to Automox

  3. Set the Package Name and Package Version to how it appears in the Win32_Product WMI class when installed on a machine. This is how Automox determines if the package is installed and if a machine is compliant. Currently as of writing this, the name is Arctic Wolf Agent 2020-05_01 and the version is 20.20.0501.

  4. Use the following PowerShell syntax to install the software, replacing the customerUUID and registerDns JSON attribute values with your own.


$json = '{"customerUuid":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","registerDns":"xxxx-xxxx-reg.xxxxxxx.com"}' #This will be what is written to the customer.json file
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False #Set encoding for the output file to UTF8 with no Byte-order-mark
[System.IO.File]::WriteAllText("$pwd\customer.json",$json,$Utf8NoBomEncoding) #Write the file to the current working directory with UTF8 no BOM encoding. It is important to use native .Net functions to do this as Out-File adds a \r\n newline after the file. This will cause the installation to break. The -NoNewLine paramenter in Out-File only works on PowerShell 5+
exit (Start-Process -FilePath 'msiexec.exe' -ArgumentList ('/qn', '/i', '"arcticwolfagent-2020-05_01.msi"', '/l*v c:\AWAgent.log', '/norestart') -Wait -Passthru).ExitCode #Install with MSIExec and write to log c:\AWAgent.log


  1. Apply the policy to the appropriate groups and schedule as required!


If you need to ever change the customer.json file after the agent is installed.


You MAY run into a case where the AW agent was installed and the customer.json file was incorrect or corrupted. In this case, you will have a customer.json file in the installation directory, but no .agent_info file. You will need to create a worklet like this in order to rectify the situation:


Evaluation Code:


if((Test-Path -Path "C:\Program Files (x86)\Arctic Wolf Networks\Agent") -and (!(Test-Path -Path "C:\Program Files (x86)\Arctic Wolf Networks\Agent\.agent_info")))
{
exit 1 #Checks if the install directory exists but .agent_info doesn't exist (broken installation); returns 1
}
else
{
exit 0 #Returns 0 if this worklet doesn't apply to the machine it is run on.
}

Remediation Code:


The remediation code overwrites the customer.json file and restarts the service to get the agent to register with Arctic Wolf


try{
$automoxdir = "C:\Program Files (x86)\Arctic Wolf Networks\Agent"
$json = '{"customerUuid":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","registerDns":"xxxx-xxxx-reg.xxxxxxx.com"}'
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllText("$automoxdir\customer.json",$json,$Utf8NoBomEncoding)
Restart-Service -Name ArcticWolfAgentMgr
Exit 0
}
catch
{
Exit 1
}

Hopefully this helps someone out there in a similar situation, even if it is with a different application!


8 replies


I was curious if you could tell me more about the situation and the limitation you encountered. You should be able to upload multiple files, just one at a time. All uploaded files will be made available in the same directory at installation time. Thank you for any clarity you can provide.

Hmm interesting… I will have to try again. It seemed like it was overwriting the one file when trying to pick another. Do we have to save it and then go back into it and upload again? That might be why we were running into this problem in which case I guess it is user-error.

Thanks for the response! I uploaded my msi first, and accounted for the name and version evaluation. Once that was uploaded, I added my other files (txt and json files). I was able to save all at one time after that. I didn’t try to upload non-msi files first, so I am unsure if that makes a difference just yet.

I thought that’s how it was supposed to work but for some reason we couldn’t get that or the auto MSI evaluation to work a couple of days ago and had to work around the problem using this PowerShell method. I will check with the engineer implementing this Software policy to see if perhaps he has anything configured abnormally with his browser as well just in case it was a UI issue cause by adblock or some other extension/setting.

To clarify, the msi name and version response was in a required software policy. I also tested out a Worklet to ensure I could get multiple files added. That did work as well (to same some testing time, haha).

To make sure, you are supposed to be able to add multiple files in a required software policy as well as a worklet, correct? I will have to do some internal testing to figure out what happened.

That is correct. You should be able to upload multiple files to account for multi-file installers and things like transform files.

I’d love to setup a quick chat with you if you are still encountering issues as we are looking to make some incremental improvements early next year to this policy. Let me know!

Reply