Execution options

The Execution options page lets you configure how Arc collects data, manage detection features, and control network discovery and polling behaviors. You can also set logging levels and adjust specific execution parameters to optimize performance.

Figure 1. Execution options


Execution time

This field lets you set the time that Arc will run to collect data. This is applicable for One-shot and Offline modes.
Note:
When this is set to 0, the execution time is interpreted as infinite.

Maximum disk space

This field lets you control the maximum amount of disk space, in megabytes (MB), that will be used for Offline mode.

Sigma rules (Windows only)

This lets you enable/disable Sigma rules for local behavior analysis.

YARA rules (Windows only)

This lets you enable/disable YARA rules. YARA rules are applied to every newly detected unsigned portable executable (PE) file on the host machine's file system.

USB detections (Windows only)

This lets you enable/disable universal serial bus (USB) detections.

Node points

This lets you enable/disable the production of node points.

Discovery

When enabled, this sends out unsolicited lightweight network announcements to discover neighboring nodes.

Discovery uses lightweight protocol-specific broadcast messages to identify network devices. These messages trigger a response from the devices, which includes identity information. The process is repeated at predefined intervals. At each interval, the sensor will identify the suitable network interfaces and send broadcast messages through them to discover devices on each subnetwork connected to the sensor.
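The interface selection and per-subnetwork broadcast step described above, shown as an added Python illustration (not Arc's own code): the interface list is constructed for the example, and the suitability rules (link up, not loopback, not link-local, subnet large enough to carry a broadcast address) are assumptions about what "suitable" means, not Arc's actual criteria.

```python
"""Pick the interfaces a discovery pass would use and derive the directed
broadcast address of each subnetwork connected to the sensor.

Added illustration with a constructed interface list; the suitability
rules below are assumptions, not Arc's documented criteria."""
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample: (interface name, CIDR address, link is up, is loopback)
SAMPLE_INTERFACES = [
    ("lo",   "127.0.0.1/8",     True,  True),
    ("eth0", "192.168.1.5/24",  True,  False),
    ("eth1", "10.10.0.17/16",   True,  False),
    ("eth2", "172.16.4.2/30",   False, False),  # link down: nothing to reach
    ("eth3", "169.254.10.3/16", True,  False),  # link-local: no routed subnet
]

Interface = Tuple[str, str, bool, bool]


def discovery_targets(interfaces: Iterable[Interface]) -> Dict[str, str]:
    """Map each suitable interface name to the directed broadcast address
    of its subnetwork, i.e. where one discovery announcement per interval
    would be sent."""
    targets: Dict[str, str] = {}
    for name, cidr, is_up, is_loopback in interfaces:
        iface = ipaddress.ip_interface(cidr)
        # Assumed suitability rules: skip down links, loopback and
        # link-local (169.254/16) addresses.
        if not is_up or is_loopback or iface.ip.is_link_local:
            continue
        net = iface.network
        # /31 and /32 networks have no distinct broadcast address.
        if net.num_addresses < 4:
            continue
        targets[name] = str(net.broadcast_address)
    return targets


if __name__ == "__main__":
    for name, bcast in discovery_targets(SAMPLE_INTERFACES).items():
        print(f"{name}: announce to {bcast}")
```

Running the block against the sample list selects only eth0 and eth1; a real sensor would repeat this selection at every discovery interval, since interfaces and their addresses can change between passes.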

Smart Polling

This lets you enable/disable the execution of Smart Polling strategies from Arc. When enabled, this sends out Smart Polling queries following remote requests coming from Guardian to poll assets that Arc can reach, or assets that have been identified with Discovery.

Note:
Smart Polling requires that a Smart Polling license is enabled upstream.

To force Smart Polling from a specific Arc sensor, even when Guardian was the first to monitor a node, you can use a command-line interface (CLI) command such as:

vi node 192.168.1.1 capture_device arc[1e6a174c]

In this example, 192.168.1.1 is the internet protocol (IP) address of the node you want to poll from a specific Arc sensor, and 1e6a174c is the first eight characters of the identifier (ID) of the Arc sensor that you want to poll the node with. To find that sensor ID, select the Arc sensor from the Sensors page of your Guardian and read the ID field in the right pane. To reset the behavior, set the capture_device back to the value of the Guardian interface.

Local ARP table

This lets you enable/disable the ability to use the local address resolution protocol (ARP) table to confirm media access control (MAC) addresses. The Use static entries checkbox lets you enable/disable the use of static entries in the ARP table. Static entries are user-defined. You should only use them if they can be trusted.
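The MAC confirmation step described above, as an added Python illustration (not Arc's own code): it parses the Linux /proc/net/arp column layout on a constructed sample table and honors a use_static_entries switch, so that user-defined (permanent) entries count only when the operator has opted in. The ATF_COM and ATF_PERM flag values are the Linux <net/if_arp.h> definitions; everything else (names, sample data) is assumed for the example.

```python
"""Confirm a MAC address against the local ARP table, honoring the
"Use static entries" choice.

Added illustration, not Arc's own code: parses the Linux /proc/net/arp
layout on a constructed sample table."""
from dataclasses import dataclass
from typing import Iterable, List

# Flag bits from <net/if_arp.h>: ATF_COM marks a complete (resolved)
# entry, ATF_PERM a permanent (static, user-defined) one.
ATF_COM = 0x02
ATF_PERM = 0x04

# Constructed sample in the /proc/net/arp column layout.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x6         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    flags: int
    device: str

    @property
    def complete(self) -> bool:
        return bool(self.flags & ATF_COM)

    @property
    def static(self) -> bool:
        return bool(self.flags & ATF_PERM)


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse /proc/net/arp text (header line plus one entry per line)."""
    entries: List[ArpEntry] = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 6:
            continue  # tolerate blank or truncated lines
        ip, _hw_type, flags, mac, _mask, device = fields[:6]
        entries.append(ArpEntry(ip, mac.lower(), int(flags, 16), device))
    return entries


def confirm_mac(entries: Iterable[ArpEntry], ip: str, mac: str,
                use_static_entries: bool = False) -> bool:
    """Return True only if the ARP table holds a usable entry for `ip`
    whose MAC matches `mac`.

    Incomplete entries (no ATF_COM) are never trusted. Static entries are
    user-defined, so they are consulted only when the operator opted in."""
    mac = mac.lower()
    for entry in entries:
        if entry.ip != ip or not entry.complete:
            continue
        if entry.static and not use_static_entries:
            continue
        return entry.mac == mac
    return False


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for entry in table:
        kind = "static" if entry.static else "dynamic"
        state = "complete" if entry.complete else "incomplete"
        print(f"{entry.ip:<15} {entry.mac} {kind:<8} {state}")
    print(confirm_mac(table, "192.168.1.20", "aa:bb:cc:dd:ee:ff"))
```

With the switch off, 192.168.1.20 is not confirmed even though its MAC matches, because the entry is static; with the switch on it is. The incomplete 192.168.1.30 entry is never used, which is the behavior you want when the table is the authority for "this MAC really answers for this IP".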

Log level

This dropdown lets you select the verbosity level for the log files. The options, from the least verbose to the most verbose (Error < Warning < Info < Debug), are:

  • Error: Creates a minimalistic log; only unexpected errors are logged
  • Warning: Also logs errors that might show on some operating systems (OS) but that are generally considered acceptable
  • Info: Logs relevant successful events and shows the program's progress (recommended)
  • Debug: Logs extra events that are normally useful for debugging purposes. Given its verbosity, it is best to activate it only while debugging