Execution options
The Execution options page lets you configure how Arc collects data, manage detection features, and control network discovery and polling behaviors. You can also set logging levels and adjust specific execution parameters to optimize performance.

Execution time
Maximum disk space
This field lets you control the maximum amount of disk space in megabyte (MB) that will be used for Offline mode.
Sigma rules (Windows only)
This lets you enable/disable Sigma rules for local behavior analysis.
YARA rules (Windows only)
This lets you enable/disable YARA rules. YARA rules are applied to every newly-detected non-signed portable executable (PE) on the host machine's file system.
USB detections (Windows only)
This lets you enable/disable universal serial bus (USB) detections.
Node points
This lets you enable/disable the production of node points.
Discovery
When enabled, this sends out unsolicited lightweight network announcements to discover neighboring nodes.
Discovery uses lightweight protocol-specific broadcast messages to identify network devices. These messages trigger a response from the devices, which includes identity information. The process is repeated at predefined intervals. At each interval, the sensor will identify the suitable network interfaces and send broadcast messages through them to discover devices on each subnetwork connected to the sensor.
Smart Polling
This lets you enable/disable the execution of Smart Polling strategies from Arc. When enabled, this sends out Smart Polling queries following remote requests coming from Guardian to poll assets that Arc can reach, or assets that have been identified with Discovery.
To force Smart Polling from a specific Arc sensor, even when Guardian was the first
to monitor a node, you can use a command-line interface (CLI) command such as:
vi node 192.168.1.1 capture_device arc[1e6a174c]
In this
example, 192.168.1.1
is an internet protocol (IP) address
of a node you want to poll from a specific Arc sensor. 1e6a174c
are
the first eight characters of the Arc sensor identifier (ID) that
you want to poll the node with. To find that sensor ID,
you can select the Arc sensor from the Sensors page of your
Guardian and read the ID field in the right pane. To reset the behavior, you
can set the capture_device
back to the value of the Guardian
interface.
Local ARP table
This lets you enable/disable the ability to use the local address resolution protocol (ARP) table to confirm media access control (MAC) addresses. The Use static entries checkbox lets you enable/disable the use of static entries in the ARP table. Static entries are user-defined. You should only use them if they can be trusted.
Log level
This dropdown lets you select the verbosity level for the log files. The options are:
- Debug
- Info
- Warning
- Error
- Error: Creates a minimalistic log, only unexpected errors are logged
- Warning: Creates extra errors that might show on some operating system (OS)s, but that are generally considered as acceptable
- Info: Logs relevant successful events, it shows the program’s progress (recommended)
- Debug: Logs extra events that are normally useful for debugging purposes. Given its verbosity it is best to activate it only when debugging activities are involved