Automatic updates are the primary recommended method of keeping signature files updated. You can enable and disable automatic updates and set the frequency and randomization of updates for the signature files for the Local Scanner.

These steps impact only one policy at a time.

The local scan feature is only available for Windows sensors 2.0 and later. It is not available for the Audit and Remediation Standalone product, Linux sensors, or macOS sensors.

Note: An initial, offline Signature Pack is available for download from Endpoints > Sensor Options > Download sensor kits > AV Signature Pack. This download is for the initial deployment only, to get the first set of signatures installed with a sensor. This is not a recommended way to keep signatures updated because these packs receive infrequent updates.

Procedure

  1. On the left navigation bar, click Enforce > Policies.
  2. Select the policy and click the Local Scan tab.
  3. Click the Scanner Config drop-down menu and specify the On Access File Scan Mode:
    • Disabled - No scanning of files occurs.
    • Normal - Scans new files (EXEs, DLLs, scripts) the first time each file executes (determined by hash).
    • Aggressive - Scans all files on execute. The assigned reputation and policy rules apply.
  4. To turn automatic updates on or off, click the Signature Updates drop-down menu and set Allow Signature Updates:
    • Enabled - Enables signature updates for the scanner.
    • Disabled - Disables signature updates for the scanner.
    Note: Disabling signature updates stops sensors in the designated policy from receiving updated signature files. On the Inventory > Endpoints page, in the Sig column, the sensor signature files show as out-of-date (red triangle) one week after being disabled, until the updates are re-enabled.
  5. Set the Frequency to specify how often the sensor checks in for signature pack updates using the designated update server. The default setting is 4 hours.
  6. Set the Staggered Update Randomization Window to avoid all sensors trying to download at the same time (per Policy). The default setting is 4 hours.
    Note: When you configure automatic updates, you must consider the Frequency and Staggered Update Randomization Window settings together. It is a best practice to set Frequency and Staggered Update Randomization Window to 2 hours and 1 hour, respectively. Setting Frequency to 4 hours and Staggered Update Randomization Window to 4 hours results in sensors not getting updated signature files until at least 8 hours elapse.
  7. Optionally specify Update Servers for local scanning signatures, or use the default Carbon Black servers.
    Note: If network bandwidth consumption during updates is a concern, set up and specify a Local Mirror Server.
    1. Update Servers for Internal Devices: Lets you add update servers for internal devices. You can use the default mirror infrastructure (http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.
    2. Update Servers for Offsite Devices: Lets you add update servers for offsite devices. You can use the default mirror infrastructure (http://updates.cdc.carbonblack.io/update) or use the provided field to enter your own mirror device URL.
  8. Click Save.