NGAV Local Update Server

For larger deployments, you can optionally install an NGAV Local Update server to deliver the Anti-Malware Signatures DB updates.

If your organization has a large number of endpoints, you can optionally choose to install an NGAV Local Update server (or servers) in your network to deliver Anti-Malware signature updates to endpoints more quickly. This option also helps to minimize potential traffic issues on the external network, and is especially useful during the initial installation of Anti-Malware on sensors due to the size of the full signature database (~1.2 GB) that requires deployment to each endpoint.

Sensors download their first-time signatures update and subsequent updates from the NGAV Local Update server. This conserves network usage for your organization by avoiding direct communication from your machines with an external server. You can also control how frequently the Local Update server receives signature updates from the Global update server. We recommend setting the update frequency to between a few hours to up to two days, for optimal security value. Ask Technical Support for assistance to configure this setting.

If the sensor cannot connect to the NGAV Local Update server, it connects to the NGAV Global Update server at

NGAV Local update server types

Server type

Main capabilities


Supported OS


How to configure

VM-based Local update server

  • Uses a mirroring technology, which allows separation between the Anti-Malware signature update request and retrieval process, which significantly reduces sensor latency during updates and reduces load for the sensor.

  • Your organization can now use a proxy to access the Global Update server, which allows you to restrict access to external domains, or to reduce the traffic and consumed resources on endpoints during downloads of Anti-Malware signature updates.

  • The server is provided as a pre-built VM based on a Linux OS.

Cybereason fully maintains this server.


This is the recommended option. To get access to this server, contact Technical Support.

How to Configure a VM-Based Local update server

Windows-based Local Update server

Caches signature updates from the NGAV Global Update server. Does not support downstream proxy access to the Global Update server.

Important: This server type is no longer supported.


We recommend that you use the more capable VM-based Local update server.

How to Install and Configure the Local update server (Windows)

Install the NGAV Local Update server

You install the NGAV Local Update server on premises.

Cybereason is responsible for providing the configuration of the NGAV Local Update server. You are responsible for installing, monitoring, and maintaining this server. Contact Technical Support for assistance with this server’s configuration.

For details on how to install a Local Update server, see:

Use multiple NGAV Local Update servers

You can install multiple NGAV Local Update servers if necessary (for example, one per geographical region). Cybereason recommends the following steps:

  1. From the Cybereason UI System > Policies management screen, create or edit a policy and, in the Anti-Malware tab, set the Local Update server parameter of all sensors in your organization to the same domain (for example,

  2. On your DNS server for each region, redirect the domain to the IP address of the Local Update server in that region (for example: 14400 IN A