The correct answers are C and D. Static attack object groups are manually defined groups. Juniper states that custom attack groups are static in nature because the attacks are explicitly specified in the group; therefore, those attack groups do not change when the security database is updated. This is the key difference between static groups and dynamic groups. Dynamic groups use matching criteria and can automatically update membership when the signature database changes, but static groups do not behave that way.

Option C is correct because updating the IPS/IDP signature database does not automatically add or remove members from a static attack group. Option D is correct because the administrator must explicitly add the desired attack objects to the custom static group. Option A describes dynamic matching behavior, not static group behavior. Option B is also dynamic-group behavior; Juniper Security Director documentation says dynamic group membership is automatically updated during signature updates based on the group’s matching criteria. Static groups are intentionally deterministic: they include only the attacks manually selected by the administrator. Reference topics: IDP attack objects, static attack groups, custom attack groups, dynamic attack groups, IPS signature database updates.