Detect a Potential Security Threat

Threat Detection Policies enable you to detect and block specific application threats to your system's security. CyberArk provides a number of specific Threat Detection Policies.

The Threat Detection Policies guard against threats to Microsoft Windows operating systems, Web browsers, remote access and IT applications.

Microsoft retains passwords and credentials in many locations. These are used to assist the user, especially in Single Sign-On (SSO) situations, which allow users to authenticate at a single location and access a range of services without re-authenticating. The Threat Detection Policies protect the key assets in Microsoft against attacks, stopping attackers from escalating and moving laterally in the system.

For a list of rules that EPM deploys to protect Microsoft assets, see Threat detection rules.

Guard against threats

The Threat Detection Policies guard against threats to Chrome, Firefox, and Opera, which retain user passwords that are often similar to the users' corporate passwords. Attackers can steal these passwords without needing Administrator privileges, giving them an easy path to achieve lateral movement.

Remote access and IT applications protected by the Threat Detection Policies are those used by IT personnel to manage the critical infrastructure of an organization, such as WinSCP and mRemoteNG. These applications save the credentials of these privileged users, who can run code remotely and connect almost everywhere in the organization. Attackers use password stealing malware to access these credentials, giving them privileged access to the most sensitive parts of the organization.

Risk analysis

The EPM Threat Intelligence module allows you to use CyberArk's own risk analysis service or third-party services to check whether specific applications constitute a threat to your system's security.

CyberArk Application Risk Analysis Service (ARA) automatically uncovers sophisticated APTs (Advanced Persistent Threats), zero-day attacks, and targeted threats.

EPM offers third-party services for checking an application for a potential security threat. By default, VirusTotal is enabled.

Users of EPM, who are also customers of the companies that manufacture the relevant products, can use the services listed below. They are only visible only if they are configured in EPM management console.

  • Palo Alto WildFire
  • Check Point ThreatCloud
  • FireEye AX

NSRL was deprecated in v11.5.5.

After the check proves that the Application is malicious, the Application appears with a red color. Additional important information, like the Application Source, related Applications, and so on can be used to reveal other potential threats.

The malicious Applications can be easily blocked from the Privilege Management Inbox, Application Control Inbox, or Application Catalog.


If the blocking is applied to the specific Executable by its checksum, the selected Executable will always be blocked, regardless of other parameters such as the file’s location, digital signature, and version information. In this case, we recommend analyzing the discovered threat further to avoid polymorphic malware.