Detect a potential security threat

This topic introduces you to EPM's threat protection policies.

Overview

Threat protection policies enable you to detect and block specific application threats to your system's security. CyberArk provides a number of specific threat protection policies, which guard against threats to Microsoft Windows operating systems, Web browsers, remote access and IT applications.

Microsoft retains passwords and credentials in many locations. These are used to assist the user, especially in single sign-on (SSO) situations, which allow users to authenticate at a single location and access a range of services without re-authenticating. The threat protection policies protect the key assets in Microsoft against attacks, stopping attackers from escalating and moving laterally in the system.

For a list of rules that EPM deploys to protect Microsoft assets, see Threat protection rules.

Guard against threats

The threat protection policies guard against threats to Chrome and Opera, which retain user passwords that are often similar to the users' corporate passwords. Attackers can steal these passwords without needing Administrator privileges, giving them an easy path to achieve lateral movement.

Remote access and IT applications protected by the threat protection policies are those used by IT personnel to manage the critical infrastructure of an organization, such as WinSCP and mRemoteNG. These applications save the credentials of these privileged users, who can run code remotely and connect almost everywhere in the organization. Attackers use password stealing malware to access these credentials, giving them privileged access to the most sensitive parts of the organization.

Risk analysis

The EPM Threat Intelligence module enables you to use CyberArk's own risk analysis service or third-party services to check whether specific applications constitute a threat to your system's security.

CyberArk Application Risk Analysis Service (ARA) automatically uncovers sophisticated APTs (Advanced Persistent Threats), zero-day attacks, and targeted threats.

EPM offers several third-party services to check applications for potential security threats. By default, NSRL is enabled, and you can generate a full report in VirusTotal.com.

Users of EPM who are also customers of the companies that manufacture the relevant products can use the services listed below, which are visible only if they are configured in the EPM management console.

  • Palo Alto WildFire
  • Check Point ThreatCloud

After the check proves that an application is malicious, the application is displayed in red. Additional important information, such as the application source and related applications, can be used to reveal other potential threats.

You can easily block the malicious applications in the Manage events page.

If the blocking is applied to the specific executable by its checksum, the selected executable will always be blocked, regardless of other parameters such as the file’s location, digital signature, and version information. Because polymorphic malware changes its checksum with every variant, a checksum block does not stop the next variant; in this case, we recommend analyzing the discovered threat further rather than relying on the checksum block alone.
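The following is an added example, not part of CyberArk's documentation or of EPM's rule engine: a small Python model of how a checksum rule and an attribute rule behave against a discovered executable, a relocated copy of it, and a polymorphic variant that differs by one byte. The Executable fields, the paths, the payload bytes and the rule names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Executable:
    # Attributes an endpoint policy can match on (constructed model, not EPM's own).
    name: str
    path: str
    publisher: str    # digital-signature subject; "" means unsigned
    version: str
    content: bytes


def sha256_of(exe: Executable) -> str:
    return hashlib.sha256(exe.content).hexdigest()


def checksum_rule(blocked_sha256: str):
    # Matches only an exact file hash, whatever the path, signer or version.
    return lambda exe: sha256_of(exe) == blocked_sha256


def attribute_rule(publisher=None, path_prefix=None, name=None):
    # Matches on metadata instead of content; None means "don't care".
    def match(exe: Executable) -> bool:
        return ((publisher is None or exe.publisher == publisher)
                and (path_prefix is None or exe.path.lower().startswith(path_prefix.lower()))
                and (name is None or exe.name.lower() == name.lower()))
    return match


def matching_rules(exe: Executable, rules: dict) -> list:
    # Returns the names of every rule that would block this executable.
    return [label for label, rule in rules.items() if rule(exe)]


# Constructed samples: the discovered file, the same bytes copied elsewhere under a
# new name, and a polymorphic variant that differs by a single appended byte.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
discovered = Executable("stealer.exe", TEMP + r"\stealer.exe", "", "1.0.0", b"MZ\x90\x00-constructed-payload")
relocated = Executable("svc.exe", r"C:\ProgramData\svc.exe", "", "1.0.0", discovered.content)
polymorph = Executable("stealer.exe", TEMP + r"\stealer.exe", "", "1.0.0", discovered.content + b"\x00")

RULES = {
    "block-by-checksum": checksum_rule(sha256_of(discovered)),
    "block-unsigned-in-temp": attribute_rule(publisher="", path_prefix=TEMP),
}

if __name__ == "__main__":
    for label, exe in [("discovered", discovered), ("relocated", relocated), ("polymorph", polymorph)]:
        print(f"{label:10s} -> {matching_rules(exe, RULES) or ['not blocked']}")
```

The checksum rule follows the file wherever it is copied but misses the one-byte variant, while the attribute rule catches the variant but not the relocated copy; the two kinds of rule cover different gaps.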