EPM-DEF Sample Questions Answers

VirusTotal

Palo Alto WildFire

CyberArk Application Risk Analysis Service

NSRL

Applications will be allowed to run and will only elevate if required.

Applications will be allowed to run and will inherit the process token from the EPM agent.

Applications will be allowed to run always in elevated mode.

Application from the defined trusted sources must be configured on a per application basis, in order to define run and elevation parameters.

End-user UI in the left panel of the console

Advanced, Agent Configurations

Default Policies

End-User UI within the policy

Elevate Application Group

Developer Applications Application Group

Elevate Trusted Applications If Necessary Advanced Policy

Elevate MacOS Policy

NSRL

Palo Alto Wildfire

VirusTotal

CyberArk Application Risk Analysis Service (ARA)

Behavior of the elevation prompt for administrators in Admin Approval Mode is set to “Prompt for Consent for non-Windows binaries”.

Agent version is incompatible.

UAC policy Admin Approval for the Built-in Administrator Account is set to “Disabled”.

UAC policy Run all administrators in Admin Approval Mode is set to “Enabled”.

An EPM admin can generate a JIT access and elevation policy with temporary access timeframe set to 120 hours

An EPM admin can generate a JIT access and elevation policy with temporary access timeframe set to 120 hours and Terminate administrative processes when the policy expires option unchecked

An EPM admin can create an authorization token for each application needed by running: EPMOPAGtool.exe -command gentoken -targetUser -filehash -timeLimit 120 -action run

An EPM admin can create a secure token for the end user's computer and instruct the end user to open an administrative command prompt and run the command vfagent.exe -UseToken

Local or AD users and groups, Azure AD User, Azure AD Group

AD Groups, Azure AD Groups

Local or AD users and groups

Local or AD users, Azure AD Users

Add trusted software to the Authorized Applications (Ransomware protection) Application Group

Add trusted software to the Allow Application Group

Add additional files, folders, and/or file extensions to be included to Ransomware Protection

Enable Detect privileged unhandled applications under Default Policies

Yes, when Audit Video recording started, when Audit Video recording stopped, and when Audit Recording video reached size limit.

Yes, when Audit Video recording started, when not enough disk space to start the video recording, and when video recording is initializing.

Yes, when Audit Video recording started, when Audit Video recording is uploaded to the EPM server, and when audit recording cannot be initialized.

No, Audit Video is only available without the possibility of having End-User dialog pop-ups.

Policy creation date

Target use group

Creator of the policy

The policy's Set name

The username should match to an existing account.

The username should have a strong password associated.

The username should not match to an existing account.

The username should match the built-in local Administrator.

Some Threat Protection policies are applicable only for Windows Servers as opposed to Workstations.

Certain Threat Protection policies apply for specific applications not found on all machines

Threat Protection policies requires an additional agent to be installed.

Threat Protection features are not available in all regions.

Trusted Sources

Authorized Applications (Ransomware Protection)

Threat Intelligence

Policy Recommendations

Verify any 3rd party security solutions have been added to EPM's Files To Be Ignored Always configuration and CyberArk EPM has also been excluded from the 3rd party security solutions.

Enable the Default Policy's Privilege Management Control, Unhandled Privileged Applications in Elevate mode.

Rerun the agent installation on the user's machine to repair the installation.

Uninstall or disable any anti-virus software prohibiting the EPM Agent functionalities.