Risk Assessment Administration

EPM includes a multi-signal risk assessment system that assigns a numeric risk score to actions before policy controls are applied. Policies can use risk scores as an additional condition — for example, requiring MFA only when the risk score is above a threshold, or automatically denying actions that score critically high.

This page explains how risk scores are calculated, what each signal measures, how to configure risk assessment jobs, and how to use risk scores in policies.

How Risk Scoring Works

When a privilege elevation or file access request is evaluated, the risk assessment system calculates a composite risk score (0.0–10.0) from four independent signals:

Signal                    Default weight   What it measures
File (Application) Risk   40%              Whether the file being executed is known, signed, and clean according to threat intelligence
Location Risk             30%              Whether the file is executing from a high-risk path (user-writable) or a low-risk path (system directory)
User Risk                 15%              Whether the requesting user is a standard user or has administrative privileges
Machine Risk              15%              Whether the machine has active antivirus software installed

The composite score is calculated as a weighted average:

Composite = (File × 0.40) + (Location × 0.30) + (User × 0.15) + (Machine × 0.15)

Score interpretation:

Score range   Risk level   Typical policy response
0.0 – 3.0     Low          Allow
3.1 – 6.0     Medium       Require justification or MFA
6.1 – 8.0     High         Require approval
8.1 – 10.0    Very High    Deny

These thresholds are defaults; you configure the exact thresholds and responses in your policy. Because the composite is a weighted average of decimal signal scores, it can land between the bands listed above (3.05, for example), so express each policy threshold as a single comparison (at or above, or at or below, a chosen value) rather than relying on the band edges.

Risk Signal Details

File risk examines the binary being executed. For signed executables from known publishers, the score is typically low (1.0–2.0). For unsigned executables, unsigned scripts, or files that return a threat verdict from an integrated threat intelligence vendor, the score rises toward 8.0–10.0. If no threat intelligence vendor is configured, file risk is based on code signature validation alone.

Location risk evaluates where the file lives on the filesystem. Files in system directories (C:\Windows\System32, /usr/bin, /Applications) receive a low score. Files executing from user-writable locations — the user's Downloads folder, Temp directory, or Desktop — receive a high score regardless of what the file is. This signal catches the most common malware delivery pattern (user downloads and runs an executable) without requiring any threat intelligence integration.

Location risk is configured via path mappings in the location-risk-assessment.json job file. The default mapping covers the most common risk locations on Windows, macOS, and Linux.

User risk is binary in the default configuration: standard users receive a low score (1.0) and administrative users receive a higher score (7.0) because an admin elevating further is a higher-risk event than a standard user requesting their first elevation. The scores are configurable.

Machine risk checks whether antivirus software is installed and running on the machine. A machine with active AV receives a low score (1.0); a machine with no detectable AV receives a high score (8.0). If the check is inconclusive, a medium score (5.0) is used. Detection uses process inspection, package manager checks, and service enumeration; it does not require integration with specific AV products.

Risk Assessment Job Files

Risk assessment is implemented as a set of job definitions (JSON files) in the Jobs/ directory. The following job files are present in a standard KEPM installation:

Job file                           Purpose
file-risk-assessment.json          Evaluates file integrity and threat intelligence
location-risk-assessment.json      Maps file paths to risk levels
user-risk-assessment.json          Evaluates user privilege level
machine-risk-assessment.json       Checks for active antivirus
composite-risk-evaluation.json     Orchestrates all four signals and calculates the composite score

Configuring Location Risk Mappings

The location risk job maps path patterns to risk scores. The default configuration covers standard system and user paths on all platforms. To add or modify a location mapping, edit Jobs/location-risk-assessment.json:

json

Path values support path variables. User-specific paths (like {downloads}) automatically expand to match any user's folder — you do not need a separate entry per user. The defaultRiskScore applies when a file path doesn't match any configured mapping.
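The following is an added example, not Keeper's job code, of the matching logic a location mapping implies: path variables that expand to any user's folder on Windows, macOS and Linux, a default score when nothing matches, longest-match precedence so that a specific entry (a Temp folder under C:\Windows) overrides the broad one (C:\Windows), and path canonicalisation so that mixed separators, letter case and ".." segments cannot steer a file into a low-risk mapping. The JSON key names (mappings, pattern, riskScore) and the variable expansions are assumptions for this example; only defaultRiskScore and {downloads} appear on this page.

```python
from __future__ import annotations

import posixpath
import re
from typing import Optional

# Constructed sample in the spirit of location-risk-assessment.json. The key
# names (mappings, pattern, riskScore) are assumed for this example; only
# defaultRiskScore and the {downloads} variable are documented on the page.
SAMPLE_CONFIG = {
    "defaultRiskScore": 5.0,
    "mappings": [
        {"pattern": "C:\\Windows", "riskScore": 1.0},
        {"pattern": "C:\\Windows\\System32", "riskScore": 1.0},
        {"pattern": "/usr/bin", "riskScore": 1.0},
        {"pattern": "/Applications", "riskScore": 1.0},
        {"pattern": "{downloads}", "riskScore": 9.0},
        {"pattern": "{desktop}", "riskScore": 8.0},
        {"pattern": "{temp}", "riskScore": 9.0},
    ],
}

# A path variable expands to regexes that match the folder of ANY user on each
# platform, so one entry covers every account on the machine (assumed expansions).
_ANY_USER = r"[^/]+"
PATH_VARIABLES = {
    "{downloads}": [rf"c:/users/{_ANY_USER}/downloads",
                    rf"/users/{_ANY_USER}/downloads",
                    rf"/home/{_ANY_USER}/downloads"],
    "{desktop}": [rf"c:/users/{_ANY_USER}/desktop",
                  rf"/users/{_ANY_USER}/desktop",
                  rf"/home/{_ANY_USER}/desktop"],
    "{temp}": [rf"c:/users/{_ANY_USER}/appdata/local/temp",
               r"c:/windows/temp", r"/tmp", r"/private/tmp"],
}


def normalize(path: str) -> str:
    """Canonicalise a path before matching.

    Separators are unified, "." and ".." segments are collapsed so a traversal
    segment cannot disguise the real directory, and the result is lower-cased
    (Windows and default macOS volumes are case-insensitive; on Linux this
    over-matches, which errs toward the higher score).
    """
    return posixpath.normpath(path.replace("\\", "/")).lower()


def compile_pattern(pattern: str) -> list[re.Pattern]:
    variants = PATH_VARIABLES.get(pattern.lower())
    if variants is None:
        variants = [re.escape(normalize(pattern))]
    # A mapping covers the directory and everything beneath it, but not a
    # sibling that merely shares the prefix ("Downloads" must not match "DownloadsX").
    return [re.compile(rf"^(?:{v})(?:/|$)") for v in variants]


def location_risk(path: str, config: dict = SAMPLE_CONFIG) -> float:
    """Return the risk score of the most specific (longest) matching mapping,
    or defaultRiskScore when no mapping matches."""
    p = normalize(path)
    best: Optional[tuple[int, float]] = None
    for entry in config["mappings"]:
        for rx in compile_pattern(entry["pattern"]):
            m = rx.match(p)
            if m and (best is None or m.end() > best[0]):
                best = (m.end(), float(entry["riskScore"]))
    return best[1] if best else float(config["defaultRiskScore"])


if __name__ == "__main__":
    for sample in (r"C:\Users\alice\Downloads\setup.exe",
                   r"C:\Windows\System32\cmd.exe",
                   r"C:\Windows\System32\..\Temp\evil.exe",
                   "/opt/vendor/tool"):
        print(f"{sample:45} -> {location_risk(sample)}")
```

The traversal case is the one to keep in mind when you write your own mappings: without canonicalisation, C:\Windows\System32\..\Temp\evil.exe starts with the System32 prefix and would score as a system binary. Matching on the longest canonical prefix also means you can keep a broad low-risk entry for C:\Windows and still score its writable Temp subfolder as high risk.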

Configuring Score Weights

To change the weighting of each signal, edit the composite-risk-evaluation.json job file:

json

Weights must sum to 1.0 — the system normalizes them automatically if they don't, but explicit correct values are clearer. Changes take effect after the service reloads the job configuration.

Using Risk Scores in Policies

Policies can reference risk scores in two ways:

RiskLevel filter — A policy with a RiskLevel filter only matches requests where the risk score meets or exceeds the configured level. This lets you apply different controls to the same application depending on how risky the request appears:

json

This policy applies only when the composite risk score is 6.0 or higher, requiring approval for high-risk actions while leaving lower-risk actions governed by other policies.

TargetRiskScore custom filter — A policy with a TargetRiskScore in its extension triggers the full composite risk evaluation pipeline at policy evaluation time and passes only if the composite score is at or below the target. This is useful for allow policies that should only fire for genuinely low-risk requests:

json

This policy allows the action automatically, but only when all four risk signals combine to a composite score of 3.0 or below.
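As an added example (not Keeper's code), the arithmetic behind the Configuring Score Weights section and the two policy filters above: weights are normalised to sum to 1.0, the composite is the weighted average from the formula earlier on this page, the score is mapped to the default bands, and the RiskLevel (at or above) and TargetRiskScore (at or below) comparisons are applied. The example also fails closed on a missing signal rather than counting it as 0.0, and returns a record shaped like the fields the page lists for the AgentRiskScoreComputed event; the record layout and the band treatment of in-between values such as 3.05 are assumptions for this example.

```python
from __future__ import annotations

# Default weights and score bands from this page. Band upper bounds are treated
# as inclusive (an assumption), so a weighted average such as 3.05 lands in
# Medium rather than falling between the 0.0–3.0 and 3.1–6.0 ranges.
DEFAULT_WEIGHTS = {"file": 0.40, "location": 0.30, "user": 0.15, "machine": 0.15}
BANDS = [(3.0, "Low"), (6.0, "Medium"), (8.0, "High"), (10.0, "Very High")]


def normalize_weights(weights: dict[str, float]) -> dict[str, float]:
    """Scale weights so they sum to 1.0 (the page says the service does this)."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative with a positive sum")
    return {name: w / total for name, w in weights.items()}


def composite_score(signals: dict[str, float],
                    weights: dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Composite = (File x wF) + (Location x wL) + (User x wU) + (Machine x wM)."""
    w = normalize_weights(weights)
    missing = set(w) - set(signals)
    if missing:
        # Fail closed: a signal that never reported must not silently count as 0.0 (low risk).
        raise ValueError(f"missing risk signals: {sorted(missing)}")
    for name in w:
        if not 0.0 <= signals[name] <= 10.0:
            raise ValueError(f"signal {name} out of range: {signals[name]}")
    return round(sum(signals[name] * w[name] for name in w), 2)


def risk_level(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def risk_level_filter_matches(score: float, level: float) -> bool:
    """RiskLevel filter: the policy matches when the score meets or exceeds the level."""
    return score >= level


def target_risk_score_passes(score: float, target: float) -> bool:
    """TargetRiskScore filter: passes only when the score is at or below the target."""
    return score <= target


def evaluate(signals: dict[str, float],
             weights: dict[str, float] = DEFAULT_WEIGHTS,
             target: float | None = None) -> dict:
    """Record with the fields the page lists for AgentRiskScoreComputed (layout assumed)."""
    w = normalize_weights(weights)
    score = composite_score(signals, weights)
    return {
        "composite": score,
        "signals": {name: {"score": signals[name],
                           "weight": w[name],
                           "contribution": round(signals[name] * w[name], 2)}
                    for name in w},
        "level": risk_level(score),
        "passed": None if target is None else target_risk_score_passes(score, target),
    }


if __name__ == "__main__":
    # Constructed request: unsigned binary launched from a user's Downloads folder
    # by a standard user on a machine with AV running.
    request = {"file": 8.0, "location": 9.0, "user": 1.0, "machine": 1.0}
    print(evaluate(request, target=3.0))
```

For that constructed request the composite is 3.2 + 2.7 + 0.15 + 0.15 = 6.2 (High): a RiskLevel filter set to 6.0 matches it, and a TargetRiskScore of 3.0 does not pass, so the approval policy rather than the automatic-allow policy governs the action. Writing the weights as 4, 3, 1.5, 1.5 produces the same 6.2 after normalisation, which is why the page recommends values that already sum to 1.0: the result is the same, but the intent is visible at a glance.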

Integrating Threat Intelligence Vendors

File risk assessment supports optional integration with external threat intelligence APIs. When a vendor is configured, KEPM submits file hashes to the vendor API and incorporates the threat verdict into the file risk score.

Supported integrations: ReversingLabs, VirusTotal

Vendor integration is configured in Jobs/file-risk-assessment.json. Contact Keeper for configuration details and API credential requirements.

Risk Scores in the Audit Log

Every composite risk evaluation generates an audit event containing the composite score and the contribution of each signal. These events can be filtered in the Admin Console event log by searching for AgentRiskScoreComputed. The event record includes:

  • Composite score

  • Per-signal scores and weights

  • Risk level band (Low / Medium / High / Very High)

  • Whether the evaluation passed or failed the policy's target threshold
