# Risk Assessment Administration

EPM includes a multi-signal risk assessment system that assigns a numeric risk score to actions before policy controls are applied. Policies can use risk scores as an additional condition — for example, requiring MFA only when the risk score is above a threshold, or automatically denying actions that score critically high.

This page explains how risk scores are calculated, what each signal measures, how to configure risk assessment jobs, and how to use risk scores in policies.

## How Risk Scoring Works

When a privilege elevation or file access request is evaluated, the risk assessment system calculates a composite risk score (0.0–10.0) from four independent signals:

| Signal | Default weight | What it measures |
|---|---|---|
| **File (Application) Risk** | 40% | Whether the file being executed is known, signed, and clean according to threat intelligence |
| **Location Risk** | 30% | Whether the file is executing from a high-risk path (user writable) vs. a low-risk path (system directory) |
| **User Risk** | 15% | Whether the requesting user is a standard user or has administrative privileges |
| **Machine Risk** | 15% | Whether the machine has active antivirus software installed |

The composite score is calculated as a weighted average:

```
Composite = (File × 0.40) + (Location × 0.30) + (User × 0.15) + (Machine × 0.15)
```

### Score interpretation

| Score range | Risk level | Typical policy response |
|---|---|---|
| 0.0 – 3.0 | Low | Allow |
| 3.1 – 6.0 | Medium | Require justification or MFA |
| 6.1 – 8.0 | High | Require approval |
| 8.1 – 10.0 | Very High | Deny |

These thresholds are defaults — you configure the exact thresholds and responses in your policy.

## Risk Signal Details

**File risk** examines the binary being executed. For signed executables from known publishers, the score is typically low (1.0–2.0). For unsigned executables, unsigned scripts, or files that return a threat verdict from an integrated threat intelligence vendor, the score rises toward 8.0–10.0. If no threat intelligence vendor is configured, file risk is based on code signature validation alone.

**Location risk** evaluates where the file lives on the filesystem. Files in system directories (`C:\Windows\System32`, `/usr/bin`, `/Applications`) receive a low score. Files executing from user-writable locations — the user's Downloads folder, Temp directory, or Desktop — receive a high score regardless of what the file is. This signal catches the most common malware delivery pattern (user downloads and runs an executable) without requiring any threat intelligence integration.

Location risk is configured via path mappings in the `location-risk-assessment.json` job file. The default mapping covers the most common risk locations on Windows, macOS, and Linux.

**User risk** is binary in the default configuration: standard users receive a low score (1.0) and administrative users receive a higher score (7.0) because an admin elevating further is a higher-risk event than a standard user requesting their first elevation. The scores are configurable.

**Machine risk** checks whether antivirus software is present on the machine. A machine with active AV receives a low score (1.0); a machine with no detectable AV receives a high score (8.0). If the check is inconclusive, a medium score (5.0) is used. Detection uses process inspection, package manager checks, and service enumeration — it does not require integration with specific AV products.

## Risk Assessment Job Files

Risk assessment is implemented as a set of job executables in the `Jobs/` directory. The following job files are present in a standard KEPM installation:

| Job file | Purpose |
|---|---|
| `file-risk-assessment.json` | Evaluates file integrity and threat intelligence |
| `location-risk-assessment.json` | Maps file paths to risk levels |
| `user-risk-assessment.json` | Evaluates user privilege level |
| `machine-risk-assessment.json` | Checks for active antivirus |
| `composite-risk-evaluation.json` | Orchestrates all four signals and calculates the composite score |

## Configuring Location Risk Mappings

The location risk job maps path patterns to risk scores. The default configuration covers standard system and user paths on all platforms. To add or modify a location mapping, edit `Jobs/location-risk-assessment.json`:

```json
{
  "id": "location-risk-assessment",
  "settings": {
    "locationMappings": [
      { "path": "{downloads}", "riskScore": 8.0, "locationType": "UserDownloads" },
      { "path": "{temp}",      "riskScore": 8.0, "locationType": "TempDirectory" },
      { "path": "{desktop}",   "riskScore": 7.0, "locationType": "UserDesktop" },
      { "path": "{system32}",  "riskScore": 1.0, "locationType": "SystemDirectory" },
      { "path": "{windows}",   "riskScore": 1.0, "locationType": "SystemDirectory" }
    ],
    "defaultRiskScore": 5.0
  }
}
```

Path values support [path variables](/keeperpam/endpoint-privilege-manager/policies/path-variables.md). User-specific paths (like `{downloads}`) automatically expand to match any user's folder — you do not need a separate entry per user. The `defaultRiskScore` applies when a file path doesn't match any configured mapping.
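The matching behaviour described in this section, as an added example that is not part of the product or this page: it parses the default `location-risk-assessment.json` shown above, expands the path variables with assumed Windows patterns (the product's real expansions live on the path-variables page; the regexes here are illustrative), picks the most specific matching mapping, and falls back to `defaultRiskScore` for unmapped paths. It also normalizes the path before matching so that `..` segments or forward slashes cannot make a user-writable location look like it sits under a low-risk system prefix.

```python
import json
import ntpath
import re

# The default mapping from this page (Jobs/location-risk-assessment.json).
LOCATION_JOB = """
{
  "id": "location-risk-assessment",
  "settings": {
    "locationMappings": [
      { "path": "{downloads}", "riskScore": 8.0, "locationType": "UserDownloads" },
      { "path": "{temp}",      "riskScore": 8.0, "locationType": "TempDirectory" },
      { "path": "{desktop}",   "riskScore": 7.0, "locationType": "UserDesktop" },
      { "path": "{system32}",  "riskScore": 1.0, "locationType": "SystemDirectory" },
      { "path": "{windows}",   "riskScore": 1.0, "locationType": "SystemDirectory" }
    ],
    "defaultRiskScore": 5.0
  }
}
"""

# ASSUMPTION: illustrative Windows expansions for the path variables used above.
# The product defines its own expansions; these regexes exist so the example runs
# offline. "[^\\]+" stands for any user's profile folder, which is what lets one
# entry cover every user.
PATH_VARIABLES = {
    "{downloads}": r"C:\\Users\\[^\\]+\\Downloads",
    "{temp}": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "{desktop}": r"C:\\Users\\[^\\]+\\Desktop",
    "{system32}": r"C:\\Windows\\System32",
    "{windows}": r"C:\\Windows",
}


def compile_mappings(job_json: str):
    """Turn locationMappings into anchored, case-insensitive regexes."""
    settings = json.loads(job_json)["settings"]
    compiled = []
    for mapping in settings["locationMappings"]:
        prefix = PATH_VARIABLES.get(mapping["path"])
        if prefix is None:
            # Literal path in the job file: escape it so regex metacharacters are inert.
            prefix = re.escape(mapping["path"])
        # Require a separator or end-of-string after the prefix so that
        # C:\Windows does not also claim C:\WindowsOld\... as a plain prefix would.
        regex = re.compile(r"^" + prefix + r"(\\|$)", re.IGNORECASE)
        compiled.append((regex, float(mapping["riskScore"]), mapping["locationType"]))
    return compiled, float(settings["defaultRiskScore"])


def location_risk(path: str, compiled, default_score: float):
    """Return (riskScore, locationType) for a path, or the default if unmapped."""
    # Normalize first: ".." segments and "/" separators are collapsed so a path
    # under a user-writable folder cannot be dressed up as a system directory.
    normalized = ntpath.normpath(path)
    best = None
    for regex, score, loc_type in compiled:
        m = regex.match(normalized)
        # Prefer the longest matching prefix, i.e. the most specific mapping.
        if m and (best is None or m.end() > best[0]):
            best = (m.end(), score, loc_type)
    if best is None:
        return default_score, "Unmapped"
    return best[1], best[2]


def classify(path: str, job_json: str = LOCATION_JOB):
    """Convenience wrapper: compile the job file and classify one path."""
    compiled, default = compile_mappings(job_json)
    return location_risk(path, compiled, default)


if __name__ == "__main__":
    # Constructed sample paths.
    for sample in [
        r"C:\Users\alice\Downloads\setup.exe",
        r"C:\Windows\System32\cmd.exe",
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Windows\..\Users\bob\Downloads\x.exe",
    ]:
        print(sample, "->", classify(sample))
```

The last sample path is the case worth noticing: without `ntpath.normpath`, the `{windows}` entry would match the literal `C:\Windows\..` prefix and score the file 1.0, although it actually lives in a Downloads folder.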

## Configuring Score Weights

To change the weighting of each signal, edit the `composite-risk-evaluation.json` job file:

```json
{
  "id": "composite-risk-evaluation",
  "settings": {
    "riskScoreWeights": {
      "applicationWeight": 0.40,
      "locationWeight":    0.30,
      "userWeight":        0.15,
      "machineWeight":     0.15
    }
  }
}
```

Weights should sum to 1.0. The system normalizes them automatically if they don't, but explicit values that already sum to 1.0 are clearer. Changes take effect after the service reloads the job configuration.
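The weighted-average formula from "How Risk Scoring Works", the per-signal values from "Risk Signal Details", and the weight normalization described just above, carried through as an added example (not the product's own code): it reads `riskScoreWeights` from the `composite-risk-evaluation.json` shown on this page, normalizes them if they do not sum to 1.0, computes the composite score, and maps it onto the default interpretation bands. The scenarios at the bottom are constructed from the documented signal values (signed file 1.5, unsigned file 8.0, Downloads 8.0, System32 1.0, standard user 1.0, admin 7.0, AV present 1.0, no AV 8.0).

```python
import json

# Default weights as shown in composite-risk-evaluation.json on this page.
DEFAULT_COMPOSITE_JOB = """
{
  "id": "composite-risk-evaluation",
  "settings": {
    "riskScoreWeights": {
      "applicationWeight": 0.40,
      "locationWeight":    0.30,
      "userWeight":        0.15,
      "machineWeight":     0.15
    }
  }
}
"""

# Default interpretation bands from the "Score interpretation" table:
# (inclusive upper bound, label).
BANDS = [(3.0, "Low"), (6.0, "Medium"), (8.0, "High"), (10.0, "Very High")]

# Maps the signal names used below to the weight keys in the job file.
SIGNAL_TO_WEIGHT = {
    "file": "applicationWeight",
    "location": "locationWeight",
    "user": "userWeight",
    "machine": "machineWeight",
}


def load_weights(job_json: str) -> dict:
    """Read riskScoreWeights from a job file and normalize them to sum to 1.0.

    The page says the service normalizes weights that don't sum to 1.0; doing the
    same here keeps the composite inside 0.0-10.0 even for a misconfigured file.
    """
    weights = json.loads(job_json)["settings"]["riskScoreWeights"]
    missing = set(SIGNAL_TO_WEIGHT.values()) - set(weights)
    if missing:
        raise ValueError(f"riskScoreWeights missing keys: {sorted(missing)}")
    total = sum(weights[k] for k in SIGNAL_TO_WEIGHT.values())
    if total <= 0:
        raise ValueError("riskScoreWeights must sum to a positive value")
    return {k: weights[k] / total for k in SIGNAL_TO_WEIGHT.values()}


def composite_score(signals: dict, weights: dict) -> float:
    """Composite = (File x w_app) + (Location x w_loc) + (User x w_user) + (Machine x w_machine)."""
    score = 0.0
    for signal, weight_key in SIGNAL_TO_WEIGHT.items():
        value = signals[signal]
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"signal {signal!r} out of range 0.0-10.0: {value}")
        score += value * weights[weight_key]
    return round(score, 2)


def risk_band(score: float) -> str:
    """Map a composite score onto the default Low/Medium/High/Very High bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(signals: dict, job_json: str = DEFAULT_COMPOSITE_JOB) -> tuple:
    """Return (composite, band) for one request's four signal scores."""
    score = composite_score(signals, load_weights(job_json))
    return score, risk_band(score)


if __name__ == "__main__":
    # Constructed scenarios using the signal values documented on this page.
    scenarios = {
        "signed binary, System32, standard user, AV present":
            {"file": 1.5, "location": 1.0, "user": 1.0, "machine": 1.0},
        "signed binary, Downloads, standard user, AV present":
            {"file": 1.5, "location": 8.0, "user": 1.0, "machine": 1.0},
        "unsigned binary, Downloads, admin, no AV":
            {"file": 8.0, "location": 8.0, "user": 7.0, "machine": 8.0},
        "threat-intel verdict, Downloads, admin, no AV":
            {"file": 10.0, "location": 8.0, "user": 7.0, "machine": 8.0},
    }
    for label, signals in scenarios.items():
        print(f"{label}: {assess(signals)}")
```

The second scenario is the one the location signal is designed for: a signed, otherwise clean binary run from Downloads by a standard user still lands in the Medium band (3.3) on location alone, so a policy with a justification or MFA control would catch it.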

## Using Risk Scores in Policies

Policies can reference risk scores in two ways:

**RiskLevel filter** — A policy with a `RiskLevel` filter only matches requests where the risk score meets or exceeds the configured level. This lets you apply different controls to the same application depending on how risky the request appears:

```json
{
  "Extension": {
    "RiskLevel": 6.0
  },
  "Actions": {
    "OnSuccess": {
      "Controls": ["APPROVAL"]
    }
  }
}
```

This policy applies only when the composite risk score is 6.0 or higher, requiring approval for high-risk actions while leaving lower-risk actions governed by other policies.

**TargetRiskScore custom filter** — A policy with a `TargetRiskScore` in its extension triggers the full composite risk evaluation pipeline at policy evaluation time and passes only if the composite score is at or below the target. This is useful for allow policies that should only fire for genuinely low-risk requests:

```json
{
  "Extension": {
    "TargetRiskScore": 3.0
  },
  "Actions": {
    "OnSuccess": {
      "Controls": ["ALLOW"]
    }
  }
}
```

This policy allows the action automatically, but only when all four risk signals combine to a composite score of 3.0 or below.

## Integrating Threat Intelligence Vendors

File risk assessment supports optional integration with external threat intelligence APIs. When a vendor is configured, KEPM submits file hashes to the vendor API and incorporates the threat verdict into the file risk score.

Supported integrations: **ReversingLabs**, **VirusTotal**

Vendor integration is configured in `Jobs/file-risk-assessment.json`. Contact Keeper for configuration details and API credential requirements.

## Risk Scores in the Audit Log

Every composite risk evaluation generates an audit event containing the composite score and the contribution of each signal. These events can be filtered in the Admin Console event log by searching for `AgentRiskScoreComputed`. The event record includes:

* Composite score
* Per-signal scores and weights
* Risk level band (Low / Medium / High / Very High)
* Whether the evaluation passed or failed the policy's target threshold
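The two policy filters from "Using Risk Scores in Policies" and the audit fields listed above, as an added example that is neither the product's policy engine nor its event schema: `policy_matches` applies the opposite-direction comparisons the section describes (`RiskLevel` matches at or above the level, `TargetRiskScore` at or below the target) to the two policy fragments shown on this page, and `audit_record` builds a record carrying the fields the audit section lists. The record's key names are constructed for illustration; only the event name `AgentRiskScoreComputed` comes from the page.

```python
import json

# The two policy fragments shown on this page.
RISK_LEVEL_POLICY = json.loads("""
{ "Extension": { "RiskLevel": 6.0 },
  "Actions": { "OnSuccess": { "Controls": ["APPROVAL"] } } }
""")
TARGET_SCORE_POLICY = json.loads("""
{ "Extension": { "TargetRiskScore": 3.0 },
  "Actions": { "OnSuccess": { "Controls": ["ALLOW"] } } }
""")

# Default interpretation bands: (inclusive upper bound, label).
BANDS = [(3.0, "Low"), (6.0, "Medium"), (8.0, "High"), (10.0, "Very High")]


def risk_band(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def policy_matches(policy: dict, composite: float) -> bool:
    """RiskLevel matches when composite >= level; TargetRiskScore when composite <= target.

    The comparisons run in opposite directions: RiskLevel adds controls to risky
    requests, while TargetRiskScore restricts an allow policy to low-risk ones.
    """
    ext = policy.get("Extension", {})
    if "RiskLevel" in ext and composite < float(ext["RiskLevel"]):
        return False
    if "TargetRiskScore" in ext and composite > float(ext["TargetRiskScore"]):
        return False
    return True


def matching_controls(policies, composite: float) -> list:
    """Controls from every policy whose risk filter accepts this composite score."""
    controls = []
    for policy in policies:
        if policy_matches(policy, composite):
            controls.extend(policy["Actions"]["OnSuccess"]["Controls"])
    return controls


def audit_record(composite: float, signals: dict, weights: dict, policy: dict) -> dict:
    """Build a record with the fields the audit-log section lists.

    ASSUMPTION: the key names below are constructed for this example; the
    product's own AgentRiskScoreComputed schema is not shown on the page.
    """
    target = policy.get("Extension", {}).get("TargetRiskScore")
    return {
        "event": "AgentRiskScoreComputed",
        "compositeScore": composite,
        "signals": {name: {"score": signals[name], "weight": weights[name]} for name in signals},
        "riskLevel": risk_band(composite),
        "targetRiskScore": target,
        # None when the policy has no target threshold to pass or fail.
        "passedTarget": None if target is None else composite <= float(target),
    }


if __name__ == "__main__":
    policies = [RISK_LEVEL_POLICY, TARGET_SCORE_POLICY]
    # Constructed composite scores and per-signal breakdown.
    signals = {"file": 8.0, "location": 8.0, "user": 7.0, "machine": 8.0}
    weights = {"file": 0.40, "location": 0.30, "user": 0.15, "machine": 0.15}
    for composite in (1.2, 3.3, 7.85):
        print(composite, risk_band(composite), matching_controls(policies, composite))
    print(json.dumps(audit_record(7.85, signals, weights, TARGET_SCORE_POLICY), indent=2))
```

A composite of 3.3 matches neither fragment: it is above the allow policy's target and below the approval policy's level, which is the "governed by other policies" gap the section mentions and the reason the audit record's pass/fail field is worth checking when a request is unexpectedly handled by a fallback policy.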
