Q1
A financial services firm is deploying CyberArk EPM to achieve PCI DSS compliance. A key requirement is to control and audit the use of command-line tools like `regedit.exe` and `cmd.exe` on servers handling cardholder data. The security team wants to allow specific administrators to use these tools but require a documented business justification for each use. Which EPM policy configuration is the most effective and compliant approach?
Q2
A pharmaceutical company is using EPM to manage local administrator rights. The security policy dictates that the built-in local Administrator account (SID S-1-5-....-500) must be disabled and its password vaulted, but a specific domain group, 'PharmaLab Admins', must be retained in the local Administrators group on lab workstations. When configuring the 'Remove Local Administrators' policy, which action should be taken?
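The policy in the question above describes an end state (built-in Administrator disabled and vaulted, one domain group retained, nothing else in the local Administrators group). The following PowerShell snippet is an added verification check, not code from the original page or from CyberArk; it identifies the built-in account by its RID 500 rather than by name (the account is often renamed) and reports anything that deviates from that end state. The domain prefix `PHARMA\` is a placeholder assumption; `PharmaLab Admins` is the group named in the question.

```powershell
# Added example: verify the local Administrators state the Q2 policy is meant to produce.
# Not CyberArk code. 'PHARMA' is a placeholder domain NetBIOS name.
param([string]$RequiredGroup = 'PHARMA\PharmaLab Admins')

# The built-in Administrator is the account whose SID ends in -500 (RID 500).
# Match on the RID, not the name, because the account may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if (-not $builtin) { throw 'No RID-500 account found; cannot evaluate built-in Administrator state.' }

[pscustomobject]@{
    BuiltinAdminName    = $builtin.Name
    BuiltinAdminEnabled = $builtin.Enabled
}

$members = Get-LocalGroupMember -Group 'Administrators'
$names   = $members | ForEach-Object { $_.Name }

$issues = @()

# 1. Built-in Administrator must be disabled (its password is handled by the vault, not checked here).
if ($builtin.Enabled) {
    $issues += "Built-in Administrator ('$($builtin.Name)') is still enabled."
}

# 2. The retained domain group must still be a member.
if ($names -notcontains $RequiredGroup) {
    $issues += "'$RequiredGroup' is missing from the local Administrators group."
}

# 3. Nothing else should remain: ignore the RID-500 account (disabled but still a member)
#    and the required group, report every other principal.
$extra = $members | Where-Object {
    $_.Name -ne $RequiredGroup -and $_.SID.Value -notlike '*-500'
}
foreach ($m in $extra) {
    $issues += "Unexpected member of Administrators: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'Local Administrators group matches the policy intent.'
}
```

Run it on a lab workstation after the EPM policy has applied; the three checks map to the three parts of the stated requirement, so a warning tells you which part the policy action did not achieve.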
Q3 (Multiple answers)
During an EPM agent deployment to a set of isolated, air-gapped industrial control systems (ICS), a consultant discovers the endpoints have no network connectivity to the EPM server. A technician on-site needs to run a specific diagnostics tool that requires elevation, but no pre-existing policies on the agent allow this. Which EPM feature is designed for this specific scenario? (Select TWO)
Q4
True or False: When an EPM policy is configured to elevate an application using the 'Run with administrative privileges' action, the application's child processes will also be elevated by default.
Q5
A university is using EPM to manage student lab computers. They want to prevent students from installing unauthorized software. The IT team has created a 'Trusted Sources' policy to allow installations only from the university's software portal and network shares. A student attempts to install a legitimate, digitally signed application downloaded from the vendor's official website, but the installation is blocked. What is the most likely reason for this block?
Q6
An EPM administrator is analyzing event data and notices that a large number of 'Privilege Threat' events are being generated by a custom in-house application that performs memory scraping as part of its normal function. This is causing a high volume of false positives. What is the recommended approach to suppress these specific events without disabling threat protection for other applications?
Q7
A system administrator needs to define a flexible Application Group that includes all executables within any subfolder of `C:\Program Files\VendorTools\`. The folder structure under `VendorTools` changes frequently as new versions are released. Which parameter type should be used to define the application path to ensure all current and future tools are included?
Q8 (Multiple answers)
A global retailer is deploying EPM to thousands of Point-of-Sale (POS) terminals across different geographical regions with varying network latency. To optimize performance and reduce load on the central EPM server, the administrator needs to control how frequently agents check in for policy updates and send collected events. Which TWO settings in the Agent Configuration are most relevant for this task?
Q9
**Case Study**

A manufacturing company, 'RoboCorp', is implementing CyberArk EPM to secure its factory floor workstations, which run critical production software. The environment is strictly controlled, and any downtime is extremely costly. The CISO has mandated a Zero Trust, least-privilege model.

**Current Situation:** Factory operators currently run as local administrators to use legacy machine control software ('ControlApp.exe'), which requires elevated rights to interact with hardware drivers. The software is old, unsigned, and its publisher is unknown. The IT team has deployed EPM agents in 'Detect' mode and has collected data for one week.

**Requirements:**

1. Remove all operator accounts from the local Administrators group.
2. Allow 'ControlApp.exe' to run with the necessary elevated privileges without prompting the operator.
3. Prevent any other unauthorized applications from running.
4. Ensure the solution is highly resilient and continues to function even if the EPM server is temporarily unreachable.

Which EPM policy configuration best meets all of RoboCorp's requirements?
Q10
An administrator is troubleshooting an EPM policy that is supposed to elevate `setup.exe` for a specific application. The policy uses the application's digital signature for identification. However, when a user tries to run the installer, it is not elevated. The administrator verifies the policy is active and applied to the correct computer set. The following flowchart represents the EPM agent's policy evaluation logic. Based on the diagram, what is the MOST likely cause of the failure?

```mermaid
flowchart TD
    A[User launches setup.exe] --> B{Is application in policy?};
    B -->|No| C[Apply Default Policy];
    B -->|Yes| D{Does signature match?};
    D -->|No| E[Block/Detect as per policy];
    D -->|Yes| F{Is user/computer in scope?};
    F -->|No| G[Ignore Policy Match];
    F -->|Yes| H[Elevate Application];
```
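Because the policy in the question above identifies the installer by its digital signature, the practical check is to look at what `setup.exe` is actually signed with before touching the policy. The snippet below is an added example, not code from the original page or from CyberArk: it reads the Authenticode signature with the standard `Get-AuthenticodeSignature` cmdlet and reports which branch of the flowchart the file would take on the signature check. The installer path and the expected publisher subject are placeholder assumptions; how EPM compares the signer (subject versus certificate thumbprint, and whether the chain must validate) is not stated on the page, so both values are printed for comparison against the policy.

```powershell
# Added example: map setup.exe's real signature onto the flowchart's "Does signature match?" branch.
# Not CyberArk code. Both parameter defaults are placeholders.
param(
    [string]$InstallerPath   = 'C:\Temp\setup.exe',
    [string]$ExpectedSubject = 'CN=Example Vendor Inc, O=Example Vendor Inc, C=US'
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

switch ($sig.Status) {
    'NotSigned' {
        # Branch D -> No: an unsigned file can never satisfy a signature-based rule.
        Write-Output "$InstallerPath is not signed; a signature-based policy cannot match it."
    }
    'Valid' {
        $cert = $sig.SignerCertificate
        Write-Output "Signer subject    : $($cert.Subject)"
        Write-Output "Signer thumbprint : $($cert.Thumbprint)"
        Write-Output "Valid until       : $($cert.NotAfter)"
        if ($cert.Subject -eq $ExpectedSubject) {
            # Branch D -> Yes: the signer is what the policy expects, so the remaining
            # decision in the flowchart is scope (branch F), not identification.
            Write-Output 'Signer matches the policy; check user/computer scope (branch F) next.'
        } else {
            # Branch D -> No: a different signing certificate (for example a renewed or
            # re-issued vendor certificate) will not match a rule built from the old one.
            Write-Output "Signer does not match the policy's expected subject: '$ExpectedSubject'."
        }
    }
    default {
        # HashMismatch (file altered after signing), UnknownError (chain not trusted on
        # this host) and similar statuses also land on the "No" branch.
        Write-Output "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        Write-Output 'Treat this as a non-matching signature until the status is Valid.'
    }
}
```

A status other than `Valid`, or a subject or thumbprint that differs from what the rule was built from, points at the signature branch of the diagram; only once the signer really matches does it make sense to re-examine the policy's user and computer scope.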