Skip to content

Endpoint agent

Does Coro endpoint agent require an internet connection at all times?

Coro Endpoint Protection agent is fully autonomous and does not require connectivity for its operation. Occasional networking is needed to report findings to Coro servers, as well as to get updated on any changes to device posture policy and threats database.

How much disk space is required by the Coro endpoint agent?

Approximately 1.5GB, of which over 1.2GB is devoted to the security knowledge base, which allows the client to operate autonomously.

How much memory does the Coro endpoint agent consume?

The amount of memory consumed under normal conditions is approximately 400MB. During scanning, memory usage is determined by the size of the files to be scanned.

What is Tamper Protection?

Coro agent Tamper Protection prevents malicious software from terminating or interfering with the Coro agent, thereby disabling protection. Tamper Protection settings can be found in the Coro Console by navigating to Control Panel > Devices > Settings.

Tamper protection

Can I run Windows Defender alongside Coro?

Windows Defender is not required when using Coro. If Windows Defender is running alongside Coro, the Enhanced EDR Block Mode option in the Coro Console under Devices > Settings must be selected.

Is it possible to remove the Coro device client from multiple users in bulk, or is this done manually, one at a time?

Yes, this is possible using an external mass deployment tool that can be used to uninstall the agent from all devices. Tamper Protection must be disabled on all the devices first.

What happens when you remove a user from protection? Does it also remove the agent from their devices?

No, when a user is removed from protection, only email and cloud apps are no longer protected. The device is not removed, and vulnerabilities are still detected, reported, and remediated. To remove the device, either disable Tamper Protection on the device so that the user can uninstall it or click Disable protection on the device from the Devices view. This prevents the endpoint client from detecting and reporting any device vulnerabilities.

As a ransomware detection and remediation tool, what advantages does Coro have over other traditional EDR tools?

Unlike traditional EDRs, Coro provides extended protection, including device posture monitoring. Coro can assist in preventing such threats by ensuring users have firewalls installed, passwords set on their devices, and data encryption enabled.

A recent test of the Coro Windows Agent was conducted by SE Labs ( and Coro received an overall score of 97%, giving it an AAA rating.

Can Coro detect when a file has been deleted?

Yes, Coro detects deleted files.

Does Coro indicate which folder was affected when a file is deleted from a folder?

Yes, when larger files are deleted, Coro details and organizes them by folder.

Does Coro provide the ability to disconnect a device from all internet activity and log in to the device using remote monitoring and management (RMM) software in order to diagnose?

No, Coro does not provide the ability to disconnect a device from all internet activity and log in to the device using RMM.

When Coro encrypts a drive on a device, is the Bitlocker recovery key automatically stored in Azure as well as in Coro?

After encryption, the recovery key is stored in Coro only. The recovery key for accessing the encrypted data for a specific device is displayed in the Activity Log as well as in the Device details pane under Devices.

Encrypted drives

Can an endpoint device be connected to more than one workspace?

No, a device can only be linked to a single workspace. The installation process will fail if you attempt to install an agent from a different workspace on a device that already has Coro installed.

What is the average size of a definition/signature update received by the Coro Endpoint agent from the Bitdefender servers?

On average the Bitdefender engine downloads 60-70 MB a day.

Can the Coro endpoint agent be uninstalled through the Coro Console?

No, currently, the Coro endpoint agent cannot be uninstalled through the Coro Console.The user can uninstall the agent only after Tamper Protection has been disabled on a device by an administrator.

When a client approves a file via the endpoint agent that's flagged as malware, does it apply to all endpoint devices?

The file is approved for all devices within the same workspace.

I am attempting to configure two-factor authentication (2FA), but I am not prompted to sign in with 2FA the next time I login to Coro

You can only use 2FA if you log in with a username and password. Social logins (Microsoft 365 or Google Workspace) do not require the use of 2FA. The user's 2FA will be disabled in the Admin Users section of the Control Panel. 2FA can only be configured for social accounts directly from your Google or Microsoft account.