Skip to content

Endpoint Security

What level of Windows User Account Control (UAC) must be enabled for Coro to enforce a UAC Notification Missing policy?

Coro enforces the UAC Notification Missing policy when Windows User Account Control settings are set to:

  • Default

  • Low

  • Medium

UAC Settings


Windows UAC is considered vulnerable when set to Low or Medium.

For more information, see UAC Notification.

If an admin user configures a Remote Password & Session Locking policy on my workspace, how does the Coro agent detect how old my existing password is?

The Coro agent is capable of extracting user profile information directly from your device to determine the age of your existing password.

For more information, see Remote password and session locking.

Does Coro have the capability to auto-enforce hard drive encryption without allowing the end user to disable it?

While Coro can perform hard drive encryption, there is no method to ensure this functionality is auto-enforced. It is a manual remediation action performed by an admin user in the Coro console, either from the Devices page or from the Ticket Log.


Hard drive encryption can be performed on Windows endpoint devices.

For more information, see Encryption for endpoints with Windows operating systems

For specific devices, how far back does Coro log recently logged in users?

Coro maintains a record of the last three users.

If I am running another Antivirus (AV) product, and it detects and quarantines a potentially malicious file, will Coro still detect this already quarantined file?

No, if a potentially malicious file has already been quarantined by another AV product, Coro does not detect it.

Where are encryption keys stored?

Encryption keys are stored on both the device (by Bitlocker) and on the Coro servers.

Additionally, Bitlocker recovery keys are displayed for all encrypted drives on a device. The recovery key is displayed within the Drives section of the Devices page:

Recovery key

For more information, see Encryption for endpoints with Windows operating systems

When an employee or contractor leaves the company, can an admin user remove the endpoint linked to that employee, or does Tamper Protection prevent this?

Yes, an admin user can remove the endpoint linked to that employee after disabling Tamper Protection.

Tamper Protection is typically used to prevent the Coro Security Platform from being corrupted or uninstalled on the devices of users. The setting is shared by the entire workspace. If clients want their employees to uninstall the app on their own, an admin must disable Tamper Protection for the specific device rather than the entire workspace.

To disable Tamper Protection on an endpoint device:

  1. Select Devices from the Toolbar:


  2. Locate the desired device.

  3. Select Actions > Disable Tamper Protection.

    After the set Heartbeat Interval, this device's Tamper Protection will be disabled. The Coro application can now be uninstalled by the user.


    Tamper Protection is disabled on the specific device until the first reboot. Rebooting the device will re-enable Tamper Protection.


    Admin users can disable Tamper Protection.

For more information, see Device actions.

How do I disable Coro app notifications?

Although app notifications cannot be configured directly from the Coro Console, they can be configured from the device itself as follows.


  1. Select Apple menu > System Settings.
  2. Select Notifications in the sidebar. (You may need to scroll down).
  3. Select the app or website on the right.
  4. Disable Allow notifications.

Notifications are disabled and are not received until Allow notifications is re-enabled.


  1. Open Windows Settings by pressing the Win + I keys simultaneously.
  2. From the System page, select Notifications.
  3. Disable the Notifications toggle for the app.

Notifications are disabled and are not received until Allow notifications is re-enabled.

Does Coro detect Data Loss Prevention (DLP) of information within Computer aided design (CAD) files?

No, Coro does not detect DLP of information within CAD files.

Can Coro retroactively remediate tickets? For example, if a ticket is generated after my Coro trial expires, and therefore no remediation is performed, will Coro perform remediation on the ticket after I purchase Coro, or extend my trial period?

No, Coro does not perform any actions retroactively.

Under what conditions does Coro create a ticket and leave it open for an admin user to review and take action?

Coro employs adaptive data-driven or artificial intelligence (AI) driven decisions for detection, alerting, and remediation.

For more information, see Tickets in Coro.

Is it safe to use Coro alongside other installed Antivirus (AV) products?

It is not advised to install Coro alongside other antivirus software, as the performance of both products will be negatively impacted. Windows Defender is, however, fully compatible with Coro.

How does Coro resolve malicious software detected on an endpoint or device?

Coro monitors all processes and terminates them if suspicious behavior is detected.

When Advanced Threat Control is enabled, Coro monitors active processes for known and potential threats, and blocks processes (that are not explicitly allowlisted) that exhibit suspicious behavior.

How do I add a process to the Allow/Block list?

The Endpoint Security and EDR module Allow/Block lists allow you to manage your processes by allowing those that are safe to be accessed.

For more information, see:

Does Coro support Linux endpoint protection?

Linux endpoint protection is currently not supported.

Does Coro provide protection for Chromebooks as endpoints?

No, Coro does not provide protection for Chromebooks.

Is Coro compatible with Spark?

Yes, Coro is compatible with Spark.

Can Coro detect malicious scripts embedded in Word, PDF, PPT, and other documents?

Yes, Coro detects malicious scripts embedded in Word, PDF, PPT, and other documents.

What gets backed up within secure shadow backup snapshots?

The entire hard drive of the device is backed up.

For further information, see VSS backup protection.

Where are secure shadow backup snapshots stored?

Secure shadow backup snapshots are stored in the System Volume Information folder (hidden by default), and can be managed in the device's 'System Protection' configuration settings.

For further information, see VSS backup protection.

How do I restore secure shadow backup snapshots?

For instructions on how to restore secure shadow backup snapshots, see Restoring secure shadow backup snapshots.

What does the USB Lockdown device posture policy do?

The USB Lockdown device posture policy blocks mass storage devices on macOS devices. For Windows devices, this extends to block both mass storage and other USB-connected devices, such as media players and smartphones.

I'm traveling outside my usual Wi-Fi network area, and when I try to connect my device to a public Wi-Fi network, the Coro Agent displays a notification: "Connection to <network> is not permitted by your administrator". What should I do?

Your device has a Wi-Fi connection policy enabled. Wi-Fi connection policies prevent devices from connecting to public Wi-Fi networks, only allowing connections to secure, password protected networks.

Admin users can allow the connection by ensuring no device labels that enforce this Wi-Fi connection policy are assigned to your device. Alternatively, they can remove the Wi-Fi connection policy from all devices.

Your device must first connect to a secure network to update its policy. After the policy update, your device is able to connect to public Wi-Fi networks.


The time taken for the Wi-Fi connection policy to update depends on your workspace's heartbeat interval.

For more information, see Configuring Wi-Fi connectivity policies.