Skip to content

Protection coverage

What happens to tickets that are still pending my review in the Actionboard when my free trial expires and I continue to use CoroFree?

As part of our security monitoring, tickets are generated by Coro the same across all of our plans, including Coro Free. Coro Free only comes with monitoring, however, and so the difference is that it allows for neither automatic nor supervised remediation actions - which are features included in our paid plans.

Does Coro scan SharePoint and OneDrive for malicious executable files (EXE, MSI, etc.)?

Yes, Coro scans all file types for malware. The entire file's content is checked for malware/ransomware.

Can Coro detect malicious scripts embedded in Word, PDF, PPT, and other documents?

Yes, Coro detects malicious scripts embedded in Word, PDF, PPT, and other documents.

How does Coro resolve malicious software detected on an endpoint or device?

Coro monitors all ALL processes and terminates them if suspicious behavior is detected.

Advanced Threat Control mentions that it blocks processes that are not specifically allowlisted. How do I add a process to the allowlisted?

There is an action within the respective ticket which enables you to allowlist a process.

Does Coro support Linux endpoint protection?

Linux endpoint protection is currently not supported.

What monitoring and protection does Coro provide for Salesforce?

Coro Salesforce protection includes malware/ransomware detection and remediation, as well as user account access and activity control.

Does Coro provide protection for Chromebooks as endpoints?

No, Coro does not provide protection for Chromebooks.

Is Coro compatible with Spark?

Yes, Coro is compatible with Spark.

What monitoring and protection does Coro provide for Slack?

Coro protects Slack user account access while also monitoring and controlling user activity.

As a Coro SOC client, if my organization is targeted by a cyberattack, how will Coro notify me?

This is determined by the information that you provided on your Coro SOE Engagement Form . Coro will either phone or email the designated point of contact, depending on the preferred method of communication (call , email , do not contact).

What protection is offered to O365 users that are not using Outlook?

Support is provided for all protection except email-based detections.

Does Coro detect DLP of information within CAD files?

No, Coro does not detect DLP of information within CAD files.

How does Coro's malware detection and execution process work

The anti-malware agent of Coro's next generation is capable of detecting multiple variants of malware, PUA trojans, and other suspicious files. An inspection is performed each time a file is accessed that has not previously been scanned.

If the inspection indicates that the file (or an item within an archived file) is infected or suspicious (with high potential), Coro's reactive mechanism is activated. If the malware is extremely persistent and well-hidden, the algorithm will either quarantine it or delete it.


Coro does not clean infected files.

The action of quarantine involves encapsulating the file so that it cannot be executed by renaming, but can be restored to its original location.

On cloud drives, quarantined files are moved to the Suspected folder, except for Salesforce, where the files are archived.

Does Coro detect Mass Data Downloads/Deletions on Salesforce?

Yes, Mass Data Downloads/Deletions are detected on Salesforce. With Mass Data Downloads, Coro detects when a large amount of smaller files are exported from Salesforce.

What is the difference between a Suspected Identity compromise and an Access permission violation ticket?

Suspected Identity Compromise tickets relate to suspect log-ins and abnormal user activity. Access permission violation tickets relate to someone successfully signing in from a different country.

To set up Geofencing permissions:

  • Navigate to Settings > Cloud Apps > Access Permissions.
  • Select New Permissions.
  • Select All Users or Specific Groups.
  • The New Access Permissions dialog is displayed.
  • From The access will be allowed to dropdown select Country.
  • Select the allowed countries.
  • Select Save Permissions.

There are three remediation options when an Access Permissions policy is created:

  1. None (Creates an Access Permissions Violation ticket)
  2. Suspend (suspends users from logging in from outside the defined countries and creates an Access Permissions Violation ticket)
  3. Sign in (signs out the user and creates an Access Permissions Violation ticket)


If geofencing is not set up, Coro creates a Suspected identify compromise ticket.

Can Coro retroactively remediate tickets? For example, if a ticket is generated after my Coro trial expires, and therefore no remediation is performed, will Coro perform remediation on the ticket after I purchase Coro, or extend my trial period?

No, Coro does not perform any actions retroactively.

Under what conditions does Coro create a ticket and leave it open for an admin to review and take action?

Tickets are identified and handled by Coro according to the following classifications:

Requires review: Tickets remain open until the operator explicitly closes them.

Suggested for review: Tickets remain open for a limited period of time and are automatically closed by the system when the respective time window for review is over, whether the operator reviewed them or not.

A**utomatically closed**: Tickets are closed immediately by Coro, either following their resolution or because the related issues only need to be monitored and logged for compliance audits.

How it works:

Once created in the system, tickets are sorted and assigned to their relevant area:

  1. Email
  2. Data
  3. Devices
  4. Users
  5. Cloud apps

Tickets are classified according to the unique logic for that area.

If a closed ticket is explicitly re-opened by the operator, it is automatically re-classified independent of its initial classification by the system.

Email ticket logic

Email security issues are handled as follows: Tickets associated with user phishing/safe feedback provided via Coro add-ins, spoofing of important domains (including customer’s domains), and impersonation of specific users of the customer - these tickets are classified as Suggested for review. They are automatically closed after the review period of two weeks.

All other flagged incoming emails are deleted or removed from the Inbox and moved to the Suspected folder, and are automatically closed.

Device posture screen

Data ticket logic

Ticket logic for data violations attempts to find the balance between the need to:

  • Detect and log everything for audit that might constitute a privacy/compliance breach
  • Primarily focus on particularly problematic private information exposures.

Accordingly, data governance tickets are classified as follows:

Detections that, according to the best practices of data governance regulations (GDPR, HIPAA, SOC2, etc.), require the attention of the data compliance officers - tickets are classified as Suggested for review, with a review time window of two weeks

All other tickets are automatically closed by the system

Device ticket logic

Coro detects files and processes on the endpoint devices suspected as malicious, as well as various vulnerabilities in the security posture of the devices.

All files detected as malicious are automatically quarantined and all processes detected as suspicious are automatically terminated; no further remediation actions on the side of the operator are required. At the same time, after examining the ticket, the operator may decide to approve the respective file or even exclude the folder in which the flagged file resided from malware scans by Coro. Therefore, all tickets are Suggested for review, with a review time window of two weeks.

The classification of the device vulnerability tickets depends on the Device Posture settings for each environment and it depends on the vulnerability that is introduced, and can be one of the following:

Review. No auto-remediation is performed, and the ticket requires review. The ticket remains open until either the operator closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Enforce. Auto-remediation is performed, recorded in the ticket, and the ticket is automatically closed.

User ticket logic

Access Permission violations for which an operator has already explicitly specified an auto-remediaton action are automatically closed.

All other user tickets are Suggested for review, with time windows of 1-2 weeks.

At this time, Suspected Bot Attack and Abnormally Massive Download tickets are currently automatically closed, however, Coro is currently evaluating this logic and considering aligning them with the other tickets in the Users category.

Cloud app ticket logic

All files detected as malicious are automatically moved to a dedicated quarantine folder; no further remediation action on the operator's part is required. At the same time, after examining the ticket, the operator may decide to approve the respective file or to permanently delete it. Therefore, all cloud app malware tickets Suggested for review (G2), with a review time window of two weeks.

Suspected Identity Compromise and Abnormal Admin Activity tickets are Suggested for review (G2), and are automatically closed after the review period of two and four weeks, respectively.

Suspected Bot Attack tickets are automatically closed and logged immediately.

Is it safe to use Coro alongside other installed AV products?

It is not advised to install Coro alongside other antivirus software, as the performance of both products will be negatively impacted. Windows Defender is however fully compatible with Coro.

What is monitored on Salesforce integration?

Mass downloads and deletes are monitored on Salesforce.

Can Coro alerts be delivered to a Slack channel?

Yes, an email rule can be created to forward emails from Coro notifications to a Slack channel.

If I am running another AV product, and it detects and quarantines a potentially malicious file, will Coro still detect this already quarantined file?

No, if a potentially malicious file has already been quarantined by another AV product, Coro will not detect it.

When a user is added/removed from O365/AzureAD, does the process happen in real time?

Yes, Select the Synchronize users from cloud apps now option from the Protected Users or Protected Groups tab on the Protected users page (Control Panel > Protected users) to sync all cloud app users immediately.

Protected user screen

What is flagged in a Suspicious Exposure of Certificate ticket?

Security certificates, including files with .crt or .pem extensions, are digital certificates that can be used to establish secure connections between a client and a server. These files are regarded as sensitive.

What is flagged as Abnormal Admin Activity?

Coro detects identity compromise suspicions for regular and administrative accounts by analyzing data from all customers, specific customers, and specific users behind a ticket, creating normative behavior models, and detecting anomalies from these models. The models range from simple statistical anomaly models to more complex models that cross-correlate data from various sensors throughout the system to uncover evidence of abnormal behavior.

For example, Coro can detect suspicious Admin Login due to the fact that activity took place on a user's account from different IP's in close time proximity.