Microsoft 365 detection and remediation
Coro works in tandem with Microsoft 365 malware detection.
Coro detects malware in files as soon as they are uploaded from an external source or the user's device to cloud storage.
Microsoft 365 malware detection typically occurs 15 minutes or more after a file download. If a scan identifies a file as malicious, Microsoft 365 restricts its sharing capabilities, and OneDrive displays a warning, indicating the file cannot be shared.
Microsoft 365 does not detect certain file types. Coro detects malware in these files immediately upon upload from an external source or the user's device to cloud storage.
When Coro first detects malware, it creates a quarantine folder (named "Suspected folder"), moves the suspected malware file to the folder, and creates a ticket for the event. The quarantine folder is visible within the cloud storage service, and Coro recommends that administrators restrict access to it in line with their organization's security policies. The admin user has the following remediation actions available:
- Approve file: The file is returned to its original location on the cloud drive. The admin user has the option of immediately closing the current ticket and all related tickets.
- Delete file: Permanently deletes the file.
Malware identified by Microsoft 365
In some cases, Microsoft 365 identifies malware before Coro detects it. When this occurs, Microsoft 365 prevents the file from being sent to Coro’s quarantine folder. Although Coro still logs the event and creates a ticket, Coro cannot take any remediation actions on the file because Microsoft 365 has already addressed the threat.
When this happens, an admin user can still review the tickets that Coro raises to report the malware identification, and can still perform actions such as suspending the user or closing the ticket. However, because Microsoft 365 has already dealt with the threat, the Approve file and Delete file actions are not available.