Ticket types for Endpoint Security
Coro generates tickets for protected devices when it identifies the following security vulnerabilities:
- Apple mobile file integrity disabled
- Development mode enabled
- Device password missing
- Firewall disabled
- Gatekeeper disabled
- Infected process
- Malware on endpoint
- System integrity protection disabled
- UAC notification missing
- Unencrypted endpoint drive
- VSS backup protection
- Non-genuine Windows Copy
- Forbidden Wi-Fi Connection
- WiFi Phishing
Apple mobile file integrity disabled
Coro detected that Apple Mobile File Integrity (AMFI) is disabled on the device. AMFI helps ensure the integrity and security of executable code and system files on Apple devices. When AMFI is disabled, applications can be compromised with malicious code.
A ticket is remediated according to the selected policy action. For further information, see Creating a new Apple Mobile File Integrity Disabled policy.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Enable Apple Mobile File Integrity | Enable Apple Mobile File Integrity on this device and close ticket. |
Development mode enabled
Coro detected that Development mode is enabled on the device. Development mode is a device configuration that is intended for use by developers and advanced users. Enabling Development mode can expose the device to potential security vulnerabilities.
Development mode enabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket remains open until either the admin user closes it manually or the vulnerability is observed by the Coro endpoint Agent as being resolved.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Disable developer mode | Remotely disables Development mode on the device. |
Device password missing
Coro detected the password is missing on the device.
Device password missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket remains open until either the admin user closes it manually or the vulnerability is observed by the Coro endpoint Agent as being resolved.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
When a ticket is generated, admin users configured to receive notifications are sent an email with ticket details and options to remediate the event. For more information about receiving notifications, see notifications.
When an action is selected, you are taken to the Coro console to review and confirm the action. The actions include:
- ADD POSTURE POLICY - Add the Remote password and session locking policy for Windows or macOS, depending on the device in the ticket. Close this and related open tickets for the device.
- DISREGARD AND CLOSE - Close this and related open tickets for the device without further action.
Firewall disabled
Coro detected that the firewall on the device is disabled. A firewall is a software or hardware-based security mechanism that monitors and controls network traffic on a device, based on predefined security rules. Firewall disabled refers to a state in which the firewall on a device is not active.
Firewall disabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket is remediated according to the selected policy action. For further information, see Creating a new Firewall disabled policy.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Enable firewall | Coro closes the ticket and enables the firewall on the device. A record is added to the Activity Log: "Firewall on <device name> of user <user> was re-enabled" |
When a ticket is generated, admin users configured to receive notifications are sent an email with ticket details and options to remediate the event. For more information about receiving notifications, see notifications.
When an action is selected, you are taken to the Coro console to review and confirm the action. The actions include:
- ADD POSTURE POLICY - Add the Firewall disabled policy for Windows or macOS, depending on the device in the ticket. Close this and related open tickets for the device.
- ENABLE FIREWALL - Enable the firewall on the device. Close this and related open tickets for the device.
- DISREGARD AND CLOSE - Close this and related open tickets for the device without further action.
Gatekeeper disabled
Coro detected that Gatekeeper is disabled on the device. Gatekeeper is a security technology that helps ensure only trusted software runs on the device.
A ticket is remediated according to the selected policy action. For further information, see Creating a new Gatekeeper Disabled policy.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Enable Gatekeeper | Enable Gatekeeper on this device and close ticket. |
Infected process
Coro detected a potential malicious process on the device. Processes detected as malicious are terminated immediately and no further action is required. However, admin users have the option to review the ticket and choose to approve the process group. Tickets are suggested for review with a review time of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Remote scan for malware | A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log: "Remote scan has been requested for the device <device name> of User" |
| Approve process group | When a process group is approved by an admin user, the Coro Agent approves it on all devices in the same workspace. Identical process groups are also considered safe and not terminated. A record is added to the Activity Log: "Process group <process group> as it was detected on device <device name> of user <user> will be considered safe and thus will not be terminated" |
note
A process group is approved based on the collective processes it contains, not on the order of the processes within the group.
Malware on endpoint
Coro detected potential malware on the device. Files detected as malicious are automatically moved to a quarantine folder and no further action is required. However, admin users have the option to review the ticket and choose to approve the files. They can also configure Coro's malware scan to ignore the original folder in which the flagged file resides. Tickets are suggested for review with a review time of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Remote scan for malware | A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log: "Remote scan has been requested for the device <device name> of User" Additionally, a message is added to the notifications tab in the Agent app on the device to inform end users that a scan has been remotely initiated. |
| Approve this file | When a file is approved by an admin user, the Coro Agent approves it on all devices in the same workspace. The file is removed from quarantine (if applicable). Future identical files are not quarantined. The admin user has the option of immediately closing the current ticket and all related tickets. |
| Exclude folder from malware scan | Future malware and ransomware scans will not include the folder specified in the ticket. The admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log: "File <filepath> on the device <device name> of User is excluded from malware inspection for as long as it remains unchanged" |
System integrity protection disabled
Coro detected that System Integrity Protection (SIP) is disabled on the device. SIP is a security technology that helps protect the device from malicious software that could modify protected files and folders. It restricts the root user account and limits the actions that the root user can perform on protected parts of the operating system.
A ticket remains open until either the admin user closes it manually or the vulnerability is observed by the Coro endpoint Agent as being resolved.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
UAC notification missing
Coro detected missing UAC (User Access Control) notifications on the device.
UAC notification missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket is remediated according to the selected policy action. For further information, see Creating a new UAC Notification Missing policy.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Enforce UAC notification | The Coro Agent enables UAC on the machine. The admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log: UAC notification on <device name> of user <user> was re-enabled |
When a ticket is generated, admin users configured to receive notifications are sent an email with ticket details and options to remediate the event. For more information about receiving notifications, see notifications.
When an action is selected, you are taken to the Coro console to review and confirm the action. The actions include:
- ADD POSTURE POLICY - Add the UAC notifications disabled policy for Windows or macOS, depending on the device in the ticket. Close this and related open tickets for the device.
- ENABLE UAC NOTIFICATIONS - Enable UAC on the device. Close this and related open tickets for the device.
- DISREGARD AND CLOSE - Close this and related open tickets for the device without further action.
Unencrypted endpoint drive
Coro detected an unencrypted drive on the device.
Unencrypted endpoint drive is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket remains open until either the admin user closes it manually or the vulnerability is observed by the Coro endpoint Agent as being resolved.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Encrypt drive | Encrypts the hard drive of the device. A record is added to the Activity Log: "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')" When drive encryption is complete, a record is added to the Activity Log: "Drive was encrypted on <device name> by <user>" Encryption keys are stored on both the device (by BitLocker) and on the Coro servers. |
| Allow no encryption | The hard drive of the device is allowlisted, and is treated as not containing any sensitive data that requires disc encryption. The admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log: Hard drive '<drive >' on the device <device name> of user <user> has been allowlisted for not being encrypted |
When a ticket is generated, admin users configured to receive notifications are sent an email with ticket details and options to remediate the event. For more information about receiving notifications, see notifications.
When an action is selected, you are taken to the Coro console to review and confirm the action. The actions include:
- ENCRYPT DRIVE - Encrypt the device hard drive. Close this and related open tickets for the device.
- ALLOW NO ENCRYPTION - Allowlist the device hard drive. Close this and related open tickets for the device.
- DISREGARD AND CLOSE - Close this and related open tickets for the device without further action.
VSS backup protection
When VSS (Volume Shadow Copy Service) backup protection is enabled, Coro enforces backup snapshots every four hours and blocks processes that exhibit risks to the backup (see Using VSS backup protection on your Windows endpoints). Tickets are suggested for review with a review time of two weeks. The Suspected malicious process header within the ticket displays the process attempting to manipulate the VSS backup files:
note
Coro does not support Identifying the process responsible for attempting to manipulate the VSS backup files on the following operating systems (OS):
- Windows 7
- Windows Server 2012
- Windows Server 2016
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Remote scan for malware | A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log: "Remote scan has been requested for the device <device name> of User" |
Non-genuine Windows Copy
Coro detected a non-genuine copy of Windows on the device.
Non-genuine Windows Copy is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
A ticket remains open until either the admin user closes it manually or the vulnerability is observed by the Coro endpoint Agent as being resolved.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Forbidden Wi-Fi Connection
Coro detected a blocked public Wi-Fi network. A device is forbidden from connecting to a blocked public Wi-Fi network.
After the policy is configured and you attempt to connect to a public Wi-Fi, the connection attempt fails and a Forbidden Wi-Fi Connection ticket is created which is auto-closed, and no actions are available.
A record is added to the Activity Log: "Connection of device <device name> to WiFi network <Wi-fi network name> has been blocked."
Forbidden Wi-Fi Connection is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration):
WiFi Phishing
Coro detected a connection from the device to a Wi-Fi network that might be unsafe and potentially involved in phishing or man-in-the-middle attacks. No auto-remediation is performed and a ticket is raised and classified as requiring review. Tickets are suggested for review with a review time of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Re-open | (Closed tickets only) Reopen this ticket for admin user intervention and manual remediation. |
| Un-log and remove from audit reports | (Closed tickets only) Remove this ticket from your Workspace status update emails. Note: Un-logged tickets include a Log and reference for audit reports action to re-include the ticket in your update emails. |