
Ticket types for Endpoint Security

Coro generates tickets for protected devices when it identifies the following security vulnerabilities:

Apple mobile file integrity disabled

Coro detected that Apple Mobile File Integrity (AMFI) is disabled on the device. AMFI enforces code-signature and entitlement checks on executable code, which helps ensure the integrity of applications and system files on Apple devices. When AMFI is disabled, unsigned or tampered code is allowed to run, so applications can be modified to carry malicious code.

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enable Apple Mobile File Integrity: Enable Apple Mobile File Integrity on this device and close the ticket.
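The Review and Enforce policy actions, the manual Close ticket outcome and the note on device removal above are shared by every ticket type on this page. The following Python model of those lifecycle rules is an added example written for this page, not Coro's own code: the vulnerability names and Activity Log texts are taken from the page, while the TicketBook class, the remediation hooks and the closing labels are assumptions made for the example.

```python
"""Model of the ticket lifecycle described on this page (added example, not Coro code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Policy(Enum):
    REVIEW = "review"    # raise a ticket and leave it open for an Admin user
    ENFORCE = "enforce"  # auto-remediate, record it in the ticket, auto-close


@dataclass
class Ticket:
    device: str
    vulnerability: str
    status: str = "open"             # "open" or "closed"
    closed_by: Optional[str] = None  # who or what closed it
    notes: List[str] = field(default_factory=list)

    def close(self, who: str) -> None:
        self.status = "closed"
        self.closed_by = who


# Hypothetical remediation hooks. A real agent would change the device setting
# (enable the firewall, enable Gatekeeper, ...); here each hook only returns the
# Activity Log text this page shows for that action.
REMEDIATIONS: Dict[str, Callable[[str, str], str]] = {
    "Firewall disabled":
        lambda dev, user: f"Firewall on {dev} of user {user} was re-enabled",
    "UAC notification missing":
        lambda dev, user: f"UAC notification on {dev} of user {user} was re-enabled",
}


class TicketBook:
    """Tickets for one workspace plus the policy (Review/Enforce) per vulnerability."""

    def __init__(self, policies: Dict[str, Policy]) -> None:
        self.policies = policies
        self.tickets: List[Ticket] = []
        self.activity_log: List[str] = []

    def open_tickets(self, device: Optional[str] = None) -> List[Ticket]:
        return [t for t in self.tickets
                if t.status == "open" and (device is None or t.device == device)]

    def detect(self, device: str, user: str, vulnerability: str) -> Ticket:
        """The agent observed a vulnerability: raise a ticket and apply the policy."""
        for t in self.open_tickets(device):
            if t.vulnerability == vulnerability:
                return t  # already tracked by an open ticket; do not duplicate
        t = Ticket(device, vulnerability)
        self.tickets.append(t)
        policy = self.policies.get(vulnerability, Policy.REVIEW)
        if policy is Policy.ENFORCE and vulnerability in REMEDIATIONS:
            record = REMEDIATIONS[vulnerability](device, user)
            self.activity_log.append(record)
            t.notes.append(record)
            t.close("auto-remediation")
        return t

    def observe_resolved(self, device: str, vulnerability: str) -> None:
        """The agent saw the condition disappear (for example the user re-enabled the firewall)."""
        for t in self.open_tickets(device):
            if t.vulnerability == vulnerability:
                t.close("agent-observed-resolution")

    def admin_close(self, ticket: Ticket) -> None:
        """The 'Close ticket' action: treat as remediated and take no further action."""
        ticket.close("admin")

    def remove_device(self, device: str) -> int:
        """Removing a device from protection closes every open ticket it has."""
        closed = self.open_tickets(device)
        for t in closed:
            t.close("device-removed")
        return len(closed)
```

A vulnerability under Review stays open across repeated detections (detect returns the existing ticket), which is why the same condition does not flood the ticket list; only an Admin close, an agent-observed resolution or device removal changes its state.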

Development mode enabled

Coro detected that Development mode is enabled on the device. Development mode is a device configuration intended for developers and advanced users; enabling it relaxes protections that normal users rely on and can expose the device to security risks.

Development mode enabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Disable developer mode: Remotely disables Development mode on the device.

Device password missing

Coro detected that no device password is set on the device.

Device password missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Firewall disabled

Coro detected that the firewall on the device is disabled. A firewall is a software or hardware-based security mechanism that monitors and controls network traffic to and from the device based on predefined rules; when the host firewall is disabled, that traffic is no longer filtered on the device.

Firewall disabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enable firewall: Coro enables the firewall on the device and closes the ticket. A record is added to the Activity Log:
    "Firewall on <device name> of user <user> was re-enabled"

Gatekeeper disabled

Coro detected that Gatekeeper is disabled on the device. Gatekeeper is a macOS security technology that checks downloaded software for a valid developer signature and notarization before it is allowed to run, which helps ensure that only trusted software runs on the device.

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enable Gatekeeper: Enable Gatekeeper on this device and close the ticket.

Infected process

Coro detected a potentially malicious process on the device. Processes detected as malicious are terminated immediately and no further action is required. However, Admin users have the option to review the ticket and choose to approve the process group. Tickets are suggested for review with a review time of two weeks.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log:
    "Remote scan has been requested for the device <device name> of User"

  • Approve process group: When a process group is approved by an Admin user, the Coro Agent approves it on all devices in the same workspace. Identical process groups are also considered safe and not terminated. A record is added to the Activity Log:
    "Process group <process group> as it was detected on device <device name> of user <user> will be considered safe and thus will not be terminated"

Note: A process group is approved based on the collective processes it contains, not on the order of the processes within the group.

Malware on endpoint

Coro detected potential malware on the device. Files detected as malicious are automatically moved to a quarantine folder and no further action is required. However, Admin users have the option to review the ticket and choose to approve the files. They can also configure Coro's malware scan to ignore the original folder in which the flagged file resides. Tickets are suggested for review with a review time of two weeks.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log:
    "Remote scan has been requested for the device <device name> of User"

  • Approve this file: When a file is approved by an Admin user, the Coro Agent approves it on all devices in the same workspace. The file is removed from quarantine (if applicable). Future identical files are not quarantined. The Admin user has the option of immediately closing the current ticket and all related tickets.

  • Exclude folder from malware scan: Future malware and ransomware scans will not include the folder specified in the ticket. The Admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log:
    "File <filepath> on the device <device name> of User is excluded from malware inspection for as long as it remains unchanged"
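The approval actions for Infected process tickets (Approve process group) and Malware on endpoint tickets (Approve this file, Exclude folder from malware scan) share one idea: an Admin user's decision on one device becomes a workspace-wide allowlist entry, matched on what was approved rather than where it was seen, with a process group matched on its members regardless of order and a file approval holding only while the file is unchanged. The following Python sketch is an added example, not Coro's code; representing a process by (path, signer), keying file approval on a SHA-256 of the content and matching folder exclusions by path prefix are assumptions made for the example.

```python
"""Workspace-wide approvals for Infected process and Malware on endpoint tickets
(added example, not Coro code)."""
import hashlib
from typing import FrozenSet, Iterable, Set, Tuple

# Assumed identity of one process for this example: (executable path, code signer).
Process = Tuple[str, str]


def process_group_key(processes: Iterable[Process]) -> FrozenSet[Process]:
    """Order-independent identity of a process group: the set of its members."""
    return frozenset(processes)


def _norm(path: str) -> str:
    """Compare Windows and POSIX paths the same way."""
    return path.replace("\\", "/")


class WorkspaceAllowlist:
    """Approvals an Admin user makes on one device apply to every device in the workspace."""

    def __init__(self) -> None:
        self.process_groups: Set[FrozenSet[Process]] = set()
        self.file_hashes: Set[str] = set()
        self.excluded_folders: Set[str] = set()

    # Infected process
    def approve_process_group(self, processes: Iterable[Process]) -> None:
        self.process_groups.add(process_group_key(processes))

    def should_terminate(self, processes: Iterable[Process]) -> bool:
        """A flagged group is left running only if an identical group was approved."""
        return process_group_key(processes) not in self.process_groups

    # Malware on endpoint
    @staticmethod
    def file_hash(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def approve_file(self, content: bytes) -> None:
        """Approve by content, so the approval holds only for as long as the file is unchanged."""
        self.file_hashes.add(self.file_hash(content))

    def exclude_folder(self, folder: str) -> None:
        self.excluded_folders.add(_norm(folder).rstrip("/") + "/")

    def should_quarantine(self, path: str, content: bytes) -> bool:
        """Quarantine unless the content was approved or the file sits in an excluded folder.

        A modified copy at an approved path has a new hash and is quarantined again.
        """
        if self.file_hash(content) in self.file_hashes:
            return False
        return not any(_norm(path).startswith(folder) for folder in self.excluded_folders)
```

The folder exclusion is deliberately the weaker control: anything dropped into an excluded folder is skipped regardless of content, so excluding a user-writable folder is a decision worth recording in the ticket rather than a routine one.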

System integrity protection disabled

Coro detected that System Integrity Protection (SIP) is disabled on the device. SIP is a security technology that helps protect the device from malicious software that could modify protected files and folders. It restricts the root user account and limits the actions that root user can perform on protected parts of the operating system.

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
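Four of the ticket types above (Apple mobile file integrity disabled, Gatekeeper disabled, Firewall disabled and System integrity protection disabled) describe macOS states that an Admin user can verify on the device before closing or acting on a ticket. The following Python script is an added example, not Coro's agent code: it parses the text printed by the built-in tools csrutil, spctl, socketfilterfw and nvram, so the parsers can be exercised offline on the constructed sample output embedded below, and only runs the real commands on macOS. Treating the amfi_get_out_of_my_way / amfi boot arguments as the sign that AMFI is disabled is an assumption made for the example; the page does not say how the product detects that condition.

```python
"""Local verification of the macOS states behind the AMFI, Gatekeeper, SIP and
firewall tickets (added example, not Coro's agent code)."""
import platform
import re
import subprocess
from typing import Dict, Optional


def sip_enabled(csrutil_status: str) -> bool:
    """`csrutil status` prints 'System Integrity Protection status: enabled.'"""
    m = re.search(r"status:\s*(enabled|disabled)", csrutil_status)
    return m is not None and m.group(1) == "enabled"


def gatekeeper_enabled(spctl_status: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_status


def firewall_enabled(socketfilterfw_state: str) -> bool:
    """`socketfilterfw --getglobalstate` prints 'Firewall is enabled. (State = 1)';
    State 2 is 'block all incoming connections', State 0 is off."""
    m = re.search(r"State\s*=\s*(\d)", socketfilterfw_state)
    return m is not None and m.group(1) != "0"


# Boot arguments that switch AMFI off. Assumption for this example: any non-zero
# amfi_get_out_of_my_way= or amfi= value counts as an override.
_AMFI_OVERRIDE = re.compile(r"\bamfi(?:_get_out_of_my_way)?=(\S+)")


def amfi_enabled(boot_args: Optional[str]) -> bool:
    """`nvram boot-args` prints 'boot-args<TAB>...'; when the variable is unset it reports
    'data was not found' on stderr, meaning no override is present and AMFI is enabled."""
    if not boot_args or "not found" in boot_args:
        return True
    for value in _AMFI_OVERRIDE.findall(boot_args):
        try:
            if int(value, 0) != 0:
                return False
        except ValueError:
            return False  # a non-numeric override value is still an override
    return True


def evaluate(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Map each ticket type on this page to whether the device currently triggers it."""
    return {
        "System integrity protection disabled": not sip_enabled(outputs.get("csrutil", "")),
        "Gatekeeper disabled": not gatekeeper_enabled(outputs.get("spctl", "")),
        "Firewall disabled": not firewall_enabled(outputs.get("socketfilterfw", "")),
        "Apple mobile file integrity disabled": not amfi_enabled(outputs.get("nvram")),
    }


COMMANDS = {
    "csrutil": ["csrutil", "status"],
    "spctl": ["spctl", "--status"],
    "socketfilterfw": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
    "nvram": ["nvram", "boot-args"],
}


def collect_live() -> Dict[str, str]:
    """Run the real tools (macOS only). stderr is kept because nvram reports 'not found' there."""
    out: Dict[str, str] = {}
    for key, cmd in COMMANDS.items():
        proc = subprocess.run(cmd, capture_output=True, text=True)
        out[key] = proc.stdout + proc.stderr
    return out


# Constructed sample (not captured from a real device): SIP off, AMFI off, firewall off.
SAMPLE_OUTPUTS = {
    "csrutil": "System Integrity Protection status: disabled.\n",
    "spctl": "assessments enabled\n",
    "socketfilterfw": "Firewall is disabled. (State = 0)\n",
    "nvram": "boot-args\tamfi_get_out_of_my_way=1 -v\n",
}

if __name__ == "__main__":
    outputs = collect_live() if platform.system() == "Darwin" else SAMPLE_OUTPUTS
    for ticket, triggered in evaluate(outputs).items():
        print(f"{ticket:40s} {'TICKET' if triggered else 'ok'}")
```

Because boot-args can only be written while SIP is disabled, an AMFI ticket on a device normally arrives alongside a SIP ticket, and the SIP ticket is the one to resolve first: re-enabling SIP from Recovery also clears the way for the AMFI override to be removed.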

UAC notification missing

Coro detected that UAC (User Account Control) notifications are missing on the device, so requests for administrator rights no longer prompt the user.

UAC notification missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enforce UAC notification: The Coro Agent enables UAC on the machine. The Admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log:
    "UAC notification on <device name> of user <user> was re-enabled"

Unencrypted endpoint drive

Coro detected an unencrypted drive on the device.

Unencrypted endpoint drive is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device. A record is added to the Activity Log:
    "Drive encryption was requested on <device name> of user <user> (drive: '<drive>')"
    When drive encryption is complete, a record is added to the Activity Log:
    "Drive was encrypted on <device name> by <user>"
    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

  • Allow no encryption: The hard drive of the device is allowlisted and is treated as not containing any sensitive data that requires disk encryption. The Admin user has the option of immediately closing the current ticket and all related tickets. A record is added to the Activity Log:
    "Hard drive '<drive>' on the device <device name> of user <user> has been allowlisted for not being encrypted"

VSS backup protection

When VSS (Volume Shadow Copy Service) backup protection is enabled, Coro enforces backup snapshots every four hours and blocks processes that put those backups at risk (see Using VSS backup protection on your Windows endpoints in the Coro Help and Documentation). Tickets are suggested for review with a review time of two weeks.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device. A record is added to the Activity Log:
    "Remote scan has been requested for the device <device name> of User"
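The Windows-side conditions behind three ticket types above (UAC notification missing, Unencrypted endpoint drive and VSS backup protection) can be verified locally before an Admin user closes or acts on a ticket. The following Python script is an added example, not Coro's agent code: it parses the text printed by manage-bde and vssadmin (constructed sample output is embedded so the parsers run offline) and reads the UAC registry values from HKLM. Treating EnableLUA=0 or ConsentPromptBehaviorAdmin=0 as "notification missing", the en-US date format in vssadmin output and the four-hour snapshot threshold taken from the VSS description are assumptions made for the example.

```python
"""Local checks behind the UAC, Unencrypted endpoint drive and VSS tickets
(added example, not Coro's agent code)."""
import platform
import re
import subprocess
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Union

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def uac_notification_missing(values: Dict[str, int]) -> bool:
    """EnableLUA=0 switches UAC off; ConsentPromptBehaviorAdmin=0 elevates without any prompt.
    Assumption for this example: either condition is what the ticket calls 'notification
    missing'. Unset values fall back to the Windows defaults (1 and 5)."""
    return values.get("EnableLUA", 1) == 0 or values.get("ConsentPromptBehaviorAdmin", 5) == 0


def read_uac_values() -> Dict[str, int]:
    """Windows only: read the UAC policy values from HKLM (no elevation needed to read)."""
    import winreg  # only importable on Windows
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


def unencrypted_drives(manage_bde_status: str) -> List[str]:
    """Parse `manage-bde -status`; list volumes not fully encrypted with protection on."""
    drives = []
    for block in re.split(r"\n(?=Volume [A-Z]:)", manage_bde_status):
        m = re.match(r"Volume ([A-Z]:)", block)
        if not m:
            continue  # banner text before the first volume
        conv = re.search(r"Conversion Status:\s*(.+)", block)
        prot = re.search(r"Protection Status:\s*(.+)", block)
        encrypted = conv is not None and conv.group(1).strip() == "Fully Encrypted"
        protected = prot is not None and prot.group(1).strip() == "Protection On"
        if not (encrypted and protected):
            drives.append(m.group(1))
    return drives


def newest_shadow_age(vssadmin_list: str, now: Union[datetime, str]) -> Optional[timedelta]:
    """Age of the newest copy in `vssadmin list shadows` output (en-US dates assumed).
    `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    times = [datetime.strptime(ts.strip(), "%m/%d/%Y %I:%M:%S %p")
             for ts in re.findall(r"creation time:\s*(.+)", vssadmin_list, re.IGNORECASE)]
    return now - max(times) if times else None


def vss_snapshots_stale(vssadmin_list: str, now: Union[datetime, str],
                        max_age: timedelta = timedelta(hours=4)) -> bool:
    """True if no snapshot exists or the newest is older than the four-hour cadence."""
    age = newest_shadow_age(vssadmin_list, now)
    return age is None or age > max_age


# Constructed sample outputs (not captured from a real machine) so the parsers run offline.
SAMPLE_BDE = """BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""

SAMPLE_VSS = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/4/2024 5:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000002}

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 3/4/2024 9:00:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000004}
"""

if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("These checks apply to Windows devices only.")
    print("UAC notification missing:", uac_notification_missing(read_uac_values()))
    bde = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
    print("Unencrypted endpoint drive:", unencrypted_drives(bde))
    vss = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout
    print("VSS snapshots stale:", vss_snapshots_stale(vss, datetime.now()))
```

manage-bde and vssadmin need an elevated prompt to enumerate volumes and shadow copies; the registry read works unelevated. A drive that is "Fully Encrypted" with "Protection Off" (BitLocker suspended) is reported here as unencrypted on purpose, since the key is then exposed in the clear on disk.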

Non-genuine Windows Copy

Coro detected a non-genuine copy of Windows on the device.

Non-genuine Windows Copy is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Action outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Forbidden Wi-Fi Connection

Coro detected that the device attempted to connect to a public Wi-Fi network that is blocked by policy. Devices are forbidden from connecting to blocked public Wi-Fi networks.

After the policy is configured, an attempt to connect the device to a blocked public Wi-Fi network fails and a Forbidden Wi-Fi Connection ticket is created. The ticket is auto-closed and no actions are available.

A record is added to the Activity Log: "Connection of device <device name> to WiFi network <Wi-fi network name> has been blocked."

Forbidden Wi-Fi Connection is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Device posture configuration).