Ticket types for devices

Coro generates tickets for protected devices when it identifies the following security vulnerabilities:

Development mode enabled

Coro detected that Development mode is enabled on the device. Development mode is a device configuration that is intended for use by developers and advanced users. Enabling Development mode can expose the device to potential security vulnerabilities.

Development mode enabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Disable developer mode: Disables Development mode on the device.

Device password missing

Coro detected the password is missing on the device.

Device password missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Endpoint drive with NPI

Coro detected unauthorized exposure of NPI (Non-Public personal information) data on the device (see Regulatory sensitive information types). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device.

    A record is added to the Activity Log:

    "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')"

    When drive encryption is complete, a record is added to the Activity Log:

    "Drive was encrypted on <device name> by <user>"

    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

Endpoint drive with PCI

Coro detected unauthorized exposure of PCI (Payment card industry) data on the device (see Regulatory sensitive information types). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device.

    A record is added to the Activity Log:

    "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')"

    When drive encryption is complete, a record is added to the Activity Log:

    "Drive was encrypted on <device name> by <user>"

    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

Endpoint drive with PHI

Coro detected unauthorized exposure of PHI (Protected health information) data on the device (see Regulatory sensitive information types). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device.

    A record is added to the Activity Log:

    "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')"

    When drive encryption is complete, a record is added to the Activity Log:

    "Drive was encrypted on <device name> by <user>"

    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

Endpoint drive with PII

Coro detected unauthorized exposure of PII (Personally identifiable information) data on the device (see Regulatory sensitive information types). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device.

    A record is added to the Activity Log:

    "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')"

    When drive encryption is complete, a record is added to the Activity Log:

    "Drive was encrypted on <device name> by <user>"

    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

Firewall disabled

Coro detected that the firewall on the device is disabled. A firewall is a software or hardware-based security mechanism that monitors and controls network traffic on a device, based on predefined security rules. Firewall disabled refers to a state in which the firewall on a device is not active.

Firewall disabled is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enable firewall: Coro closes the ticket and enables the firewall on the device.

    A record is added to the Activity Log:

    "Firewall on <device name> of user <user> was re-enabled"

Infected process

Coro detected a potentially malicious process on the endpoint device. Processes detected as malicious are terminated immediately and no further action is required. However, Admin users have the option to review the ticket and choose to approve the process group. Tickets are suggested for review with a review time of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device.

    A record is added to the Activity Log:

    "Remote scan has been requested for the device <device name> of User"

  • Approve process group: When a process group is approved by an Admin user, the Coro Agent approves it on all devices in the same workspace. Identical process groups are also considered safe and not terminated.

    A record is added to the Activity Log:

    "Process group <process group> as it was detected on device <device name> of user <user> will be considered safe and thus will not be terminated"

Malware on endpoint

Coro detected potential malware on the endpoint device. Files detected as malicious are automatically moved to a quarantined folder and no further action is required. However, Admin users have the option to review the ticket and choose to approve the files. They can also configure Coro's malware scan to ignore the folder in which the flagged file resides. Tickets are suggested for review with a review time of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device.

    A record is added to the Activity Log:

    "Remote scan has been requested for the device <device name> of User"

  • Approve this file: When a file is approved by an Admin user, the Coro Agent approves it on all devices in the same workspace.

    The file is removed from quarantine (if applicable). Future identical files are not quarantined.

    The Admin user has the option of immediately closing the current ticket and all related tickets.

  • Exclude folder from malware scan: Future malware and ransomware scans will not include the folder specified in the ticket.

    The Admin user has the option of immediately closing the current ticket and all related tickets.

    A record is added to the Activity Log:

    "File <filepath> on the device <device name> of User is excluded from malware inspection for as long as it remains unchanged"

UAC notification missing

Coro detected missing UAC (User Access Control) notifications on the device.

UAC notification missing is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy actions can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

  • Enforce: Auto-remediation is performed, recorded in a ticket, and the ticket is auto-closed.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Enforce UAC notification: The Coro Agent enables UAC on the machine.

    The Admin user has the option of immediately closing the current ticket and all related tickets.

    A record is added to the Activity Log:

    "UAC notification on <device name> of user <user> was re-enabled"

Unencrypted endpoint drive

Coro detected an unencrypted drive on the device.

Unencrypted endpoint drive is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Encrypt drive: Encrypts the hard drive of the device.

    A record is added to the Activity Log:

    "Drive encryption was requested on <device name> of user <user> (drive: '<drive >')"

    When drive encryption is complete, a record is added to the Activity Log:

    "Drive was encrypted on <device name> by <user>"

    Encryption keys are stored on both the device (by BitLocker) and on the Coro servers.

  • Allow no encryption: The hard drive of the device is allowlisted, and is treated as not containing any sensitive data that requires disk encryption.

    The Admin user has the option of immediately closing the current ticket and all related tickets.

    A record is added to the Activity Log:

    "Hard drive '<drive >' on the device <device name> of user <user> has been allowlisted for not being encrypted"
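The three drive-encryption Activity Log messages quoted above can be correlated to list drives whose encryption was requested but neither completed nor allowlisted. This is an added example, not part of the Coro documentation or product; it assumes the Activity Log is available as one message string per entry, and the function name and sample entries are constructed.

```python
import re
from collections import defaultdict

# Patterns built from the Activity Log message templates quoted on this page.
REQUESTED = re.compile(
    r"Drive encryption was requested on (?P<device>.+) of user \S+ "
    r"\(drive: '(?P<drive>[^']*)'\)")
ENCRYPTED = re.compile(r"Drive was encrypted on (?P<device>.+) by \S+")
ALLOWLISTED = re.compile(
    r"Hard drive '(?P<drive>[^']*)' on the device (?P<device>.+) of user \S+ "
    r"has been allowlisted for not being encrypted")


def pending_encryption(messages):
    """Return {device: [drives]} requested but not yet encrypted or allowlisted."""
    outstanding = defaultdict(list)  # device -> requested drives, oldest first
    for raw in messages:
        msg = raw.strip().strip('"')
        if m := REQUESTED.search(msg):
            if m["drive"] not in outstanding[m["device"]]:
                outstanding[m["device"]].append(m["drive"])
        elif m := ALLOWLISTED.search(msg):
            if m["drive"] in outstanding[m["device"]]:
                outstanding[m["device"]].remove(m["drive"])
        elif m := ENCRYPTED.search(msg):
            # The completion message names no drive, so this assumes the
            # oldest outstanding request on that device is the one that finished.
            if outstanding[m["device"]]:
                outstanding[m["device"]].pop(0)
    return {dev: drives for dev, drives in outstanding.items() if drives}


# Constructed sample entries (device and user names are made up).
SAMPLE = [
    "Drive encryption was requested on LAPTOP-01 of user alice@example.com (drive: 'C:')",
    "Drive encryption was requested on LAPTOP-02 of user bob@example.com (drive: 'C:')",
    "Drive encryption was requested on LAPTOP-02 of user bob@example.com (drive: 'D:')",
    "Drive was encrypted on LAPTOP-01 by alice@example.com",
    "Hard drive 'D:' on the device LAPTOP-02 of user bob@example.com "
    "has been allowlisted for not being encrypted",
    "Firewall on LAPTOP-03 of user carol@example.com was re-enabled",
]

if __name__ == "__main__":
    print(pending_encryption(SAMPLE))
```

Because the completion message carries no drive identifier, the result is exact only per device; on a device with several outstanding requests, the drive reported as pending is an inference.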

VSS backup protection

When VSS (Volume Shadow Copy Service) backup protection is enabled, Coro enforces backup snapshots every four hours and blocks processes that exhibit risks to the backup (see Coro Help and Documentation: Using VSS backup protection on your Windows endpoints). Tickets are suggested for review with a review time of two weeks.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

  • Remote scan for malware: A remote malware and ransomware scan is initiated on the device.

    A record is added to the Activity Log:

    "Remote scan has been requested for the device <device name> of User"

Non-genuine Windows Copy

Coro detected a non-genuine copy of Windows on the device.

Non-genuine Windows Copy is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

The following policy action can be applied:

  • Review: No auto-remediation is performed and a ticket is raised and classified as requiring review. The ticket remains open until either the Admin user closes it manually or the vulnerability is observed by the Coro endpoint agent as being resolved.

Actions and outcomes:

  • Close ticket: Close this ticket as considered remediated and take no further action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Forbidden Wi-Fi Connection

Coro detected a blocked public Wi-Fi network. A device is forbidden from connecting to a blocked public Wi-Fi network.

After the policy is configured, any attempt you make to connect to a public Wi-Fi network fails and a Forbidden Wi-Fi Connection ticket is created. The ticket is auto-closed, and no actions are available.

A record is added to the Activity Log: "Connection of device <device name> to WiFi network <Wi-fi network name> has been blocked."

Forbidden Wi-Fi Connection is a vulnerability defined in the Device Posture tab of your Endpoint Devices configuration (see Managing your endpoint devices).

See also: Using the ticket log