EDR allowlist and blocklist
The Coro Endpoint Detection and Response (EDR) blocklist enables admin users with sufficient permissions to block the execution of unsafe processes on a device. Blocking the execution of unauthorized or suspicious processes prevents malware and other malicious software from running on the device. This acts as a defense mechanism, protecting the device from infections and data breaches.
You can also allow specified processes and process image folder paths from the EDR allowlist, thereby preventing the excessive collection of process and telemetry information related to trusted tools and software.
This article discusses the following topics:
- Managing EDR and Endpoint Security allowlists and blocklists
- Accessing the EDR allowlist and blocklist
- Adding allowlist and blocklist records
- Deleting allowlist and blocklist records
- Searching and filtering allowlist and blocklist records
Managing EDR and Endpoint Security allowlists and blocklists
Coro's EDR and Endpoint Security modules use separate allowlists and blocklists. The EDR allowlist prevents EDR tickets from triggering by marking non-system processes and folders as safe, stopping process and telemetry collection for them. The Endpoint Security allowlist excludes specific files or folders from Coro Agent scanning to prevent Endpoint Security ticket triggers. Both EDR and Endpoint Security blocklists actively block the execution of unsafe or non-trusted processes.
The following table outlines the differences between adding records to the EDR allowlist and blocklist, and adding records to the Endpoint Security allowlist and blocklist:
Record type | Add to EDR allowlist | Add to EDR Blocklist | Add to Endpoint Security allowlist | Add to Endpoint Security blocklist |
---|---|---|---|---|
File | N/A | N/A | Prevents Endpoint Security tickets from triggering by excluding the file from Coro Agent scanning | N/A |
Folder | Prevents process execution and telemetry collection for the folder | N/A | Prevents Endpoint Security tickets from triggering by excluding the folder from Coro Agent scanning | N/A |
Process | Prevents EDR tickets from triggering by marking the non-system process as safe. Related process information is not collected in the EDR Telemetry and Process tabs | Blocks unsafe process execution | N/A | Blocks unsafe process execution |
You can add records to the allowlist and blocklist individually, or as a list contained in a CSV file.
note
Blocked process details are displayed on both the Endpoint Security blocklist as well as the EDR blocklist.
Accessing the EDR allowlist and blocklist
To access the EDR allowlist and blocklist:
- Sign into the Coro console
-
Select
Control Panel
:
-
Select
EDR
:
-
Select the
Allow/Block
tab:
The Allow/Block tab displays a list of allowed process file hash and folder records as well as blocked process records. The list contains the following columns:
-
Symbol
: Specifies the record type:
- : Process image folder record.
- : Process hash record.
-
Value
: The value of the record, based on the record type above. This value must be one of the following:
- Process image folder path
- Process file hash
note
A process file hash is a fixed-size alphanumeric string representing file content, generated using cryptographic functions. Coro supports:
- SHA-256 : A cryptographic hash function that generates a 256-bit hash from any input, commonly used for data integrity, digital signatures, and encryption.
- CDHash : A cryptographic hash function specific to Apple's code signing, derived from an app's Code Directory, often using SHA-256. It ensures executable files haven't been altered.
- List : Specifies to which list the process record belongs.
- Description ( optional ): A short description of the process record.
-
Symbol
: Specifies the record type:
Adding allowlist and blocklist records
You can add allowlist or blocklist records individually or import them in bulk from a CSV file.
Adding records individually
To add an allowlist or blocklist record:
- Select the list to which to add the record:
note
Admin users can add non-system process records to the allowlist and both non-system and system process records to the blocklist.
Admin users can also add folder records to the allowlist.
-
After adding records, enable the following options to apply the rules to all child workspaces:
note
The Apply allow/block rules for files and folders to all child workspaces and Apply allow/block rules for processes to all child workspaces options apply to channel workspaces only.
- Apply allow/block rules for files and folders to all child workspaces : Applicable to file and folder records.
- Apply allow/block rules for processes to all child workspaces : Applicable to process records.
Adding a record to the allowlist
To add a record to the allowlist:
-
Select
+ ADD
>
Add to allowlist
:
The Add to allowlist dialog appears:
-
Enter the following information:
-
Add Process hash or folder path
: Enter a valid SHA-256 hash, CDHash, or process image file path.
note
A process image file path is the directory path of the executable file that started a process. For example:
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
(macOS)C:\Program Files\app\app.exe
(Windows) - Add description ( Optional ): Enter a suitable allowlist record description.
-
Add Process hash or folder path
: Enter a valid SHA-256 hash, CDHash, or process image file path.
-
Select
SAVE
.
Coro creates the allowlist record and attaches a timestamp indicating when the process hash or process image file path was allowed:
Important
When you add records to the EDR allowlist, the action prevents only EDR tickets from triggering, not Endpoint Security tickets.
Adding a record to the blocklist
To add a record to the blocklist:
-
Select
+ ADD
>
Add to blocklist
:
The Add to blocklist dialog appears:
-
Enter the following information:
- Add process hash : Enter a valid SHA-256 hash or CDHash.
- Add description ( Optional ): Enter a suitable blocklist record description.
-
Select
SAVE
.
Coro creates the process record, adds it to the EDR blocklist, and attaches a timestamp indicating when the process was blocked:
When a blocked process attempts to execute on a device, the Coro Agent displays a notification to alert the user:
Importing records from a CSV file
Admin users can add records to the allowlist or blocklist by importing a CSV file containing a list of records.
Entries in your CSV file must follow the pattern:
<Type>,<Value>,<List>,<Description>
Each entry must be on a separate line, with the following possible values in each field:
Field | Description | Allowed values |
---|---|---|
<Type> | The item type. | Folder or Process |
<Value> | A folder path or a process hash. | Examples: c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb |
<List> | Specifies whether to allow or block the item. | Allowed or Blocked |
<Description> | (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. |
A test file or An allowed process |
Files must adhere to the following rules:
- You must specify valid values in all four columns. Coro EDR ignores entries with extra columns or invalid values.
- The maximum file size is 10 MB.
- The CSV import filename must be in lowercase.
- A single CSV import file can contain a maximum of 500 records.
-
When
Type
is
Process
:
- Value must be a valid SHA-256 hash or CDHash.
note
CDHash values have a maximum string length of 40 characters.
SHA-256 hash values have a maximum string length of 64 characters.
-
When
Type
is
Folder
:
- Value must be a valid folder path.
- Value must not contain "'", "?", "//", or "|".
- Value must not contain ":" if it contains "/".
- Value has no character limitation.
- Apply Blocked when Type is Process .
To import process records to the EDR blocklist from a CSV file:
-
Select
+ ADD
>
Import from CSV
:
The Import CSV to allow / block list dialog appears:
-
(Optional) If you haven't created a valid CSV file, select
Download our template to avoid invalid entries
:
Use the downloaded template to ensure all required columns are completed.
-
Select
Click to upload
:
Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.
-
Select a valid CSV file:
After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:
-
(Optional) Select
Remove
to discard the selected CSV file and choose an alternative file:
-
(Optional) Select
Remove
to discard the selected CSV file and choose an alternative file:
-
Select
IMPORT
:
Coro processes the CSV file.
After Coro completes the import process, a summary appears that displays the number of successfully imported records:
If any records fail to import, the summary displays the number of invalid records out of the total number of records in the CSV file:
-
Select
Try again
to restart the import process, otherwise select
CLOSE
.
note
Selecting CLOSE does not undo previously imported valid records.
The imported records are added to the EDR allowlist/blocklist:
Deleting allowlist and blocklist records
To delete a record from the allowlist or blocklist:
- Select the three-dot menu to the right of the record.
-
Select
Delete record
:
The record is deleted from the corresponding EDR allowlist or blocklist.
Searching and filtering allowlist and blocklist records
You can filter and search the EDR allowlist and blocklist to find specific entries. The Type filter enables you to filter allowlist and blocklist records by:
- Folder
- Process
You can also perform a free text search across the Value and Description columns: