EDR allowlist and blocklist

The Coro Endpoint Detection and Response (EDR) blocklist enables admin users with sufficient permissions to block the execution of unsafe processes on a device. Blocking the execution of unauthorized or suspicious processes prevents malware and other malicious software from running on the device. This acts as a defense mechanism, protecting the device from infections and data breaches.

You can also allow specified processes and process folder paths from the EDR allowlist, thereby preventing the excessive collection of process and telemetry information related to trusted tools and software.

Important

Managed Service Provider (MSP) admin users with sufficient permissions can also access global allowlists and blocklists to view and manage rules across channel and descendant workspaces.

This article discusses the following topics:

Managing allowlists and blocklists for Endpoint Security and EDR

Coro's EDR and Endpoint Security modules use separate allowlists but share the same blocklist. The EDR allowlist prevents EDR tickets from triggering by marking processes and folders as safe, stopping process and telemetry collection for them. The Endpoint Security allowlist excludes specific files or folders from Coro Agent scanning to prevent Endpoint Security ticket triggers. Both EDR and Endpoint Security blocklists actively block the execution of unsafe or non-trusted processes.

The following table outlines the differences between adding records to the EDR allowlist and blocklist, and adding records to the Endpoint Security allowlist and blocklist:

Record type EDR allowlist EDR Blocklist Endpoint Security allowlist Endpoint Security blocklist
File Prevents EDR tickets from triggering for the specified process file. Related process information is not collected in the EDR Telemetry and Process tabs. N/A Prevents Endpoint Security tickets from triggering by excluding the file from Coro Agent scanning. N/A
Folder Prevents EDR tickets from triggering for processes whose files are located in the specified folder. Related process information is not collected in the EDR Telemetry and Process tabs. N/A Prevents Endpoint Security tickets from triggering by excluding the folder from Coro Agent scanning. N/A
Process Prevents EDR tickets from triggering for the specified process file hash. Related process information is not collected in the EDR Telemetry and Process tabs. Blocks unsafe process execution. N/A Blocks unsafe process execution.

You can add records to the allowlist and blocklist individually, or as a list contained in a CSV file.

note

Blocked process details are displayed on both the Endpoint Security blocklist and the EDR blocklist.

Accessing the EDR allowlist and blocklist

To access the EDR allowlist and blocklist:

  1. Access EDR .
  2. Select Allow/Block :

    EDR Allow/Block tab

    The Allow/Block tab displays a list of allowed process file hash and folder records and blocked process records. The list contains the following columns:

    • Symbol : Specifies the record type:
      • Folder symbol : Process folder record.
      • Process symbol : Process hash record.
    • Value : The value of the record, based on the record type. This value must be one of the following:
      • Process folder path
      • Process file hash
      note

      A process file hash is a fixed-size alphanumeric string representing file content, generated using cryptographic functions. Coro supports:

      • SHA-256 : A cryptographic hash function that generates a 256-bit hash from any input, commonly used for data integrity, digital signatures, and encryption.
    • List : Specifies to which list the process record belongs.
    • Description : (Optional) A short description of the process record.

    EDR Allow/Block list

Adding allowlist and blocklist records

You can add allowlist or blocklist records individually or import them in bulk from a CSV file.

Adding records individually

To add an allowlist or blocklist record:

  1. Select + ADD from the Allow/Block page.
  2. Select Add to allowlist or Add to blocklist :

    Add list record

note

Admin users can add non-system process records to the allowlist and both non-system and system process records to the blocklist.

Admin users can also add folder records to the allowlist.

Adding a record to the allowlist

To add a record to the allowlist:

  1. Select + ADD > Add to allowlist :

    Add to allowlist

    Coro displays the Add to allowlist dialog.

  2. Select Process Hash , File path or Folder path , then enter a valid SHA-256 hash or process file or folder path.
    note

    A process file path is the directory path of the executable file that started a process. For example: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome (macOS) C:\Program Files\app\app.exe (Windows)

    Important

    SHA-256 hash values have a maximum string length of 64 characters.

    Process file path values must:

    • Be valid file paths.
    • Not contain ' , ? , // , or | .
    • Not contain : if they contain / .
  3. (Optional) Enter a description for the record.
  4. Select SAVE :

    Add to allowlist

    Coro adds the record to the allowlist and attaches a timestamp that shows when the record was allowed:

    Process added

Important

When you add records to the EDR allowlist, the action prevents only EDR tickets from triggering, not Endpoint Security tickets.

Adding a record to the blocklist

To add a record to the blocklist:

  1. Select + ADD > Add to blocklist :

    Add to blocklist

    Coro displays the Add to blocklist dialog.

  2. Enter a valid SHA-256 hash into the Process Hash field.
    Important

    SHA-256 hash values have a maximum string length of 64 characters.

  3. (Optional) Enter a description for the record.
  4. Select SAVE :

    Add to blocklist

    Coro adds the process to the blocklist and attaches a timestamp that shows when the process was blocked:

    Process added

    When a blocked process attempts to execute on a device, the Coro Agent displays a notification to alert the user:

    Agent notification for blocked process

Importing records from a CSV file

Admin users can add records to the allowlist or blocklist by importing a CSV file containing a list of records.

To import process records to the EDR blocklist from a CSV file:

  1. Select + ADD > Import from CSV :

    Import from CSV

    Coro displays the Import CSV to allow / block list dialog:

    Import CSV dialog

  2. (Optional) If you haven't created a valid CSV file, select Download our template to avoid invalid entries :

    CSV template file link

    Use the downloaded template to ensure all required columns are completed.

  3. Select Click to upload :

    Click to upload

    Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.

  4. Select a valid CSV file:

    Select CSV file

    After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:

    Selected CSV file

    • (Optional) Select Remove to discard the selected CSV file and choose an alternative file:

      Remove CSV file

  5. Select IMPORT :

    Import CSV file

    Coro processes the CSV file.

    After Coro completes the import process, a summary appears that displays the number of successfully imported records:

    Successfully imported records

    If any records fail to import, the summary displays the number of invalid records out of the total number of records in the CSV file:

    Invalid records

  6. Select Try again to restart the import process, otherwise select CLOSE .
    note

    Selecting CLOSE does not undo previously imported valid records.

    Coro adds the imported records to the EDR allowlist/blocklist:

    Import success

CSV file validation

Entries in your CSV file must follow the pattern:

<Type>,<Value>,<List>,<Description>

Each entry must be on a separate line, with the following possible values in each field:

Field Description Allowed values
<Type> The item type. Folder or Process
<Value> A folder path or a process hash. Examples: c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb
<List> Specifies whether to allow or block the item. Allowed or Blocked
<Description> (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. A test file or An allowed process

Files must adhere to the following rules:

  • You must specify valid values in all four columns. Coro ignores entries with extra columns or invalid values.
  • The maximum file size is 10 MB.
  • The CSV import filename must be in lowercase.
  • A single CSV import file can contain a maximum of 500 records.
  • When Type is Process :
    • Value must be a valid SHA-256 hash.
    note

    SHA-256 hash values have a maximum string length of 64 characters.

  • When Type is Folder , Value must:
    • Be a valid folder path.
    • Not contain ' , ? , // , or | .
    • Must not contain : if it contains / .
  • Apply Blocked when Type is Process .

Deleting allowlist and blocklist records

To delete a record from the allowlist or blocklist:

  1. Select the three-dot menu to the right of the record.
  2. Select Delete record :

    Delete record

    Coro deletes the record from the corresponding EDR allowlist or blocklist.

Searching and filtering allowlist and blocklist records

Filter and search the EDR allowlist and blocklist to find specific entries. The Type filter enables you to filter allowlist and blocklist records by:

  • Folder
  • Process

Search Allow/Block list

You can also perform a free text search across the Value and Description columns:

Search Allow/Block list