Blocking processes

The Coro EDR blocklist enables admin users with sufficient permissions to block the execution of unsafe processes on a device. Blocking the execution of unauthorized or suspicious processes prevents malware and other malicious software from running on the device. This acts as a defense mechanism, protecting the device from infections and data breaches. You can add process records to the blocklist individually, or as a list contained in a CSV file.

When a blocked process attempts to execute on a device, the Coro Agent displays a notification to alert the user:

Agent notification for blocked process

Note

Coro EDR imports file, folder, and process records from a list contained in a CSV file. Imported blocked process records are displayed on the EDR blocklist. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.

Note

Blocked process details are displayed on both the Endpoint Security allowlist and blocklist as well as the EDR blocklist.

Accessing the EDR blocklist

To manage your EDR blocklist, use the EDR Allow/Block page.

Info

Add processes to the EDR blocklist by using the Block Process action on the EDR Processes page.

To access the EDR blocklist:

  1. Sign in to the Coro console.

  2. Select Control Panel from the toolbar:

    Control Panel

  3. Select EDR:

    EDR

  4. Select the Allow/Block tab:

    EDR Allow/Block tab

    The Allow/Block page appears:

    EDR Allow/Block page

    The Allow/Block page displays the EDR blocklist that contains a list of blocked processes. The EDR blocklist contains the following columns:

    • Value: The process hash of the record.

    • List: Specifies to which list the process record belongs.

      Note

      Process records cannot be added to the allowlist. Coro EDR automatically adds all process records to the blocklist by default.

    • Description (optional): A short description of the process record. When no value is specified, "N/A" is displayed.

Adding blocked process records

Add processes to the EDR blocklist individually or import them in bulk from a CSV file.

Note

Coro EDR imports file, folder, and process records from a list contained in a CSV file. Imported blocked process records are displayed on the EDR blocklist. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.

Adding process records individually

To add a new process record to the EDR blocklist:

  1. Select + ADD:

    Add Block list process record

  2. Select Add process record:

    Add process record

    The Add new process record dialog appears:

    Add new process record dialog

  3. Enter a process hash value into the Add hash field.

  4. (Optional) Enter a description for the new process record into the Add description field.

  5. Select SAVE.

    Coro EDR creates the new process record, adds it to the EDR blocklist, and attaches a timestamp indicating when the process was blocked:

    Process added

  6. Enable Apply allow/block rules for processes to all child workspaces to apply process rules to all child workspaces:

    Process added

    Note

    Channel workspaces display the Apply allow/block rules for processes to all child workspaces option.

Importing records from a CSV file

Admin users are able to add processes to the EDR blocklist by importing a CSV file containing a list of blocked process records.

Note

With the Endpoint Security module enabled, you can import CSV files that include allowed file and folder records. You can view the imported file and folder records from the Endpoint Security Allow/Block page. For further information on allowing files and folders, see Endpoint Security allowlist and blocklist.

Entries in your CSV file must follow the pattern:

<Type>,<Value>,<List>,<Description>

Each entry must be on a separate line, with the following possible values in each field:

| Field | Description | Allowed values |
| --- | --- | --- |
| <Type> | The item type. | File or Folder or Process |
| <Value> | A file/folder path or a process hash. | Examples: c:\users\downloads\test.txt, c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb |
| <List> | Specifies whether to allow or block the item. | Allowed or Blocked |
| <Description> | (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. | A test file or An allowed process |

Files must abide by the following rules:

  • You must specify valid values in all four columns. Coro EDR ignores entries with extra columns or invalid values.

  • The maximum file size is 1 MB.

  • The CSV import filename must be in lowercase.

  • A single CSV import file can contain a maximum of 200 records.

  • When Type is File or Process:

    • Value has a maximum string length of 32 characters.

    • Value only accepts lowercase letters and numbers.

  • When Type is Folder:

    • Value has no limitation in string length.

    • Value has no character limitation.

  • Apply Allowed when Type is Folder or File.

  • Apply Blocked when Type is Process.
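
Because Coro EDR ignores entries with extra columns or invalid values, a mistyped record can drop out of an import without appearing on the blocklist. The following pre-flight check is an added example (not Coro's code) that applies the rules above as written and reports which records would be ignored. It assumes no header row, case-sensitive Type and List values, an empty Description field being acceptable, and 1 MB read as 1,000,000 bytes; the sample rows are constructed.

```python
import csv
import re

MAX_BYTES = 1_000_000   # "1 MB", read as decimal bytes (assumption)
MAX_RECORDS = 200
VALUE_RE = re.compile(r"[a-z0-9]{1,32}")   # File/Process Value rule as listed
REQUIRED_LIST = {"File": "Allowed", "Folder": "Allowed", "Process": "Blocked"}
# Constructed sample: two valid records followed by three that break a rule.
SAMPLE = (
    b"Process,0123456789abcdef0123456789abcdef,Blocked,Constructed sample hash\n"
    b"Folder,c:\\dev\\,Allowed,\n"
    b"Process,0123456789ABCDEF0123456789ABCDEF,Blocked,uppercase hash\n"
    b"Process,0123456789abcdef0123456789abcdef,Allowed,wrong list\n"
    b"Process,0123456789abcdef0123456789abcdef,Blocked,note,extra\n"
)


def check_row(row):
    """Return (record, None) for a valid row or (None, reason) for a rejected one."""
    if len(row) != 4:
        return None, "expected 4 columns, got %d" % len(row)
    rtype, value, rlist, desc = (field.strip() for field in row)
    if rtype not in REQUIRED_LIST:
        return None, "unknown Type %r" % rtype
    if rlist != REQUIRED_LIST[rtype]:
        return None, "%s records must use List=%s" % (rtype, REQUIRED_LIST[rtype])
    if not value or (rtype != "Folder" and not VALUE_RE.fullmatch(value)):
        return None, "Value must be 1-32 lowercase letters/digits (non-empty for Folder)"
    return (rtype, value, rlist, desc or "N/A"), None


def validate_import(filename, data):
    """Pre-flight check of an import CSV; returns (accepted, rejected, file_errors)."""
    file_errors = []
    if filename != filename.lower():
        file_errors.append("filename must be lowercase")
    if len(data) > MAX_BYTES:
        file_errors.append("file exceeds 1 MB")
    rows = [r for r in csv.reader(data.decode("utf-8").splitlines()) if r]
    if len(rows) > MAX_RECORDS:
        file_errors.append("more than %d records" % MAX_RECORDS)
    accepted, rejected = [], []
    for recno, row in enumerate(rows, start=1):
        record, reason = check_row(row)
        if record:
            accepted.append(record)
        else:
            rejected.append((recno, reason))
    return accepted, rejected, file_errors
```

Run `validate_import("blocklist.csv", SAMPLE)` before uploading and resolve every entry in the rejected list, since those are the records the import would skip.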

To facilitate creating a valid CSV file, Coro EDR provides a link to a template in the Upload a CSV file dialog:

CSV template file link

To import new process records to the EDR blocklist from a CSV file:

  1. Select + ADD:

    Add blocked process record

  2. Select Import from CSV:

    Import from CSV

    The Import CSV to allow / block list dialog appears:

    Import CSV dialog

  3. Select Click to upload:

    Click to upload

  4. Select the CSV file:

    Select CSV file

    The CSV file in this example has two records:

    • One process record.

    • One folder record.

    CSV file example data

    After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:

    Selected CSV file

    Note

    Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.

  5. Select IMPORT:

    Import CSV file

    A confirmation dialog appears to inform you that the import is in progress.

  6. Select GOT IT:

    Import in progress

  7. Navigate back to the EDR Allow/Block page.

    The imported process record appears in the EDR blocklist:

    Import success

    Reminder

    The EDR blocklist displays blocked process records. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.

Deleting blocked process records

To delete a process record from the EDR blocklist:

  1. Select the three-dot menu to the right of the record.

  2. Select Delete record.

    Delete record

    The record is deleted from the EDR blocklist.

Searching blocked process records

The Search field allows you to search and filter EDR blocklist process records using a free text search. The search covers the Value and Description columns.

Search Allow/Block list

Note

The free text search finds items that begin with a specific sequence of characters. Enter the initial characters of a value or description to display the matching records.