Blocking processes¶
The Coro EDR blocklist enables admin users with sufficient permissions to block the execution of unsafe processes on a device. Blocking the execution of unauthorized or suspicious processes prevents malware and other malicious software from running on the device. This acts as a defense mechanism, protecting the device from infections and data breaches. You can add process records to the blocklist individually, or as a list contained in a CSV file.
When a blocked process attempts to execute on a device, the Coro Agent displays a notification to alert the user:
Note
Coro EDR imports file, folder, and process records from a list contained in a CSV file. Imported blocked process records are displayed on the EDR blocklist. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.
Note
Blocked process details are displayed on both the Endpoint Security allowlist and blocklist as well as the EDR blocklist.
This article discusses the following topics:
Accessing the EDR blocklist¶
To manage your EDR blocklist, use the EDR Allow/Block page.
Info
Add processes to the EDR blocklist by using the Block Process action on the EDR Processes page.
To access the EDR blocklist:
-
Select Control Panel from the toolbar:
-
Select EDR:
-
Select the Allow/Block tab:
The Allow/Block page appears:
The Allow/Block page displays the EDR blocklist that contains a list of blocked processes. The EDR blocklist contains the following columns:
-
Value: The process hash of the record.
-
List: Specifies to which list the process record belongs.
Note
Process records cannot be added to the allowlist. Coro EDR automatically adds all process records to the blocklist by default.
-
Description (optional): A short description of the process record. When no value is specified, "N/A" is displayed.
-
Adding blocked process records¶
Add processes to the EDR blocklist individually or import them in bulk from a CSV file.
Note
Coro EDR imports file, folder, and process records from a list contained in a CSV file. Imported blocked process records are displayed on the EDR blocklist. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.
Adding process records individually¶
To add a new process record to the EDR blocklist:
-
Select + ADD:
-
Select Add process record:
The Add new process record dialog appears:
-
Enter a process hash value into the Add hash field.
-
(Optional) Enter a description for the new process record into the Add description field.
-
Select SAVE.
Coro EDR creates the new process record, adds it to the EDR blocklist, and attaches a timestamp indicating when the process was blocked:
-
Enable Apply allow/block rules for processes to all child workspaces to apply process rules to all child workspaces:
Note
Channel workspaces display the Apply allow/block rules for processes to all child workspaces option.
Importing records from a CSV file¶
Admin users are able to add processes to the EDR blocklist by importing a CSV file containing a list of blocked process records.
Note
With the Endpoint Security module enabled, you can import CSV files that include allowed file and folder records. You can view the imported file and folder records from the Endpoint Security Allow/Block page. For further information on allowing files and folders, see Endpoint Security allowlist and blocklist.
Entries in your CSV file must follow the pattern:
<Type>,<Value>,<List>,<Description>
Each entry must be on a separate line, with the following possible values in each field:
Field | Description | Allowed values |
---|---|---|
<Type> | The item type. | File or Folder or Process |
<Value> | A file/folder path or a process hash. | Examples: c:\users\downloads\test.txt , c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb |
<List> | Specifies whether to allow or block the item. | Allowed or Blocked |
<Description> | (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. | A test file or An allowed process |
Files must abide by the following rules:
-
You must specify valid values in all four columns. Coro EDR ignores entries with extra columns or invalid values.
-
The maximum file size is 1 MB.
-
The CSV import filename must be in lowercase.
-
A single CSV import file can contain a maximum of 200 records.
-
When Type is File or Process:
-
Value has a maximum string length of 32 characters.
-
Value only accepts lowercase letters and numbers.
-
-
When Type is Folder:
-
Value has no limitation in string length.
-
Value has no character limitation.
-
-
Apply Allowed when Type is Folder or File.
-
Apply Blocked when Type is Process.
To facilitate creating a valid CSV file, Coro EDR provides a link to a template in the Upload a CSV file dialog:
To import new process records to the EDR blocklist from a CSV file:
-
Select + ADD:
-
Select Import from CSV:
The Import CSV to allow / block list dialog appears:
-
Select Click to upload:
-
Select the CSV file:
The CSV file in this example has two records:
-
One process record.
-
One folder record.
After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:
Note
Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.
-
-
Select IMPORT:
A confirmation dialog appears to inform you that the import is in progress.
-
Select GOT IT:
-
Navigate back to the EDR Allow/Block page.
The imported process record appears in the EDR blocklist:
Reminder
The EDR blocklist displays blocked process records. File and folder records are displayed on the Endpoint Security allowlist and blocklist. To view file and folder records, the Endpoint Security module must be enabled. For further information, see Endpoint Security allowlist and blocklist.
Deleting blocked process records¶
To delete a process record from the EDR blocklist:
-
Select the three-dot menu to the right of the record:
-
Select Delete record.
The record is deleted from the EDR blocklist.
Searching blocked process records¶
The Search field allows you to search and filter EDR blocklist process records using a free search. A free text search allows you to search the Value and Description columns.
Note
The free text search functionality finds items that begin with a specific sequence of characters. By entering the initial characters, the system displays relevant results, saving time and improving efficiency in locating desired information.