EDR allowlist and blocklist
The Coro Endpoint Detection and Response (EDR) blocklist enables admin users with sufficient permissions to block the execution of unsafe processes on a device. Blocking the execution of unauthorized or suspicious processes prevents malware and other malicious software from running on the device. This acts as a defense mechanism, protecting the device from infections and data breaches.
You can also add specified process image files and folders to the EDR allowlist, which prevents the excessive collection of process and telemetry information for trusted tools and software.
This article discusses the following topics:
- Managing EDR and Endpoint Security allowlists and blocklists
- Accessing the EDR allowlist and blocklist
- Adding allowlist and blocklist records
- Deleting allowlist and blocklist records
- Searching and filtering allowlist and blocklist records
Managing EDR and Endpoint Security allowlists and blocklists
There are separate allowlists and blocklists for EDR and Endpoint Security. The EDR allowlist prevents process and telemetry collection, while the Endpoint Security allowlist excludes files or folders from Coro Agent scanning to prevent Endpoint Security ticket triggers. Both EDR and Endpoint Security blocklists prevent unsafe process execution.
The following table outlines the differences between adding records to the EDR allowlist and blocklist, and adding records to the Endpoint Security allowlist and blocklist:
Record type | Add to EDR allowlist | Add to EDR blocklist | Add to Endpoint Security allowlist | Add to Endpoint Security blocklist |
---|---|---|---|---|
File | Prevents process and telemetry collection for the file | N/A | Prevents Endpoint Security tickets from triggering by excluding the file from Coro Agent scanning | N/A |
Folder | Prevents process and telemetry collection for the folder | N/A | Prevents Endpoint Security tickets from triggering by excluding the folder from Coro Agent scanning | N/A |
Process | N/A | Blocks unsafe process execution | N/A | Blocks unsafe process execution |
You can add records to the allowlist and blocklist individually, or as a list contained in a CSV file.
note
Blocked process details are displayed on both the Endpoint Security blocklist and the EDR blocklist.
Accessing the EDR allowlist and blocklist
To access the EDR allowlist and blocklist:
- Sign in to the Coro console.
- Select Control Panel:
- Select EDR:
- Select the Allow/Block tab:
The Allow/Block tab displays a list of allowed process image file and folder records as well as blocked process records. The list contains the following columns:
- Symbol: Specifies the record type:
  - File: You can add process image file records to the allowlist.
  - Folder: You can add process image folder records to the allowlist.
  - Process: You can add process records to the blocklist.
- Value: The value of the record, based on the record type above. This value must be one of the following:
  - Process image file path
  - Process image folder path
  - Process hash
- List: Specifies to which list the process record belongs.
  note
  Admin users can only add process records to the blocklist.
- Description (optional): A short description of the process record.
Adding allowlist and blocklist records
You can add allowlist or blocklist records individually or import them in bulk from a CSV file.
Adding records individually
To add a new allowlist or blocklist record:
- Select the type of record to add:
- After adding records, enable the following options to apply the rules to all child workspaces:
  note
  The Apply allow/block rules for files and folders to all child workspaces and Apply allow/block rules for processes to all child workspaces options apply to channel workspaces only.
  - Apply allow/block rules for files and folders to all child workspaces: Applicable to file and folder records.
  - Apply allow/block rules for processes to all child workspaces: Applicable to process records.
Adding a file record
To add a new file record to the allowlist:
- Select + ADD > Add file record:
The Add new file record dialog appears:
- Enter the following information:
  - Add file path: Enter a valid process image file path.
  - Add description (Optional): Enter a suitable file record description.
- Select SAVE.
Coro creates the new file record, adds it to the allowlist, and attaches a timestamp indicating when the process image file was allowed:
After a file is added to the allowlist, Coro treats the process image file as trusted and stops collecting corresponding process and telemetry information for it.
note
Admin users can only add file records to the allowlist.
Adding a folder record
To add a new folder record to the allowlist:
- Select + ADD > Add folder record:
The Add new folder record dialog appears:
- Enter the following information:
  - Add folder: Enter a valid process image folder path.
  - Add description (Optional): Enter a suitable folder record description.
- Select SAVE.
Coro creates the new folder record, adds it to the allowlist, and attaches a timestamp indicating when the process image folder path was allowed:
After a folder is added to the allowlist, Coro treats the process image folder path as trusted and stops collecting corresponding process and telemetry information for it.
note
Admin users can only add folder records to the allowlist.
Adding a process record
To add a new process record to the blocklist:
- Select + ADD > Add process record:
The Add new process record dialog appears:
- Enter the following information:
  - Add hash: Enter a valid CD hash or SHA256 hash.
  - Add description (Optional): Enter a suitable process record description.
- Select SAVE.
Coro EDR creates the new process record, adds it to the EDR blocklist, and attaches a timestamp indicating when the process was blocked:
When a blocked process attempts to execute on a device, the Coro Agent displays a notification to alert the user:
note
Admin users can only add process records to the blocklist.
Importing records from a CSV file
Admin users are able to add records to the allowlist or blocklist by importing a CSV file containing a list of records.
Entries in your CSV file must follow the pattern:
<Type>,<Value>,<List>,<Description>
Each entry must be on a separate line, with the following possible values in each field:
Field | Description | Allowed values |
---|---|---|
<Type> | The item type. | File or Folder or Process |
<Value> | A file/folder path or a process hash. | Examples: c:\users\downloads\test.txt , c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb |
<List> | Specifies whether to allow or block the item. | Allowed or Blocked |
<Description> | (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. | A test file or An allowed process |
Files must abide by the following rules:
- You must specify valid values in all four columns. Coro EDR ignores entries with extra columns or invalid values.
- The maximum file size is 1 MB.
- The CSV import filename must be in lowercase.
- A single CSV import file can contain a maximum of 200 records.
- When Type is Process:
  - Value must be a valid CD hash or SHA256 hash.
  note
  CD hash values have a maximum string length of 40 characters.
  SHA256 hash values have a maximum string length of 64 characters.
- When Type is File or Folder:
  - Value must be a valid file or folder path.
  - Value must not contain "'", "?", "//", or "|".
  - Value must not contain ":" if it contains "/".
  - Value has no character limitation.
- Apply Allowed when Type is Folder or File.
- Apply Blocked when Type is Process.
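A pre-upload check for the import rules listed above, as an added example that is not Coro's code or part of the original article. The names `check_row` and `lint_import` are hypothetical, and the script assumes hashes are hexadecimal with exact lengths of 40 (CD hash) or 64 (SHA256), that 1 MB means 1,000,000 bytes, and that Description may be empty as long as the fourth column is present.

```python
import csv
import io
import re

MAX_BYTES = 1_000_000  # assumption: "1 MB" read as 10^6 bytes
MAX_RECORDS = 200
HEX = re.compile(r"[0-9a-fA-F]+")

def check_row(row):
    """Return the reason a row breaks a documented rule, or None if it passes."""
    if len(row) != 4:
        return "expected exactly 4 columns"
    rtype, value, rlist, _desc = (f.strip() for f in row)
    if rtype == "Process":
        if rlist != "Blocked":
            return "Process records must use Blocked"
        # Assumption: hex digits only; 40 chars = CD hash, 64 chars = SHA256.
        if len(value) not in (40, 64) or not HEX.fullmatch(value):
            return "Value must be a 40-char CD hash or 64-char SHA256 hash"
    elif rtype in ("File", "Folder"):
        if rlist != "Allowed":
            return "File and Folder records must use Allowed"
        if not value or any(t in value for t in ("'", "?", "//", "|")):
            return "path is empty or contains a forbidden sequence"
        if "/" in value and ":" in value:
            return 'path contains ":" together with "/"'
    else:
        return "Type must be File, Folder or Process"
    return None

def lint_import(filename, data):
    """Lint CSV bytes before upload; returns (record_number, problem), 0 = file-level."""
    problems = []
    if filename != filename.lower():
        problems.append((0, "filename must be lowercase"))
    if len(data) > MAX_BYTES:
        problems.append((0, "file larger than 1 MB"))
    rows = [r for r in csv.reader(io.StringIO(data.decode("utf-8"))) if r]
    if len(rows) > MAX_RECORDS:
        problems.append((0, "more than 200 records"))
    problems += [(n, why) for n, row in enumerate(rows, 1) if (why := check_row(row))]
    return problems

SAMPLE = (  # constructed sample input, not taken from a real import
    b"Process,986e27a1e6a4cbae373d28337ac3759325163ffb,Blocked,Unwanted tool\n"
    b"Folder,c:\\dev\\,Allowed,Build output\n"
    b"File,c:/tools/agent.exe,Allowed,Mixed separators\n"
    b"File,c:\\users\\downloads\\test.txt,Blocked,Wrong list\n"
)
```

Because Coro EDR ignores entries with extra columns or invalid values, a blocklist row flagged here may never become a record, so clear every reported problem before uploading.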
To facilitate creating a valid CSV file, Coro EDR provides a link to a template in the Import CSV to allow / block list dialog:
To import new process records to the EDR blocklist from a CSV file:
- Select + ADD > Import from CSV:
The Import CSV to allow / block list dialog appears:
- Select Click to upload:
- Select the CSV file:
The CSV file in this example has two records:
- One process record.
- One folder record.
After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:
note
Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.
- Select IMPORT:
A confirmation dialog appears to inform you that the import is in progress.
- Select GOT IT:
- Navigate back to the EDR Allow/Block page.
The imported process record is added to the EDR blocklist and the folder record is added to the EDR allowlist:
Deleting allowlist and blocklist records
To delete a record from the allowlist or blocklist:
- Select the three-dot menu to the right of the record.
- Select Delete record:
The record is deleted from the corresponding EDR allowlist or blocklist.
Searching and filtering allowlist and blocklist records
You can filter and search the EDR allowlist and blocklist to find specific entries. The Type filter allows you to filter allowlist and blocklist records by:
- Folder
- Process
- File
You can also perform a free-text search across the Value and Description columns: