Endpoint Security allowlist and blocklist

The Coro Endpoint Security allowlist and blocklist enable admin users with sufficient permissions to manage the access of files and folders deemed safe and block the execution of unsafe processes on a device. This allows admin users more control over what Coro monitors by:

  • Suppressing possible false positive detections of files and folders considered safe by your organization.
  • Excluding folders from being scanned by the Coro Agent in order to improve the Agent's performance.
  • Blocking identified malicious processes from executing.

This article discusses the following topics:

Managing Endpoint Security and EDR allowlists and blocklists

There are separate allowlists and blocklists for Endpoint Security and Endpoint Detection and Response (EDR). The EDR allowlist prevents process and telemetry collection, while the Endpoint Security allowlist excludes files or folders from Coro Agent scanning to prevent ticket triggers. Both EDR and Endpoint Security blocklists prevent unsafe process execution.

The following table outlines the differences between adding records to the Endpoint Security allowlist and blocklist, and adding records to the Endpoint Detection and Response (EDR) allowlist and blocklist:

Record type Add to Endpoint Security allowlist Add to Endpoint Security blocklist Add to EDR allowlist Add to EDR blocklist
File Prevents ticket triggering by excluding the file from Coro Agent scanning N/A Prevents process and telemetry collection for the file N/A
Folder Prevents ticket triggering by excluding the folder from Coro Agent scanning N/A Prevents process and telemetry collection for the folder N/A
Process N/A Blocks unsafe process execution N/A Blocks unsafe process execution

You can add records to the allowlist and blocklist individually, or as a list contained in a CSV file.

Accessing the Endpoint Security allowlist and blocklist

To access the Endpoint Security allowlist and blocklist:

  1. Sign into the Coro console .
  2. Select Control Panel :

    Control Panel

  3. Select Endpoint Security :

    Endpoint Security

  4. Select the Allow/Block tab:

    Endpoint Security Allow/Block tab

    The Allow/Block page appears:

    Endpoint Security Allow/Block page

    The Allow/Block page displays a list of allowed file and folder records as well as blocked process records. The list contains the following columns:

    • Symbol : Specifies the record type:
      • File : Add file records to the allowlist.

        File symbol

      • Folder : Add folder records to the allowlist.

        Folder symbol

      • Process : Add process records to the blocklist.

        Process symbol

    • Value : The value of the record, based on the record type above. This value must be one of the following:
      • File path
      • Folder path
      • Process hash
    • List : Specifies whether the record is displayed on the allowlist or blocklist.
    • Description ( optional ): A short description of the record. When no value is specified, "N/A" is displayed.

Adding allowlist and blocklist records

You can add allowlist or blocklist records individually or import them in bulk from a CSV file.

Adding records individually

To add a new allowlist or blocklist record to the list:

  1. Select + ADD from the Allow/Block page.
  2. Select the type of record to add:

    Add allow/block list record

  3. After adding records, enable the following options to apply the rules to all child workspaces:
    note

    The Apply allow/block rules for files and folders to all child workspaces and Apply allow/block rules for processes to all child workspaces options apply to channel workspaces only.

    • Apply allow/block rules for files and folders to all child workspaces : Applicable to file and folder records.
    • Apply allow/block rules for processes to all child workspaces : Applicable to process records.

    Apply to all child workspaces

Adding a file record

To add a new file record to the allowlist or blocklist:

  1. Select + ADD > Add file record :

    Add file record

    The Add new file record dialog appears:

    Add new file record dialog

  2. Enter a file path value into the Add file path field.
  3. ( Optional ) Enter a description for the new file record into the Add description field.
  4. Select SAVE .

    Coro creates the new file record, adds it to the allowlist, and attaches a timestamp indicating when the file was allowed:

    File added

    After a file is added to the allowlist, Coro stops creating tickets related to that file.

    note

    Admin users can only add file records to the allowlist.

    note

    Admin users can also add a file to the allowlist directly from Malware on Endpoint tickets using the Approve this file action. For further information, see Malware on endpoint

Adding a folder record

To add a new folder record to the allowlist:

  1. Select + ADD > Add folder record :

    Add folder record

    The Add new folder record dialog appears:

    Add new folder record dialog

  2. Enter a folder path value into the Add folder field.
  3. ( Optional ) Enter a description for the new folder record into the Add description field.
  4. Select SAVE .

    Coro creates the new folder record, adds it to the allowlist, and attaches a timestamp indicating when the folder was allowed:

    Folder added

    After an admin user adds the folder to the allowlist, Coro stops creating tickets for the folder.

    note

    Folder records cannot be added to the blocklist. Admin users can only add folder records to the allowlist.

Adding a process record

To add a new process record to the blocklist:

  1. Select + ADD > Add process record :

    Add process record

    The Add new process record dialog appears:

    Add new process record dialog

  2. Enter a process hash value into the Add hash field.
  3. ( Optional ) Enter a description for the new process record into the Add description field.
  4. Select SAVE .

    Coro creates the new process record, adds it to the blocklist, and attaches a timestamp indicating when the process was blocked:

    Process added

    After an admin user adds the process to the blocklist, Coro blocks the execution of the process.

    note

    Admin users are only able to add process records to the blocklist.

    info

    If you have the EDR module enabled, you can also block a process from the EDR Processes page using the Block Process action. Process entries are shared between the blocklists of EDR and Endpoint Security.

Importing records from a csv file

Admin users are able to add records to the allowlist or blocklist by importing a CSV file containing a list of records.

Entries in your CSV file must follow the pattern:

<Type>,<Value>,<List>,<Description>

Each entry must be on a separate line, with the following possible values in each field:

Field Description Allowed values
<Type> The item type. File or Folder or Process
<Value> A file/folder path or a process hash. Examples: c:\users\downloads\test.txt, c:\dev\ or 986e27a1e6a4cbae373d28337ac3759325163ffb
<List> Specifies whether to allow or block the item. Allowed or Blocked
<Description> (Optional) A short description of the record. When no value is provided, a default value of N/A is applied during file upload. A test file or An allowed process

Files must abide by the following rules:

  • You must specify valid values in all four columns. Coro ignores entries with extra columns or invalid values.
  • The maximum file size is 1 MB.
  • The CSV import filename must be in lowercase.
  • A single CSV import file can contain a maximum of 200 records.
  • When Type is Process :
    • Value must be a valid CD hash or SHA256 hash.
    note

    CD hash values have a maximum string length of 40 characters.

    SHA256 hash values have a maximum string length of 64 characters.

  • When Type is File or Folder :
    • Value must be a valid file or folder path.
    • Value must not contain "'", "?", "//", or "|".
    • Value must not contain ":" if it contains "/".
    • Value has no character limitation.
  • Apply Allowed when Type is Folder or File .
  • Apply Blocked when Type is Process .

To facilitate creating a valid CSV file, Coro provides a link to a template in the Upload a CSV file dialog:

CSV template file link

To import new records to the Endpoint Security allowlist or blocklist from a CSV file:

  1. Select + ADD :

    Add record

  2. Select Import from CSV :

    Import from CSV

    The Import CSV to allow / block list dialog appears:

    Import CSV dialog

  3. Select Click to upload :

    Click to upload

  4. Select the CSV file:

    Select CSV file

    The CSV file in this example has two records:

    • One process record.
    • One folder record.

    CSV file example data

    After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:

    Selected CSV file

    note

    Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.

  5. Select IMPORT :

    Import CSV file

    A confirmation dialog appears to inform you that the import is in progress.

  6. Select GOT IT :

    Import in progress

  7. Navigate back to the Allow/Block page.

    The imported process record appears in the blocklist:

    Import success

Deleting allowlist and blocklist records

To delete a record from the allowlist or blocklist:

  1. Select the three-dot menu to the right of the record:
  2. Select Delete record .

    Delete record

    The record is deleted from the allowlist or blocklist.

Searching and filtering allowlist and blocklist records

You can filter and search the EDR allowlist and blocklist to find specific entries. The Type filter allows you to filter allowlist and blocklist records by:

  • Folder
  • Process
  • File

Type filter

You can also perform a free text search search across the Value and Description columns:

Search Allow/Block list