Endpoint Security allowlist and blocklist¶

The Coro Endpoint Security allowlist and blocklist enable admin users with sufficient permissions to manage the access of files and folders deemed safe and block the execution of unsafe processes on a device. This allows admin users more control over what Coro monitors by:

Suppressing possible false positive detections of files and folders considered safe by your organization.
Excluding folders from being scanned by the Coro Agent in order to improve the Agent's performance.
Blocking identified malicious processes from executing.

You can add records to the allowlist and blocklist individually, or as a list contained in a CSV file.

This article discusses the following topics:

Accessing the Endpoint Security allowlist and blocklist
Adding allowlist and blocklist records
Deleting allowlist and blocklist records
Filtering allowlist and blocklist records
Searching allowlist and blocklist records

Accessing the Endpoint Security allowlist and blocklist¶

To access the Endpoint Security allowlist and blocklist:

Sign into the Coro console.
Select Control Panel:
Select Endpoint Security:
Select the Allow/Block tab:

The Allow/Block page appears:

The Allow/Block page displays a list of allowed file and folder records as well as blocked process records. The list contains the following columns:
- Symbol: Specifies the record type:
  - File: Add file records to the allowlist.
  - Folder: Add folder records to the allowlist.
  - Process: Add process records to the blocklist.
- Value: The value of the record, based on the record type above. This value must be one of the following:
  - File path
  - Folder path
  - Process hash
- List: Specifies whether the record is displayed on the allowlist or blocklist.
- Description (optional): A short description of the record. When no value is specified, "N/A" is displayed.

Adding allowlist and blocklist records¶

You can add allowlist or blocklist records individually or import them in bulk from a CSV file.

Adding records individually
Importing records from a CSV file

Adding records individually¶

To add a new allowlist or blocklist record to the list:

Select + ADD from the Allow/Block page.
Select the type of record to add:
After adding records, enable the following options to apply the rules to all child workspaces:
- Apply allow/block rules for files and folders to all child workspaces: Applicable to file and folder records.
- Apply allow/block rules for processes to all child workspaces: Applicable to process records.
Note

Channel workspaces display the Apply allow/block rules for files and folders to all child workspaces and Apply allow/block rules for processes to all child workspaces options.

Adding a file record¶

To add a new file record to the allowlist or blocklist:

Select + ADD > Add file record:

The Add new file record dialog appears:
Enter a file path value into the Add file path field.
(Optional) Enter a description for the new file record into the Add description field.
Select SAVE.

Coro creates the new file record, adds it to the allowlist, and attaches a timestamp indicating when the file was allowed:

Note

Admin users can only add records to the allowlist. After a file is added to the allowlist, Coro stops creating tickets related to that file.

Note

Admin users can also add a file to the allowlist directly from Malware on Endpoint tickets using the Approve this file action. For further information, see Malware on endpoint

Adding a folder record¶

To add a new folder record to the allowlist:

Select + ADD > Add folder record:

The Add new folder record dialog appears:
Enter a folder path value into the Add folder field.
(Optional) Enter a description for the new folder record into the Add description field.
Select SAVE.

Coro creates the new folder record, adds it to the allowlist, and attaches a timestamp indicating when the folder was allowed:

Note

Admin users are only able to add folder records to the allowlist. After an admin user adds the folder to the allowlist, Coro stops creating tickets for the folder.

Adding a process record¶

To add a new process record to the blocklist:

Select + ADD > Add process record:

The Add new process record dialog appears:
Enter a process hash value into the Add hash field.
(Optional) Enter a description for the new process record into the Add description field.
Select SAVE.

Coro creates the new process record, adds it to the blocklist, and attaches a timestamp indicating when the process was blocked:

Note

Admin users are only able to add process records to the blocklist. After an admin user adds the process to the blocklist, Coro blocks the execution of the process.

Info

If you have the EDR module enabled, you can also block a process from the EDR Processes page using the Block Process action. Process entries are shared between the blocklists of EDR and Endpoint Security.

Importing records from a csv file¶

Admin users are able to add records to the allowlist or blocklist by importing a CSV file containing a list of records.

Entries in your CSV file must follow the pattern:

<Type>,<Value>,<List>,<Description>

Each entry must be on a separate line, with the following possible values in each field:

Field	Description	Allowed values
<Type>	The item type.	`File` or `Folder` or `Process`
<Value>	A file/folder path or a process hash.	Examples: `c:\users\downloads\test.txt`, `c:\dev\` or `986e27a1e6a4cbae373d28337ac3759325163ffb`
<List>	Specifies whether to allow or block the item.	`Allowed` or `Blocked`
<Description>	(Optional) A short description of the record. When no value is provided, a default value of `N/A` is applied during file upload.	`A test file` or `An allowed process`

Files must abide by the following rules:

You must specify valid values in all four columns. Coro ignores entries with extra columns or invalid values.
The maximum file size is 1 MB.
The CSV import filename must be in lowercase.
A single CSV import file can contain a maximum of 200 records.
When Type is File or Process:
- Value has a maximum string length of 32 characters.
- Value only accepts lowercase letters and numbers.
When Type is Folder:
- Value has no limitation in string length.
- Value has no character limitation.
Apply Allowed when Type is Folder or File.
Apply Blocked when Type is Process.

To facilitate creating a valid CSV file, Coro provides a link to a template in the Upload a CSV file dialog:

To import new records to the Endpoint Security allowlist or blocklist from a CSV file:

Select + ADD:
Select Import from CSV:

The Import CSV to allow / block list dialog appears:
Select Click to upload:
Select the CSV file:

The CSV file in this example has two records:
- One process record.
- One folder record.
After you select the CSV file, the filename appears in the file area of the Import CSV to allow / block list dialog:

Note

Alternatively, drag and drop the selected CSV file into the Import CSV to allow / block list dialog.
Select IMPORT:

A confirmation dialog appears to inform you that the import is in progress.
Select GOT IT:
Navigate back to the Allow/Block page.

The imported process record appears in the blocklist:

Deleting allowlist and blocklist records¶

To delete a record from the allowlist or blocklist:

Select the three-dot menu to the right of the record:
Select Delete record.

The record is deleted from the allowlist or blocklist.

Filtering allowlist and blocklist records¶

The Allow/Block page records can be filtered by using the Type filter:

Type filter¶

The Type filter allows you to filter allowlist and blocklist records by:

Folder
Process
File

Searching allowlist and blocklist records¶

The Search field allows you to search and filter allowlist and blocklist records using a free search. A free search allows you to search the Value and Description columns.

Note

The free search functionality finds items that begin with a specific sequence of characters. By entering the initial characters, the system displays relevant results, saving time and improving efficiency in locating desired information.