Next Generation Anti Virus (NGAV) settings
The NGAV tab is used to configure settings for device monitoring using the Coro Agent. These settings apply to all devices in the workspace.
note
The settings below can be applied to groups of devices using predefined or custom device labels.
Advanced threat control
When enabled, Coro monitors active processes for known and potential threats, and terminates processes that exhibit suspicious behavior.
Advanced threat control (ATC) provides an additional layer of real-time monitoring by analyzing processes for known and potential threats. ATC blocks any processes that exhibit suspicious behavior.
note
Processes that are not explicitly allowlisted are displayed on the Allow/Block list as Blocked. See Endpoint Security Allow/Block list.
You can enable a blocked process to run on a device from the respective Infected Process ticket using the Approve process group action.
note
By default, Advanced Threat Control is enabled.
To learn more, see Infected process.
Secured shadow backups
When enabled, Coro enforces backup snapshots every four hours and blocks processes that exhibit risks to the backup. The Coro Agent uses the Windows VSS (Volume Shadow Copy Service) mechanism to automatically save a snapshot of your device's files. Ransomware attacks typically corrupt or encrypt local files, so taking frequent backups of your files is essential to allow quick recovery and minimize business impact.
note
Backups created by Coro are protected. Other shadow copies, for example, those created by Windows, are still vulnerable to corruption or deletion.
note
By default, Secured Shadow Backups is enabled.
To learn more, see Using VSS backup protection on your Windows endpoints.
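To confirm on a Windows endpoint that snapshots are being taken at the four-hour interval described above, an administrator can query VSS directly. The script below is an added example, not part of Coro's documentation or tooling. It assumes an elevated PowerShell session, and it reports every shadow copy on the volume because the standard `Win32_ShadowCopy` class does not indicate which product created a snapshot.

```powershell
# Added example: audit VSS snapshot freshness per local volume.
# Assumption: the 4-hour threshold mirrors the interval stated in this section.
# Requires an elevated session; Win32_ShadowCopy is not readable by standard users.

function Get-ShadowCopyFreshness {
    param(
        [double]$MaxAgeHours = 4,
        [datetime]$Now = (Get-Date)
    )

    # All existing shadow copies, regardless of which product created them.
    $shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    # Local fixed disks (DriveType 3) that have a drive letter assigned.
    $volumes = @(Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3' |
        Where-Object { $_.DriveLetter })

    foreach ($vol in $volumes) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
        # \\?\Volume{GUID}\ form, so they can be compared directly.
        $copies = @($shadowCopies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $newest = $copies | Sort-Object InstallDate -Descending | Select-Object -First 1

        if ($null -eq $newest) {
            $age = $null
            $status = 'NoSnapshot'
        } else {
            $age = [math]::Round(($Now - $newest.InstallDate).TotalHours, 2)
            $status = if ($age -le $MaxAgeHours) { 'OK' } else { 'Stale' }
        }

        [pscustomobject]@{
            Drive          = $vol.DriveLetter
            SnapshotCount  = $copies.Count
            NewestSnapshot = if ($newest) { $newest.InstallDate } else { $null }
            AgeHours       = $age
            Status         = $status
        }
    }
}

# Volumes reported as Stale or NoSnapshot warrant a look at the agent's
# status on that device and at the Secured shadow backups setting.
Get-ShadowCopyFreshness | Format-Table -AutoSize
```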
Enhanced EDR block mode
When Coro Endpoint Protection is used side-by-side with Windows Defender Antivirus, Coro provides added endpoint detection and response (EDR) against potential threats. Enhanced EDR block mode enforces this added protection by ensuring access to timely data that may otherwise be suppressed by the environment.
note
By default, Enhanced EDR Block Mode is enabled.
Quarantine infected containers
When enabled, if Coro detects a malicious file inside a container (archive) and is unable to remove the file, Coro quarantines the entire container and creates a Malware on endpoint ticket.
note
By default, Quarantine Infected Containers is enabled.
Enable an initial malware and ransomware scan
When enabled, a malware scan of the device is performed upon initial installation of the Coro Agent. Deeper scans can be initiated remotely at any time.
note
By default, Enable an initial malware and ransomware scan is disabled.
To learn more, see Endpoint Security ticket types.