
Next Generation Anti Virus (NGAV) settings

The NGAV tab is used to configure settings for device monitoring using the Coro Agent. These settings apply to all devices in the workspace.


The settings below can be applied to groups of devices using predefined or custom device labels.

Endpoint monitoring settings

Advanced Threat Control

When enabled, Coro monitors active processes for known and potential threats, and blocks processes that exhibit suspicious behavior.


Processes that are not explicitly allowlisted are displayed on the Allow/Block list as Blocked. See Endpoint Security Allow/Block list.

You can enable a blocked process to run on a device from the respective Infected Process ticket using the Approve process group action.


By default, Advanced Threat Control is enabled.

To learn more, see Infected process.

Secured Shadow Backups

When enabled, Coro enforces backup snapshots every four hours and blocks processes that pose a risk to the backup. The Coro Agent uses the Windows Volume Shadow Copy Service (VSS) to automatically save a snapshot of your device's files. Ransomware attacks typically corrupt or encrypt local files, so taking frequent backups of your files is essential to allow quick recovery and minimize business impact.


Backups created by Coro are protected. Other shadow copies, for example, those created by Windows, are still vulnerable to corruption or deletion.


By default, Secured Shadow Backups is enabled.

To learn more, see Using VSS backup protection on your Windows endpoints.
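
A local spot check for the four-hour snapshot cadence described above, as an added example (not Coro's code or tooling): it lists VSS shadow copies per fixed volume and flags any volume whose newest snapshot is older than four hours. It assumes the Coro Agent's snapshots are enumerable through the standard Win32_ShadowCopy class, and it cannot tell Coro-created snapshots apart from those created by Windows.

```powershell
# Added example: audit shadow-copy recency on a Windows endpoint.
# Run from an elevated PowerShell session (Win32_ShadowCopy requires admin rights).
# Assumption: snapshots taken by the Coro Agent appear in Win32_ShadowCopy like
# any other VSS snapshot; this script does not identify which product made them.

$MaxAgeHours = 4   # snapshot interval stated in the documentation above

# Fixed local volumes that have a drive letter (DriveType 3 = local disk).
$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3' |
    Where-Object { $_.DriveLetter }

# All shadow copies currently present on the device.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$now     = Get-Date

$report = foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName holds the source volume's \\?\Volume{GUID}\ path,
    # which matches Win32_Volume.DeviceID.
    $copies = @($shadows |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object -Property InstallDate -Descending)

    if ($copies.Count -eq 0) {
        [pscustomobject]@{
            Drive = $vol.DriveLetter; Snapshots = 0
            Newest = $null; AgeHours = $null; Status = 'NO_SNAPSHOT'
        }
    }
    else {
        $newest = $copies[0].InstallDate
        $age    = [math]::Round(($now - $newest).TotalHours, 1)
        $status = if ($age -le $MaxAgeHours) { 'OK' } else { 'STALE' }
        [pscustomobject]@{
            Drive = $vol.DriveLetter; Snapshots = $copies.Count
            Newest = $newest; AgeHours = $age; Status = $status
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a monitoring job alert on missing or stale snapshots.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A device that was powered off or asleep for longer than the interval will report STALE until the next snapshot is taken.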

Enhanced EDR block mode

When Coro Endpoint Protection is used side-by-side with Windows Defender Antivirus, Coro provides added endpoint detection and response (EDR) against potential threats. Enhanced EDR block mode enforces this added protection by ensuring access to timely data that may otherwise be suppressed by the environment.


By default, Enhanced EDR block mode is enabled.

Enable an initial malware and ransomware scan

When enabled, a malware scan of the device is performed upon initial installation of the Coro Agent. Deeper scans can be initiated remotely at any time.


By default, the Enable an initial malware and ransomware scan setting is disabled.

To learn more, see Endpoint Security ticket types.