Yes, you can use blocklists to stop unauthorized or suspicious processes and applications from running on protected devices.
For more information, see EDR allowlist and blocklist.
When Coro isolates a device that a malicious process has infected, the device cannot communicate with any network or internet resource. However, the Coro process stays active, allowing the device to maintain communication with the Coro server for diagnostic purposes.
For more information, see EDR processes.
Yes. From the Devices list, select Isolate from network to disconnect the device from all network access while maintaining a connection to the Coro server. Then select Open remote shell to access the device remotely.
For more information, see Device information and options.
Yes. You can add non-system processes to the EDR allowlist to prevent Coro from generating EDR tickets for them. This action marks the process as safe and stops related telemetry collection.
For more information, see EDR allowlist and blocklist.
No. You must purchase the Endpoint Security module to use EDR.
No other Coro modules require EDR.
EDR requires the Endpoint Security module and the Coro Agent. Coro also recommends removing third-party antivirus software.
For more information, see Running other antivirus software with Coro.
Endpoint Security protects devices with Antivirus (AV), Next Generation Antivirus (NGAV), and policy enforcement to defend against malware and Wi-Fi phishing.
EDR detects, investigates, and responds to advanced threats that bypass traditional antivirus. It uses behavioral analysis to identify suspicious activity.
EDR provides:
Advanced threat detection: Identify fileless malware, multi-stage attacks, and other stealthy threats.
Process allowlisting: Allow trusted processes and image paths to reduce unnecessary telemetry collection.
Process blocklisting: Prevent unauthorized or suspicious processes from executing.
Process graph: Visualize process trees to trace relationships between parent and child processes.
Remote remediation: Isolate devices, block processes, and take action directly from the platform.
Telemetry collection: Gather forensic data from Windows event logs and macOS logs for investigation.
You can use EDR on endpoint devices running Windows, Windows Server, or macOS.
Yes. EDR aggregates process and telemetry data across devices to improve threat detection.
Coro automatically closes EDR tickets after 48 hours unless similar threats reappear. Admin users can also close tickets manually.
For more information, see Ticket types for EDR.
You can bulk import blocked processes to the blocklist using a CSV file. Coro does not support importing allowed processes.
Telemetry appears only when a process interacts with a monitored source. Go to Control Panel > EDR > Telemetry to view telemetry information.
No. EDR alerts you to threats so you can take manual action, such as isolating a device or blocking a process.
A process graph visualizes the lifecycle of a process, highlighting its parent and child relationships. It helps admin users monitor and track threats on a device by presenting insights and forensic information in a clear tree structure. This aids investigations, supports incident response, and speeds up the assessment of whether a process is malicious.
For more information, see Process graph.
A process graph provides detailed process and file properties, such as the command-line arguments, execution time, related telemetry records, user and file information, and an action menu to allow or block the process.
For more information, see Process graph.
The process graph displays up to three levels of parent and child relationships for the malicious process mentioned in the associated ticket. Additionally, it shows up to 15 child processes for each process.
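As an added illustration (not Coro's code, and not a description of how Coro stores or renders its process graph), the following Python builds a process tree from constructed telemetry records and renders the slice that a process graph with the limits described above would show around a flagged process: up to three levels of parent and child relationships, and at most 15 children per process. The record fields (pid, parent pid, image path, command line) and all sample values are assumptions made up for the example; the deeper chain and the 20 children under the flagged process exist only to show where the depth and fan-out limits cut the tree.

```python
"""Process-tree slice around a flagged process (added example, not Coro code)."""
from collections import defaultdict
from dataclasses import dataclass

MAX_LEVELS = 3      # levels of parent/child relationships shown around the flagged process
MAX_CHILDREN = 15   # children displayed per process


@dataclass(frozen=True)
class ProcessRecord:
    """Minimal constructed telemetry record; field names are assumptions."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (all values made up for this example).
SAMPLE_RECORDS = [
    ProcessRecord(1, 0, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    ProcessRecord(2, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessRecord(3, 2, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessRecord(4, 3, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessRecord(5, 4, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe"),  # flagged
]
# 20 children of the flagged process; only the first 15 will be displayed.
SAMPLE_RECORDS += [
    ProcessRecord(100 + i, 5, r"C:\Windows\System32\cmd.exe", f"cmd.exe /c task{i}")
    for i in range(20)
]
# A chain four levels below the flagged process; the fourth level is beyond the displayed depth.
SAMPLE_RECORDS += [
    ProcessRecord(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage2"),
    ProcessRecord(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage3"),
    ProcessRecord(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage4"),
]


def build_index(records):
    """Index records by pid and build a parent -> sorted child pids map."""
    by_pid = {r.pid: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r.ppid].append(r.pid)
    for pids in children.values():
        pids.sort()
    return by_pid, children


def ancestor_chain(by_pid, pid, levels=MAX_LEVELS):
    """Return up to `levels` ancestor pids, nearest parent first."""
    chain = []
    current = by_pid.get(pid)
    while current is not None and len(chain) < levels:
        parent = by_pid.get(current.ppid)
        if parent is None:          # reached a root whose parent was never observed
            break
        chain.append(parent.pid)
        current = parent
    return chain


def descendant_tree(by_pid, children, pid, levels=MAX_LEVELS, max_children=MAX_CHILDREN):
    """Nested dict {child_pid: {...}} limited to `levels` deep and `max_children` per node."""
    if levels == 0:
        return {}
    return {
        child: descendant_tree(by_pid, children, child, levels - 1, max_children)
        for child in children.get(pid, [])[:max_children]
    }


def count_nodes(tree):
    """Number of processes contained in a nested tree."""
    return sum(1 + count_nodes(sub) for sub in tree.values())


def render_graph(records, target_pid):
    """Render ancestors, the flagged process and its bounded descendants as indented lines."""
    by_pid, children = build_index(records)
    lines = []
    ancestors = ancestor_chain(by_pid, target_pid)
    for depth, pid in enumerate(reversed(ancestors)):     # top-most ancestor first
        lines.append("  " * depth + f"[{pid}] {by_pid[pid].image}  ({by_pid[pid].cmdline})")

    def walk(pid, tree, depth):
        rec = by_pid[pid]
        flag = "  <-- flagged" if pid == target_pid else ""
        lines.append("  " * depth + f"[{pid}] {rec.image}  ({rec.cmdline}){flag}")
        for child, sub in tree.items():
            walk(child, sub, depth + 1)
        omitted = len(children.get(pid, [])) - len(tree)   # cut by fan-out or depth limit
        if omitted > 0:
            lines.append("  " * (depth + 1) + f"... {omitted} more process(es) not shown")

    walk(target_pid, descendant_tree(by_pid, children, target_pid), len(ancestors))
    return lines


if __name__ == "__main__":
    print("\n".join(render_graph(SAMPLE_RECORDS, 5)))
```

Running the block shows pid 1 omitted from the top (fourth ancestor), pids 115 to 119 collapsed into a "not shown" line under the flagged process, and pid 400 collapsed under pid 300 because it lies beyond the third descendant level. Treat the "not shown" lines as the cue to pivot to the full telemetry for that process rather than assuming the displayed slice is the whole story.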
Yes, you can block or allow processes directly from the process graph.
For more information, see Process graph.
EDR creates a ticket when it detects a suspicious process. Tickets include process details, device information, MITRE mappings, and, if available, a process graph.
For more information, see Ticket types for EDR.
Yes, EDR collects and analyzes scheduled tasks and registry keys to help identify persistence threats.
No.