EDR

Can Endpoint Detection and Response (EDR) block suspicious processes or applications?

Yes, you can use blocklists to stop unauthorized or suspicious processes and applications from running on protected devices.

For more information, see EDR allowlist and blocklist.

How does Endpoint Detection and Response (EDR) isolate an infected device from a network?

When Coro isolates a device that a malicious process has infected, the device cannot communicate with any network or internet resource. However, the Coro process stays active, allowing the device to maintain communication with the Coro server for diagnostic purposes.

For more information, see EDR processes.

Can Endpoint Detection and Response (EDR) isolate a device and provide remote access?

Yes. From the Devices list, select Isolate from network to disconnect the device from all network access while maintaining a connection to the Coro server. Then select Open remote shell to access the device remotely.

For more information, see Device information and options.

Can I add processes to the Endpoint Detection and Response (EDR) allowlist?

Yes. You can add non-system processes to the EDR allowlist to prevent Coro from generating EDR tickets for them. This action marks the process as safe and stops related telemetry collection.

For more information, see EDR allowlist and blocklist.

Can I purchase Endpoint Detection and Response (EDR) without the Endpoint Security module?

No. You must purchase the Endpoint Security module to use EDR.

Which Coro add-ons and modules are dependent on Endpoint Detection and Response (EDR)?

No other Coro modules require EDR.

On which services, add-ons, and modules is Endpoint Detection and Response (EDR) dependent?

EDR requires the Endpoint Security module and the Coro Agent. Coro also recommends removing third-party antivirus software.

For more information, see Running other antivirus software with Coro.

What is the difference between the Endpoint Detection and Response (EDR) and Endpoint Security modules?

Endpoint Security protects devices with Antivirus (AV), Next Generation Antivirus (NGAV), and policy enforcement to defend against malware and Wi-Fi phishing.

EDR detects, investigates, and responds to advanced threats that bypass traditional antivirus. It uses behavioral analysis techniques to detect and identify suspicious activity.

What are the key features of Endpoint Detection and Response (EDR)?

EDR provides:

  • Advanced threat detection: Identify fileless malware, multi-stage attacks, and other stealthy threats.
  • Process allowlisting: Allow trusted processes and image paths to reduce unnecessary telemetry collection.
  • Process blocklisting: Prevent unauthorized or suspicious processes from executing.
  • Process graph: Visualize process trees to trace relationships between parent and child processes.
  • Remote remediation: Isolate devices, block processes, and take action directly from the platform.
  • Telemetry collection: Gather forensic data from Windows event logs and macOS logs for investigation.

What operating systems does Endpoint Detection and Response (EDR) support?

You can use EDR on endpoint devices running Windows, Windows Server, or macOS.

Does Endpoint Detection and Response (EDR) aggregate data from multiple endpoint devices?

Yes. EDR aggregates process and telemetry data across devices to improve threat detection.

When are Endpoint Detection and Response (EDR) tickets closed?

Coro automatically closes EDR tickets after 48 hours unless similar threats reappear. Admin users can also close tickets manually.

For more information, see Ticket types for EDR.

Can I bulk import allowed and blocked processes using a CSV file?

You can bulk import blocked processes to the blocklist using a CSV file. Coro does not support importing allowed processes.

Why does telemetry data only show for certain processes?

Telemetry appears only when a process interacts with a monitored source. Go to Control Panel > EDR > Telemetry to view telemetry information.

Does Endpoint Detection and Response (EDR) perform automatic threat mitigation?

No, EDR alerts you to threats so you can take manual action, such as isolating a device or blocking a process.

How does a process graph help detect potential threats?

A process graph visualizes the lifecycle of a process, highlighting its parent and child relationships. It helps admin users monitor and track threats on their devices by presenting insights and forensic information in a clear tree structure. This aids investigations, supports incident response, and allows for faster assessment of whether a process is malicious.

For more information, see Process graph.

What information does a process graph provide?

A process graph provides detailed process and file properties, such as the command-line arguments, execution time, related telemetry records, user and file information, and an action menu to allow or block the process.

For more information, see Process graph.

How many levels does the process graph display?

The process graph displays up to three levels of parent and child relationships for the malicious process mentioned in the associated ticket. Additionally, it shows up to 15 child processes for each process.
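The three answers above describe the process graph as a tree around the flagged process, bounded to three levels of parent and child relationships and 15 children per process. The following Python is an added illustration of that data structure, not Coro's code or schema: it builds the bounded tree from constructed process-start telemetry (the record fields, sample paths, PIDs and the interpretation of "three levels" as three ancestors above and three generations below the flagged process are all assumptions) and renders it as an indented tree with the overflow children summarized rather than dropped silently.

```python
"""Toy process graph (constructed example, not Coro's implementation).

Builds the parent/child tree around a flagged process from process-start
telemetry, bounded to MAX_DEPTH levels above and below the flagged process
and MAX_CHILDREN children per process, and renders it as an indented tree.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_DEPTH = 3       # levels of ancestors/descendants shown around the flagged process
MAX_CHILDREN = 15   # children shown per process; the rest are summarised


@dataclass(frozen=True)
class ProcessRecord:
    """One process-start telemetry record (fields are assumed, not Coro's schema)."""
    pid: int
    ppid: int
    image_path: str
    cmdline: str
    user: str
    started: str  # ISO-8601 timestamp, used to order siblings


# Constructed sample telemetry: a document-spawned shell chain plus a burst of
# 17 short-lived children under powershell.exe so the per-process child cap is visible.
SAMPLE_TELEMETRY = [
    ProcessRecord(4, 0, "System", "", "NT AUTHORITY\\SYSTEM", "2024-05-01T08:00:00Z"),
    ProcessRecord(600, 4, r"C:\Windows\System32\services.exe", "services.exe", "NT AUTHORITY\\SYSTEM", "2024-05-01T08:00:01Z"),
    ProcessRecord(900, 600, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice", "2024-05-01T08:01:00Z"),
    ProcessRecord(1200, 900, r"C:\Program Files\Office\WINWORD.EXE", 'WINWORD.EXE /n "invoice.docm"', r"CORP\alice", "2024-05-01T08:04:00Z"),
    ProcessRecord(1340, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start update.exe", r"CORP\alice", "2024-05-01T08:05:00Z"),
    ProcessRecord(1355, 1340, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File stage.ps1", r"CORP\alice", "2024-05-01T08:05:05Z"),
    ProcessRecord(1370, 1355, r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe", r"CORP\alice", "2024-05-01T08:05:10Z"),
    ProcessRecord(1390, 1370, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /create /tn Updater", r"CORP\alice", "2024-05-01T08:05:12Z"),
    ProcessRecord(1400, 1390, r"C:\Windows\System32\conhost.exe", "conhost.exe", r"CORP\alice", "2024-05-01T08:05:12Z"),  # 4th level: beyond the depth limit
] + [
    ProcessRecord(2000 + i, 1355, r"C:\Windows\System32\ping.exe", "ping.exe -n 1 10.0.0.%d" % i, r"CORP\alice", "2024-05-01T08:05:%02dZ" % (20 + i))
    for i in range(17)
]


def index_records(records):
    """Index telemetry by PID and by parent PID; siblings are ordered by start time."""
    by_pid = {r.pid: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r.ppid].append(r)
    for kids in children.values():
        kids.sort(key=lambda r: (r.started, r.pid))
    return by_pid, children


def ancestor_chain(by_pid, pid, max_levels=MAX_DEPTH):
    """Ancestors of pid, nearest first, at most max_levels of them."""
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_levels:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid == cur.pid:  # root reached or self-parented record
            break
        chain.append(parent)
        cur = parent
    return chain


def descendant_tree(by_pid, children, pid, max_levels=MAX_DEPTH, max_children=MAX_CHILDREN):
    """Nested dict for pid and its descendants, cut at max_levels generations
    and max_children per node; hidden_children counts what was cut."""
    rec = by_pid[pid]
    node = {"pid": pid, "image": rec.image_path, "cmdline": rec.cmdline,
            "user": rec.user, "started": rec.started, "children": [], "hidden_children": 0}
    kids = children.get(pid, [])
    if max_levels == 0:             # depth limit reached: report but do not expand
        node["hidden_children"] = len(kids)
        return node
    shown = kids[:max_children]
    node["hidden_children"] = len(kids) - len(shown)
    node["children"] = [descendant_tree(by_pid, children, k.pid, max_levels - 1, max_children)
                        for k in shown]
    return node


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def render_graph(by_pid, children, focus_pid, max_depth=MAX_DEPTH, max_children=MAX_CHILDREN):
    """Indented text tree: ancestors above the flagged process, descendants below."""
    lines = []
    ancestors = ancestor_chain(by_pid, focus_pid, max_depth)
    for depth, anc in enumerate(reversed(ancestors)):
        lines.append("  " * depth + f"{anc.pid} {_basename(anc.image_path)}")

    def walk(node, depth):
        flag = "  <-- flagged" if node["pid"] == focus_pid else ""
        lines.append("  " * depth + f"{node['pid']} {_basename(node['image'])}{flag}")
        for child in node["children"]:
            walk(child, depth + 1)
        if node["hidden_children"]:
            lines.append("  " * (depth + 1) + f"(+{node['hidden_children']} more not shown)")

    walk(descendant_tree(by_pid, children, focus_pid, max_depth, max_children), len(ancestors))
    return "\n".join(lines)


def process_graph(records, focus_pid, max_depth=MAX_DEPTH, max_children=MAX_CHILDREN):
    """Convenience wrapper: telemetry records in, rendered graph out."""
    by_pid, children = index_records(records)
    return render_graph(by_pid, children, focus_pid, max_depth, max_children)


if __name__ == "__main__":
    print(process_graph(SAMPLE_TELEMETRY, focus_pid=1340))
```

Running it prints the chain services.exe > explorer.exe > WINWORD.EXE > cmd.exe (flagged) > powershell.exe, with the System root process cut by the three-ancestor limit, conhost.exe under schtasks.exe reported only as "(+1 more not shown)" because it is a fourth generation below the flagged process, and the 17 ping.exe children reduced to 15 plus a "(+3 more not shown)" line. Summarizing the cut nodes matters for triage: an analyst should be able to tell a quiet process from one whose activity simply fell outside the display limits.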

Can I take actions on processes from the process graph?

Yes, you can block or allow processes directly from the process graph.

For more information, see Process graph.

What types of alerts does Endpoint Detection and Response (EDR) generate?

EDR creates a ticket when it detects a suspicious process. Tickets include process details, device info, MITRE mappings, and, if available, a process graph.

For more information, see Ticket types for EDR.

Can Endpoint Detection and Response (EDR) detect persistence mechanisms?

Yes, EDR collects and analyzes scheduled tasks and registry keys to help identify persistence threats.

Does Endpoint Detection and Response (EDR) include honeypot or deception-based detection features?

No.