Endpoint Agent

Does the Coro Agent require an internet connection at all times?

The Coro Agent is fully autonomous and does not require connectivity for its operation. The Agent occasionally connects to the network to report findings to Coro servers and retrieve updates to the device posture policy and threat database.

How much disk space is required by the Coro Agent?

The Agent requires approximately 1.5 GB of disk space, with over 1.2 GB allocated to the security knowledge base to enable autonomous operation.

How much memory does the Coro Agent consume?

Under normal conditions, the Agent uses approximately 400 MB of memory. During scanning, memory usage depends on the size of the files scanned.

What is tamper protection?

Tamper protection prevents malicious software from terminating or interfering with the Coro Agent, thereby disabling protection.

Can I run Windows Defender alongside Coro?

Coro advises against running another antivirus (AV) product alongside the Coro Agent. Upon installation, Coro registers as the primary AV software for the device and is listed as an authorized provider in Windows Security Center (WSC). This automatically disables Windows Defender.

For more information, see Running other antivirus software with Coro.

Can the Coro Agent be removed from multiple users in bulk?

Yes, you can use an external mass deployment tool to uninstall the Coro Agent from multiple devices simultaneously. First, enable Allow agent uninstallation in the workspace of the affected devices.

For more information, see Agent settings.

What happens when you remove a user from protection? Does it also remove the Coro Agent from their devices?

No, removing a user from protection only disables Coro protection for email and cloud apps. It does not uninstall the Agent from the device. Coro continues to detect, report, and remediate vulnerabilities. To remove the device, either enable Allow agent uninstallation in the device's workspace so the user can uninstall it, or select Disable protection on the device from the Devices view. This prevents the endpoint client from detecting and reporting device vulnerabilities.

As a ransomware detection and remediation tool, what advantages does Coro have over other traditional Endpoint Detection and Response (EDR) tools?

Coro offers advantages over traditional antivirus (AV) software products by offering advanced protection features, such as device posture monitoring. It ensures critical security measures are in place, including firewalls, password-protected devices, and data encryption, to help detect and remediate ransomware threats.

Can an endpoint device be connected to more than one workspace?

No, a device can only link to a single workspace. Installing an Agent from a different workspace on a device with Coro already installed causes the installation to fail.

What is the average size of a definition/signature update received by the Coro Agent from the Bitdefender servers?

On average the Bitdefender engine downloads approximately 60-70 MB a day.

Can the Coro Agent be uninstalled through the Coro console?

No.

When a client approves a file via the Coro Agent that's flagged as malware, does it apply to all endpoint devices?

Coro approves the file for all devices within the same workspace.

How do I uninstall the Coro Agent from my device?

First, an admin user must enable Allow agent uninstallation from the affected device's workspace to uninstall the Coro Agent. After enabling Allow agent uninstallation, users can uninstall the Coro Agent from their device.

For more information, see Uninstalling the endpoint agent.

Can an admin user remotely remove the Coro Agent from a device?

Yes, an admin user can remotely remove the Coro Agent from a device using supported remote monitoring and management (RMM) tools. These include, but are not limited to, Atera, Windows Server GPO, JAMF Pro, and JumpCloud.

What port number does the Coro Agent use?

Coro uses port 443. Non-standard ports are not supported.

What is Visibility Mode?

Enabling Control Panel > Devices > Settings > Visibility Mode causes the Coro Agent to generate events and send notifications to end users, but it does not perform automatic remediation (such as quarantine or process kill).

What should I do if my existing antivirus on the device is preventing the installation of Coro?

If you already have another antivirus (AV) software running on a device, pause the AV protection for a few minutes while you install the Coro Agent.

Important

Coro advises against running another AV product alongside the Coro Agent. For more information, see Running other antivirus software with Coro.

For more information, see:

Is there a way to see when Coro Agent updates occur from the console?

Yes, you can see the available Coro Agent versions from the Devices section of the Control Panel.

For further information, see Agent deployment.

How does Coro manage the transition to a new version of the Agent, and does this process involve any system downtime?

Coro updates a device by uninstalling the old Agent version and installing the latest stable release. The update briefly interrupts the Coro service.

How do I disconnect an endpoint device from an expired trial workspace?

When a workspace becomes inactive after a trial period, Coro enables Allow agent uninstallation, allowing you to uninstall the Agent from protected devices within the workspace.

note

Allow agent uninstallation is disabled by default when the workspace status is not Inactive.

For more information, see: Uninstalling the Coro Agent.

Can I assign device posture policies to a group of users or devices during a mass Agent deployment?

No, you must configure device posture policies from the Coro console after deploying the Agent.

Can I install the Coro Agent on a device that is running Bitdefender?

The Coro service utilizes a Bitdefender Software Development Kit (SDK). To avoid conflicts that may interfere with the installation of the Coro Agent, Coro recommends uninstalling Bitdefender and any other antivirus (AV) software prior to installing the Coro Agent. For more details, see Running other antivirus software with Coro.

How do I verify that the Coro Agent is registered as an authorized Windows Security Center (WSC) provider?

Run the following powershell command to verify that the Coro Agent is registered as an authorized WSC provider:

Copy
Copied
Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct"
Important

To register Coro as an authorized WSC provider, your device must have:

  • Coro Agent v3.2 (beta 2.5.65.1) or later installed.
  • Windows 10 or later installed.

For more information, see Downloading and installing the Agent.

What determines the language of the Coro Agent user interface (UI)?

The operating system's (OS) language on the installed device determines the Coro Agent UI language.

The Coro Agent UI supports the following languages:

  • English
  • Spanish (Spain)
  • Italian (Italy)

What distributions does the Linux Agent support?

The Agent officially supports the following Linux distributions:

  • Debian 12 (Bookworm)
  • Debian 11 (Bullseye)
  • Ubuntu 24.04 LTS (Noble Numbat)
  • Ubuntu 23.10 (Mantic Minotaur)
  • Ubuntu 23.04 (Lunar Lobster)
  • Ubuntu 22.10 (Kinetic Kudu)
  • Ubuntu 22.04 LTS (Jammy Jellyfish)

Can the Coro Agent scan both a local endpoint device and a virtual machine (VM) running on the same device as separate devices?

No, the Coro Agent treats the local device and VM as separate devices. To ensure full protection, install and deploy the Agent on both the local device and the VM individually.

What types of scripts does Coro support through NinjaOne?

Coro provides deployment scripts for installing the Agent on Windows and macOS devices. It also offers a NinjaOne RMM PowerShell script to verify that the Agent is installed, running, and up-to-date on managed devices.

For more information, see:

Is the Coro Agent deployable on macOS devices via Mosyle?

Yes, you can deploy the Coro Agent on macOS devices via Mosyle. Contact Coro support at: support@coro.net.

Is the Windows Coro Agent recognized by Windows Security Center (WSC) as antivirus software?

Yes, the Windows Coro Agent is recognized by Windows Security Center (WSC) as antivirus software.

For more information, see: Deploying Coro on Windows devices.

Does the macOS Coro Agent support automatic silent updates?

Yes, to enable the Agent to silently auto-update to the newest stable version, include your macOS device in the Allow self-update to the latest stable version device setting. For more information, see Device protection settings.

note

Coro tests every release extensively before deployment. Each version undergoes regression, smoke, and beta testing, followed by internal validation. Updates roll out gradually with rollback options to prevent disruptions. This process ensures reliable updates that improve security without affecting operations.

Can I hide the Coro Agent from my system tray or menu bar?

No.

Is Coro compatible with Virtual Desktop Infrastructure (VDI) environments, specifically Horizon VDI?

Yes, Coro is compatible with VDI environments, including Horizon.

Does the Coro Agent support 32-bit operating systems (OSs)?

No, the Coro Agent only supports 64-bit OSs.

What triggers the automatic Coro Agent upgrade?

When you enable Allow self-update to the latest stable version in a workspace, Coro initiates a gradual rollout. It randomly selects eligible devices across workspaces and upgrades them in batches. This controlled approach helps minimize risk and maintain system stability.

Coro performs the upgrade when all of the following conditions are met:

  • An admin user has enabled Allow self-update to the latest stable version in the workspace.
  • The device is online and actively communicating with Coro servers.
  • The device has reached its designated place in the rollout schedule.

Why does the Coro Agent display "Not Protected"?

Coro displays Not Protected in the following situations:

  • An admin user disables protection for a device. You can confirm this action in the Activity Log.
  • After installation on Windows devices , Coro temporarily shows Not Protected while the Agent downloads threat definitions and activates its services. This process usually completes within a minute.
  • On macOS devices , Coro continues to show Not Protected until the user approves system extensions and grants Full Disk Access (FDA).
  • If the Coro service stops running, the Agent displays Not Protected . Submit device logs to Coro Support at: support@coro.net for investigation.

Can Coro automatically detect when an endpoint device disconnects from the internet?

Yes. Coro monitors device connectivity and detects when a device goes offline after two days of no communication.