The Coro Agent is fully autonomous and does not require connectivity for its operation. The Agent occasionally connects to the network to report findings to Coro servers and retrieve updates to the device posture policy and threat database.
The Agent requires approximately 1.5 GB of disk space, with over 1.2 GB allocated to the security knowledge base to enable autonomous operation.
Under normal conditions, the Agent uses approximately 400 MB of memory. During scanning, memory usage depends on the size of the files scanned.
Coro's internal tamper protection stops malware or unauthorized users from altering security configurations or terminating the Agent.
Coro advises against running another antivirus (AV) product alongside the Coro Agent. Upon installation, Coro registers as the primary AV software for the device and is listed as an authorized provider in Windows Security Center (WSC). This automatically disables Windows Defender.
For more information, see Running other antivirus software with Coro.
Yes, you can use an external mass deployment tool to uninstall the Coro Agent from multiple devices simultaneously. First, enable Allow agent uninstallation in the workspace of the affected devices.
Admin users can also trigger remote Agent uninstallations for Windows devices directly from the Coro console.
For more information, see Uninstalling Windows devices from the Coro console.
No, removing a user from protection only disables Coro protection for email and cloud apps. It does not uninstall the Agent from the device. Coro continues to detect, report, and remediate vulnerabilities. To remove the device, either enable Allow agent uninstallation in the device's workspace so the user can uninstall it, or select Disable protection on the device from the Devices view. This prevents the endpoint client from detecting and reporting device vulnerabilities.
Coro offers advantages over traditional antivirus (AV) software products by offering advanced protection features, such as device posture monitoring. It ensures critical security measures are in place, including firewalls, password-protected devices, and data encryption, to help detect and remediate ransomware threats.
No, a device can only link to a single workspace. Installing an Agent from a different workspace on a device with Coro already installed causes the installation to fail.
On average the Bitdefender engine downloads approximately 60-70 MB a day.
Yes. Admin users can trigger remote Agent uninstallations for Windows devices directly from the Coro console.
For more information, see Uninstalling Windows devices from the Coro console.
Coro approves the file for all devices within the same workspace.
First, an admin user must enable Allow agent uninstallation from the affected device's workspace to uninstall the Coro Agent. After enabling Allow agent uninstallation, users can uninstall the Coro Agent from their device.
For more information, see Uninstalling the endpoint agent.
Yes, an admin user can remotely remove the Coro Agent from a device using supported remote monitoring and management (RMM) tools. These include, but are not limited to, Atera, Windows Server GPO, JAMF Pro, and JumpCloud.
Coro uses port 443. Non-standard ports are not supported.
Enabling Control Panel > Devices > Settings > Visibility Mode causes the Coro Agent to generate events and send notifications to end users, but it does not perform automatic remediation (such as quarantine or process kill).
If you already have another antivirus (AV) software running on a device, pause the AV protection for a few minutes while you install the Coro Agent.
Coro advises against running another AV product alongside the Coro Agent. For more information, see Running other antivirus software with Coro.
For more information, see:
Yes, you can see the available Coro Agent versions from the Devices section of the Control Panel.
For further information, see Agent deployment.
Coro updates a device by uninstalling the old Agent version and installing the latest stable release. The update briefly interrupts the Coro service.
When a workspace becomes inactive after a trial period, Coro enables Allow agent uninstallation, allowing you to uninstall the Agent from protected devices within the workspace.
Coro disables Allow agent uninstallation by default unless the workspace status is set to Inactive.
For more information, see: Uninstalling the Coro Agent.
No, you must configure device posture policies from the Coro console after deploying the Agent.
The Coro service utilizes a Bitdefender Software Development Kit (SDK). To avoid conflicts that may interfere with the installation of the Coro Agent, Coro recommends uninstalling Bitdefender and any other antivirus (AV) software prior to installing the Coro Agent. For more details, see Running other antivirus software with Coro.
Run the following powershell command to verify that the Coro Agent is registered as an authorized WSC provider:
Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct"To register Coro as an authorized WSC provider, your device must have:
- Coro Agent v3.2 (beta 2.5.65.1) or later installed.
- Windows 10 or later installed.
For more information, see Downloading and installing the Agent.
The operating system's (OS) language on the installed device determines the Coro Agent UI language.
The Coro Agent UI supports the following languages:
- English
- French (Canada)
- French (France)
- Italian (Italy)
- Spanish (Spain)
The Agent officially supports the following Linux distributions:
- Debian 12 (Bookworm)
- Debian 11 (Bullseye)
- Ubuntu 24.04 LTS (Noble Numbat)
- Ubuntu 23.10 (Mantic Minotaur)
- Ubuntu 23.04 (Lunar Lobster)
- Ubuntu 22.10 (Kinetic Kudu)
- Ubuntu 22.04 LTS (Jammy Jellyfish)
No, the Coro Agent treats the local device and VM as separate devices. To ensure full protection, install and deploy the Agent on both the local device and the VM individually.
Coro provides deployment scripts for installing the Agent on Windows and macOS devices. It also offers a NinjaOne RMM PowerShell script to verify that the Agent is installed, running, and up-to-date on managed devices.
For more information, see:
Using PowerShell to deploy the Coro Agent to Windows devices.
Using NinjaOne to check your managed endpoint devices for Coro Agent.
Yes, you can deploy the Coro Agent on macOS devices via Mosyle. Contact Coro support at: support@coro.net.
Yes, the Windows Coro Agent is recognized by Windows Security Center (WSC) as antivirus software.
For more information, see: Deploying Coro on Windows devices.
Yes, to enable the Agent to silently auto-update to the newest stable version, include your macOS device in the Allow self-update to the latest stable version device setting. For more information, see Device protection settings.
Coro tests every release extensively before deployment. Each version undergoes regression, smoke, and beta testing, followed by internal validation. Updates roll out gradually with rollback options to prevent disruptions. This process ensures reliable updates that improve security without affecting operations.
No.
Yes, Coro is compatible with VDI environments, including Horizon.
No, the Coro Agent only supports 64-bit OSs.
When you enable Allow self-update to the latest stable version in a workspace, Coro initiates a gradual rollout. It randomly selects eligible devices across workspaces and upgrades them in batches. This controlled approach helps minimize risk and maintain system stability.
Coro performs the upgrade when all of the following conditions are met:
An admin user has enabled Allow self-update to the latest stable version in the workspace.
The device is online and actively communicating with Coro servers.
The device has reached its designated place in the rollout schedule.
Coro displays Not Protected in the following situations:
An admin user disables protection for a device. You can confirm this action in the Activity Log.
After installation on Windows devices, Coro temporarily shows Not Protected while the Agent downloads threat definitions and activates its services. This process usually completes within a minute.
On macOS devices, Coro continues to show Not Protected until the user approves system extensions and grants Full Disk Access (FDA).
If the Coro service stops running, the Agent displays Not Protected. Submit device logs to Coro Support at: support@coro.net for investigation.
Yes. Coro monitors device connectivity and detects when a device goes offline after two days of no communication.
You can confirm that the Coro Agent is installed and running by checking its status on your device:
Linux Open a terminal and run:
systemctl status coro-agentIf the output shows active (running), the Coro Agent is running correctly.
macOS: Check the menu bar for the Coro Agent to confirm the Agent is active.
Windows: Check the system tray for the Coro Agent to confirm the Agent is active. The Agent also appears as the primary antivirus provider in the Virus & threat protection section of Windows Security.
For additional information, see: