This article provides a technical overview of Trio EDR, explaining how endpoint threats are detected, classified, responded to, and governed across supported platforms. Each section corresponds to a tab in the EDR interface and describes both system behavior and administrative operations.
Overview
The Overview tab presents a consolidated view of the organization’s endpoint security posture. It aggregates detection telemetry, response actions, and device exposure to provide near real-time situational awareness.
Key components include:
Overall Endpoint Security Posture: A calculated security score derived from unresolved threats, EDR coverage, and response modes.
Threats by Category: Distribution of detected events across malware, suspicious behavior, and potentially unwanted programs (PUPs).
Response Effectiveness: Breakdown of automated and manual responses, including auto-blocked, quarantined, pending review, and actions requiring administrator intervention.
Threat Exposure by Device State: Visibility into devices that are protected, at risk, or exposed due to inactive or limited EDR coverage.
Recent EDR Activity: A chronological log of recent detections and actions taken by the agent or administrators.
This view is intended for continuous monitoring and high-level risk assessment.
Threats
The Threats tab lists all detected security events across endpoints. It includes both file-based detections and behavioral detections.
Each threat entry provides:
Threat name and classification (Malware, PUP, Benign, Unknown)
Detection timestamp
Affected device
Current status (Blocked, Quarantined, Alerted)
Action origin (Agent or Admin)
Filters and search allow administrators to scope threats by classification, status, device, date, and risk level. Expanding a threat entry reveals additional context used for investigation and response decisions.
This tab serves as the primary investigation surface for security operations.
Devices
The Devices tab shows EDR coverage and health at the endpoint level.
For each device, the table displays:
Platform and device name
EDR status (Active, Inactive, Limited)
Device group association
Total detected threats
Last synchronization time
Administrators can quickly identify devices with inactive or limited protection and correlate exposure with threat volume. This view supports remediation planning and coverage validation.
Settings
The Settings tab defines how EDR detects and responds to threats. Configuration is divided into logical control groups.
Malicious Files
Controls how known malware and potentially unwanted programs are handled.
Malware Response Mode: Determines whether malware is only detected and logged or automatically blocked/quarantined.
PUP Response Mode: Defines handling of potentially unwanted programs.
Suspicious Behavior
Enables behavioral monitoring for abnormal process, memory, and runtime activity.
Behavior Response Mode: In Detect mode, events are logged and alerted. In Protect mode, malicious behavior is blocked in real time.
User Alerts
Controls whether end users are notified when threats are detected or blocked on their device.
Changes must be explicitly saved and are applied to endpoints based on policy and agent sync.
Allow / Block List
The Allow / Block List defines explicit detection exceptions that override default EDR behavior.
Administrators can create rules to:
Allow known-safe files or paths
Block specific files, hashes, or directories
Each rule includes:
Action (Allow or Block)
Rule name
Rule type (for example, file hash)
Path or SHA-256 hash value
Current status (Allowed, Blocked, Staged)
Creating a rule
Select Create new
Choose Allow or Block
Provide a unique rule name
Select the rule type and supply the required value
Optionally scan for existing detections to release quarantined files
Select Add to save the rule
Rules are enforced by the EDR agent and audited as part of security governance.
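The following model, added here as an illustration and not Trio's own code, shows how the Allow/Block rules described above could combine with the Malware and PUP response modes from the Settings tab to yield the statuses shown on the Threats tab. The precedence order (Block rule over Allow rule over configured mode), the non-enforcement of Staged rules, and the handling of Benign/Unknown classifications are assumptions; the sample hash and paths are constructed.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Rule:
    action: str      # "Allow" or "Block"
    name: str        # unique rule name
    rule_type: str   # "hash" (SHA-256 hex digest) or "path" (directory prefix)
    value: str
    status: str = "Enforced"  # assumption: "Staged" rules are not yet enforced

@dataclass(frozen=True)
class Detection:
    path: str
    sha256: str
    classification: str  # Malware, PUP, Benign, Unknown

def rule_matches(rule: Rule, det: Detection) -> bool:
    """A rule applies if it is enforced and its hash or directory prefix matches."""
    if rule.status == "Staged":
        return False
    if rule.rule_type == "hash":
        return rule.value.lower() == det.sha256.lower()
    if rule.rule_type == "path":
        return det.path.startswith(rule.value.rstrip("/") + "/")
    return False

def decide(det: Detection, rules: list, malware_mode: str = "Protect",
           pup_mode: str = "Detect") -> tuple:
    """Return (status, origin) for one detection.
    Assumed precedence: Block rule > Allow rule > configured response mode."""
    matched = [r for r in rules if rule_matches(r, det)]
    if any(r.action == "Block" for r in matched):
        return ("Blocked", "Admin")
    if any(r.action == "Allow" for r in matched):
        return ("Allowed", "Admin")
    mode = {"Malware": malware_mode, "PUP": pup_mode}.get(det.classification)
    if mode == "Protect":
        return ("Quarantined", "Agent")
    # Detect mode, or a Benign/Unknown classification: log and alert only (assumption)
    return ("Alerted", "Agent")

# Constructed sample rules: a hash-based Block, a path-based Allow, and a Staged Allow.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file content").hexdigest()
RULES = [
    Rule("Block", "block-known-bad", "hash", SAMPLE_HASH),
    Rule("Allow", "allow-build-tools", "path", "/opt/buildtools"),
    Rule("Allow", "allow-staged-tmp", "path", "/tmp", status="Staged"),
]
```

Running `decide` over a few constructed detections shows that a Block rule applies even to a PUP in Detect mode, an Allow rule suppresses quarantine for a path under it, and a Staged rule has no effect.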
Operational notes
EDR coverage and behavior depend on agent health and platform support
Automated actions reduce response time, while manual actions preserve administrative control
All detections, actions, and configuration changes are audit-logged
Trio EDR is designed to provide continuous detection, controlled response, and operational visibility without relying on external security tooling.