US 11,750,660 B2
Dynamically updating rules for detecting compromised devices
Simon Brooks, Palo Alto, CA (US); Daniel E. Zeck, Roswell, GA (US); Xinpi Du, Atlanta, GA (US); Ali Mohsin, Alpharetta, GA (US); Kishore Sajja, Atlanta, GA (US); and Nikhil Mehta, Atlanta, GA (US)
Assigned to VMware, Inc., Palo Alto, CA (US)
Filed by VMware, Inc., Palo Alto, CA (US)
Filed on Sep. 9, 2021, as Appl. No. 17/470,711.
Application 17/470,711 is a continuation of application No. 16/134,542, filed on Sep. 18, 2018, granted, now 11,128,666.
Prior Publication US 2021/0409452 A1, Dec. 30, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); G06F 9/54 (2006.01); G06F 21/55 (2013.01)
CPC H04L 63/20 (2013.01) [G06F 9/542 (2013.01); G06F 21/552 (2013.01); G06F 21/554 (2013.01)]
17 Claims
1. A system for detecting a compromised device, comprising:
a client device comprising at least one hardware processor; and
program instructions executable in the client device that, when executed, direct the client device to:
detect a launch condition associated with a threat detection runtime environment, the program instructions being embedded within the application;
retrieve one or more rules from a remotely executed service, the rules specifying how to determine that the client device has been compromised;
execute the threat detection runtime environment within the application;
register an event handler within the threat detection runtime environment based upon the rules, the event handler configured to detect a condition specified by the rules indicating a compromised state; and
detect, using the event handler, the condition by listening for a response to a command executed on the client device that is initiated by the threat detection runtime, wherein the command obtains a property of a file stored on the client device.
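The flow recited in claim 1, sketched as an added example that is not taken from the patent or from any VMware product: rules arrive as JSON, each rule becomes an event handler, and the runtime issues a file-property command whose response the handler inspects. The rule schema (`id`, `path`, `property`, `compromised_if`), the class and function names, and the sample files are all assumptions made for illustration.

```python
import json
import os
import stat
import tempfile


def file_property(path, prop):
    """The command: obtain one property of a file on the device."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False if prop == "exists" else None
    # Unsupported property names raise KeyError rather than passing silently.
    return {"exists": True, "world_writable": bool(mode & stat.S_IWOTH)}[prop]


class ThreatRuntime:
    """Hypothetical in-app runtime that turns rules into event handlers."""

    def __init__(self, rules_json):
        self.findings = []
        self.handlers = [(r, self._handler(r)) for r in json.loads(rules_json)]

    def _handler(self, rule):
        def on_response(value):
            # The rule names the value that indicates a compromised state.
            if value == rule["compromised_if"]:
                self.findings.append(rule["id"])
        return on_response

    def run(self):
        self.findings = []
        for rule, on_response in self.handlers:
            # The runtime initiates the command; the handler receives the response.
            on_response(file_property(rule["path"], rule["property"]))
        return sorted(self.findings)


def demo():
    # Constructed sample: a temp dir stands in for the device file system.
    with tempfile.TemporaryDirectory() as root:
        su = os.path.join(root, "su")
        open(su, "w").close()
        os.chmod(su, 0o666)
        checks = [("su-present", su, "exists"), ("su-writable", su, "world_writable"),
                  ("hook-lib", os.path.join(root, "hook.so"), "exists")]
        rules = json.dumps([{"id": i, "path": p, "property": q, "compromised_if": True}
                            for i, p, q in checks])
        return ThreatRuntime(rules).run()
```

Because the checks live in the rule data rather than in the handler code, a new file path or property test can be delivered by the service without shipping a new application build.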