CPC G06F 21/6272 (2013.01) [G06F 21/565 (2013.01); G06F 21/566 (2013.01)]; 21 Claims
1. A method comprising:
receiving, by a cloud-based monitoring platform, a request to deploy a surveyor to an agent executing on an endpoint computing device, the request further comprising information characterizing (i) a list of encrypted files and (ii) key material used in encrypting each of the files in the list of encrypted files;
generating, by the cloud-based monitoring platform in response to the request, a surveyor package comprising an executable for updating the agent to address a security event and metadata characterizing the surveyor package, the surveyor package comprising decryptor logic to decrypt the files in the list of encrypted files; and
causing, by the cloud-based monitoring platform, the surveyor package to be deployed to the agent, the agent unpacking the surveyor package to access and execute the executable to address the security event.
10. A method comprising:
receiving, by a cloud-based monitoring platform, a request to deploy a surveyor to an agent executing on an endpoint computing device, the request comprising information characterizing a security event, the information identifying a plurality of files encrypted as part of a ransomware attack and corresponding key material used when encrypting each of the files, wherein first key material was used to encrypt a first subset of the identified plurality of files and second, different key material was used to encrypt a second subset of the identified plurality of files;
generating, by the cloud-based monitoring platform and based on the received information, a surveyor package comprising an executable comprising decryptor logic to decrypt at least a portion of the files;
causing the surveyor package to be deployed to the agent;
unpacking, by the agent, the surveyor package;
executing, by the agent, the executable to decrypt at least a portion of the files; and
transporting the decrypted files to a safe computing environment.
14. A method comprising:
sending, by way of an application programming interface (API) to a cloud-based monitoring system, a request to deploy a surveyor to an agent executing on an endpoint computing device, the request identifying a security event and including a command to execute a surveyor and content files for the surveyor to execute, a first of the content files being a list of files to decrypt and a second of the content files comprising key materials for the list of files to decrypt;
downloading, by the agent in response to the request received by the cloud-based monitoring system, a surveyor package from a download repository comprising an executable for updating the agent to address the security event and metadata characterizing a surveyor to be updated using the surveyor package, the surveyor package comprising decryptor logic to decrypt the files in the list of files to decrypt;
unpacking, by the agent, the surveyor package; and
executing, by the agent, the executable to initiate one or more remediation actions to address the security event.
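The request, package and agent steps of claims 1, 10 and 14, traced through as an added Python example that is not part of the patent or any vendor's implementation: the platform turns a request carrying a file list and per-subset key material into a package whose metadata binds to that content, and the agent checks the binding, decrypts each file with the key named for it, and writes the result to a safe location. The package layout, the field names, the integrity check and the HMAC-SHA256 keystream stand-in cipher are all assumptions for the demo; a real decryptor would implement the ransomware family's own algorithm.

```python
import hashlib, hmac, json, pathlib, tempfile

def keystream_xor(key, data):
    # Stand-in symmetric cipher (HMAC-SHA256 keystream, counter mode); constructed for the demo.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def content_digest(content):
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()

def build_surveyor_package(request):
    # Platform side: file list + key material from the request, bound by a metadata digest.
    content = {"files": request["files"], "key_material": request["key_material"]}
    metadata = {"event_id": request["event_id"], "surveyor": "decryptor",
                "content_sha256": content_digest(content)}
    return {"metadata": metadata, "executable": "decrypt", "content": content}

def agent_run_surveyor(package, safe_dir):
    # Agent side: unpack, verify content against metadata, decrypt per key, write to safe dir.
    content = package["content"]
    if not hmac.compare_digest(content_digest(content), package["metadata"]["content_sha256"]):
        raise ValueError("surveyor package content does not match its metadata")
    recovered = {}
    for entry in content["files"]:
        key = bytes.fromhex(content["key_material"][entry["key_id"]])
        src = pathlib.Path(entry["path"])
        plain = keystream_xor(key, src.read_bytes())
        (pathlib.Path(safe_dir) / src.name).write_bytes(plain)
        recovered[src.name] = plain
    return recovered

def demo():
    # Constructed scenario: a.txt and b.txt encrypted with key k1, c.txt with a different key k2.
    work = pathlib.Path(tempfile.mkdtemp())
    safe = work / "safe"
    safe.mkdir()
    keys = {"k1": "00" * 16, "k2": "ff" * 16}  # constructed sample key material (hex)
    samples = {"a.txt": ("k1", b"quarterly report"), "b.txt": ("k1", b"payroll"), "c.txt": ("k2", b"contracts")}
    files = []
    for name, (kid, plain) in samples.items():
        (work / name).write_bytes(keystream_xor(bytes.fromhex(keys[kid]), plain))
        files.append({"path": str(work / name), "key_id": kid})
    request = {"event_id": "EVT-0001", "files": files, "key_material": keys}
    return agent_run_surveyor(build_surveyor_package(request), str(safe))
```

The digest check is what makes the agent refuse a package whose file list or key material was altered after the platform generated it.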