US 12,013,936 B2
System and method of protecting client computers
Theron D. Tock, Mountain View, CA (US); and Michael P. Horn, San Carlos, CA (US)
Assigned to PROOFPOINT, INC., Sunnyvale, CA (US)
Filed by Proofpoint, Inc., Sunnyvale, CA (US)
Filed on Sep. 7, 2022, as Appl. No. 17/939,702.
Application 17/939,702 is a continuation of application No. 16/745,094, filed on Jan. 16, 2020, granted, now 11,468,167.
Application 16/745,094 is a continuation of application No. 16/186,200, filed on Nov. 9, 2018, granted, now 10,572,662, issued on Feb. 25, 2020.
Application 16/745,094 is a continuation of application No. 16/186,191, filed on Nov. 9, 2018, granted, now 10,558,803, issued on Feb. 11, 2020.
Application 16/186,200 is a continuation of application No. 14/079,565, filed on Nov. 13, 2013, granted, now 10,223,530, issued on Mar. 5, 2019.
Prior Publication US 2022/0414217 A1, Dec. 29, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/56 (2013.01) [H04L 2463/144 (2013.01)] 20 Claims
 
1. A method for threat detection and response, the method comprising:
receiving, by a threat response computer, an event report from a threat detector which monitors and analyzes communications between a client computer in an enterprise computing network and a plurality of computers, wherein the threat response computer is separate from the client computer and runs on a threat response platform configured for protecting the enterprise computing network, and wherein the event report includes data identifying a suspicious communication by the client computer as a security event;
in response to the receiving of the event report by the threat response computer, temporarily, automatically, and remotely placing and activating, by the threat response computer, an agent on the client computer, the agent configured to search for potential indications of compromise (IOCs) on the client computer and self-uninstall after sending search result data to the threat response computer;
determining, by the threat response computer, whether the potential IOCs on the client computer indicate evidence of malware on the client computer in the enterprise computing network by:
comparing the potential IOCs on the client computer in the enterprise computing network and IOCs in a database local to the threat response computer, and
using a result of the comparison of the potential IOCs on the client computer in the enterprise computing network with the IOCs in the database local to the threat response computer, determining a probability of an actual malware incursion on the client computer; and
responsive to a result of the determining whether the potential IOCs on the client computer indicate evidence of malware on the client computer comprising a determination that the potential IOCs on the client computer indicate the evidence of malware on the client computer in the enterprise computing network, performing, by the threat response computer, one or more of:
updating the database local to the threat response computer to include the evidence of malware determined by the threat response computer, or
sending an instruction from the threat response computer to configure a firewall in the enterprise computing network.
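Added illustration of the decision loop that claim 1 describes: an event report about a suspicious communication arrives at the threat response computer, a temporary agent is dispatched to the client and reports back potential IOCs, those are compared against the local IOC database, a probability of an actual incursion is derived from the matches, and on a positive verdict the platform both records the new evidence in its database and emits a firewall instruction. This is example code written for this page, not Proofpoint's implementation; the agent is simulated by a constructed lookup table, and the indicator values, weights, noisy-OR combination and 0.5 threshold are all assumptions chosen for the example.

```python
"""Illustration of the threat-response flow in claim 1 (example code, not the
patent holder's implementation). Every indicator, weight and threshold below
is a constructed assumption."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventReport:
    """Minimal stand-in for the event report sent by the threat detector."""
    client_host: str
    client_ip: str
    remote_host: str   # peer of the suspicious communication flagged by the detector
    reason: str


@dataclass
class Verdict:
    probability: float
    matched: list
    new_evidence: list
    actions: list = field(default_factory=list)
    firewall_instruction: Optional[dict] = None


# Local IOC database: indicator -> weight (constructed values). The weight is the
# assumed confidence that the indicator on its own implies a real incursion.
LOCAL_IOC_DB = {
    "evil-c2.example.invalid": 0.6,                       # known C2 domain
    "HKCU\\Software\\Example\\Run\\updater": 0.3,         # persistence Run key
    "00" * 31 + "01": 0.5,                                # placeholder sha256 of a known-bad file
}

# Constructed stand-in for what the temporary agent reports back to the threat
# response computer before uninstalling itself: host -> potential IOCs observed.
SIMULATED_AGENT_RESULTS = {
    "ws-finance-07": [
        "evil-c2.example.invalid",                        # DNS cache entry
        "HKCU\\Software\\Example\\Run\\updater",          # Run key present
        "00" * 31 + "02",                                 # hash of an unknown binary
    ],
    "ws-hr-02": ["HKCU\\Software\\Example\\Run\\backup"],  # benign-looking key
}

DECISION_THRESHOLD = 0.5   # assumed cut-off for "evidence of malware"


def dispatch_agent(client_host: str) -> list:
    """Simulate placing the agent, collecting its search results and removing it."""
    return list(SIMULATED_AGENT_RESULTS.get(client_host, []))


def incursion_probability(matched_weights) -> float:
    """Noisy-OR: treat matched indicators as independent pieces of evidence."""
    p_none = 1.0
    for w in matched_weights:
        p_none *= (1.0 - w)
    return 1.0 - p_none


def evaluate(report: EventReport, ioc_db: dict) -> Verdict:
    """Compare the agent's findings with the local database and decide on actions.
    ioc_db is updated in place when new evidence is recorded."""
    potential = dispatch_agent(report.client_host)
    matched = [i for i in potential if i in ioc_db]
    unmatched = [i for i in potential if i not in ioc_db]
    prob = incursion_probability(ioc_db[i] for i in matched)
    verdict = Verdict(probability=prob, matched=matched, new_evidence=[])
    if prob < DECISION_THRESHOLD:
        return verdict                     # no evidence of malware: no response
    # Indicators that co-occurred with known-bad ones are stored as new, low-weight evidence.
    for i in unmatched:
        ioc_db[i] = 0.2
        verdict.new_evidence.append(i)
    verdict.actions.append("update_local_ioc_db")
    # Instruction for the enterprise firewall: block the flagged communication.
    verdict.firewall_instruction = {
        "action": "block",
        "src": report.client_ip,
        "dst": report.remote_host,
        "reason": f"IOC match on {report.client_host} (p={prob:.2f})",
    }
    verdict.actions.append("configure_firewall")
    return verdict


if __name__ == "__main__":
    db = dict(LOCAL_IOC_DB)
    report = EventReport("ws-finance-07", "10.0.5.17", "evil-c2.example.invalid", "beacon")
    print(evaluate(report, db))
```

The database is passed in explicitly so that a caller controls which copy the new evidence is written to; the probability combination is deliberately simple and would be replaced by whatever scoring the platform actually uses.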