CPC H04L 63/1416 (2013.01) [H04L 63/145 (2013.01)] | 18 Claims |
1. A method, comprising:
receiving, from a remote management platform, a plurality of security rules at an endpoint detection and response (EDR) module at a user device;
subscribing, by the EDR module, to one or more event types at the user device;
receiving, at the EDR module, a notification of an event corresponding to one of the subscribed event types;
upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by an event tracer module, an event tracer tree that is associated with the file;
identifying, by the EDR module, a plurality of files in a file system at the user device to be scanned;
for each identified file, instantiating, by the EDR module, a respective sequential file reading thread;
upon receiving file data from each associated sequential file reading thread by a plurality of hash function threads at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for each sequential file reading thread;
generating, by the EDR module, a file hash value of the plurality of file hash values for the file using the event tracer tree;
upon determining, by the EDR module, that the file hash value satisfies a security rule, quarantining the file; and
reporting to a management platform that the file has been quarantined.
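The claim above describes a scanning pipeline rather than an implementation: one sequential reading thread per file, several hash-function threads consuming that single read stream concurrently, a per-file event tracer tree that collects the results, rule matching on the resulting digests, quarantine, and a report back to the management platform. The following is an added example, not code from the patent or its assignee, that implements that pipeline in Python. Everything not stated in the claim is an assumption made here: the rule format (`{"algo", "digest"}`), the layout of the `EventTracerTree` (the claim does not specify one), quarantine as a move into a quarantine directory, reporting as a callback, and the sample files and rule, which are constructed inside `demo()`.

```python
"""Added example: concurrent multi-hash file scanning in the shape of the
claimed method.  Not the patent's own code; rule format, tracer-tree layout,
quarantine-by-move and callback reporting are assumptions of this example."""
import hashlib
import os
import queue
import shutil
import tempfile
import threading

CHUNK_SIZE = 64 * 1024
_EOF = None  # sentinel: the reader is finished, hash threads may finalize


class EventTracerTree:
    """Minimal stand-in for the claim's event tracer tree: a root node for
    the file plus child nodes for observed events and computed digests
    (the patent does not specify the tree's structure)."""

    def __init__(self, path):
        self.path = path
        self.children = []  # (label, payload) in observation order

    def add(self, label, payload):
        self.children.append((label, payload))
        return self

    def digests(self):
        return {label[5:]: payload for label, payload in self.children
                if label.startswith("hash:")}


def _reader(path, inboxes):
    """Sequential file reading thread: reads the file exactly once and fans
    every chunk out to each hash thread's queue.  The finally block guarantees
    EOF delivery so hash threads never block forever if the read fails."""
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
                for q in inboxes:
                    q.put(chunk)
    finally:
        for q in inboxes:
            q.put(_EOF)


def _hash_worker(algo, inbox, results):
    """One hash-function thread: consumes chunks until EOF, stores hexdigest."""
    h = hashlib.new(algo)
    while True:
        chunk = inbox.get()
        if chunk is _EOF:
            break
        h.update(chunk)
    results[algo] = h.hexdigest()


def hash_file_concurrently(path, algos=("md5", "sha1", "sha256")):
    """Return {algo: hexdigest} for `path`, reading it once while all
    algorithms are computed concurrently.  Bounded queues stop the reader
    from buffering a large file ahead of slow hashers."""
    inboxes = [queue.Queue(maxsize=8) for _ in algos]
    results = {}
    threads = [threading.Thread(target=_hash_worker, args=(a, q, results))
               for a, q in zip(algos, inboxes)]
    threads.append(threading.Thread(target=_reader, args=(path, inboxes)))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def matches_rule(digests, rules):
    """Rules are assumed to be {"algo": ..., "digest": ...}; first hit or None."""
    for rule in rules:
        if digests.get(rule["algo"]) == rule["digest"]:
            return rule
    return None


def scan_directory(root, rules, quarantine_dir, report):
    """Identify files under `root`, hash each through its own reader and hash
    threads, record results in a tracer tree, quarantine hits, and call
    report(path, rule) for each quarantined file.  Returns {path: tree}."""
    os.makedirs(quarantine_dir, exist_ok=True)
    trees = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            tree = EventTracerTree(path).add("event", "file_scan_requested")
            for algo, digest in hash_file_concurrently(path).items():
                tree.add("hash:" + algo, digest)
            rule = matches_rule(tree.digests(), rules)
            if rule is not None:
                dest = os.path.join(quarantine_dir, name)
                shutil.move(path, dest)  # assumption: quarantine == move out of place
                tree.add("event", "quarantined:" + dest)
                report(path, rule)
            trees[path] = tree
    return trees


def demo():
    """Constructed sample: two files and one rule targeting the first.
    Returns plain values so a test can check quarantine and reporting."""
    work = tempfile.mkdtemp(prefix="edr-demo-")
    root, qdir = os.path.join(work, "fs"), os.path.join(work, "quarantine")
    os.makedirs(root)
    evil = b"hello world" * 20000  # larger than CHUNK_SIZE, so several chunks flow
    with open(os.path.join(root, "evil.bin"), "wb") as f:
        f.write(evil)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    # Constructed stand-in for rules "received from a remote management platform".
    rules = [{"algo": "sha256", "digest": hashlib.sha256(evil).hexdigest()}]
    reported = []
    scan_directory(root, rules, qdir,
                   lambda path, rule: reported.append(os.path.basename(path)))
    return {"reported": reported, "quarantined": sorted(os.listdir(qdir)),
            "remaining": sorted(os.listdir(root)),
            "evil_sha256": rules[0]["digest"],
            "quarantine_path": os.path.join(qdir, "evil.bin")}
```

The fan-out design is what makes "a plurality of hash functions concurrently for each sequential file reading thread" worthwhile: disk I/O happens once per file and the extra cost of a second or third algorithm is CPU only. Two caveats a practitioner would want next to this: exact-digest rules are trivially evaded by a one-byte change to the file, so in practice they sit beside behavioural and fuzzy-hash rules, and a file that is open for writing when it is hashed can yield a digest that matches neither the old nor the new content, which is why the event subscription in the claim matters for deciding when to scan.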