Every EDR and XDR vendor sells "detection," but the hard part is not spotting something suspicious — it is being right about it. A sensor that cries wolf trains analysts to ignore it. A FireEye patent family attacks exactly this, and it is worth reading at the claim level rather than from the product brochure.

The grant US10462173B1, "Malware detection verification and enhancement by coordinating endpoint and malware detection systems" (issued October 2019), describes a method in which a detection at one vantage point, say an endpoint agent flagging a process, is verified against a second system, such as a network-level malware detector. It is classified under CPC H04L 63/1433, within the H04L 63/14 group for detecting or protecting against malicious traffic, and the claim ties the final verdict to corroboration between the two systems rather than to either one acting alone.

The claimed method has a clear logical shape, and that is what makes it interesting: one sensor proposes, another confirms. An endpoint sees a behavior; the network detector independently assesses the related traffic or the sample; agreement raises confidence, disagreement triggers further analysis instead of a blind alert. This maps onto the product reality of modern XDR, which stitches together endpoint, network, and other telemetry; the patent claims one method of the kind that sits underneath that marketing category.
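To make the propose/confirm shape concrete, here is an added illustration of a corroboration step between an endpoint alert and a network sensor's verdict. It is not the patent's claimed method and not any vendor's code; the record layouts, the join on a shared indicator (destination or sample hash), the noisy-OR combination rule, the 0.8 confirmation threshold and all sample data are assumptions made for the example.

```python
# Added illustration of the "one sensor proposes, another confirms" shape
# described above. This is not the patent's claimed method and not any
# vendor's code; the record layouts, the noisy-OR combination rule, the
# 0.8 confirmation threshold and all sample data are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EndpointAlert:
    host: str
    pid: int
    image: str
    sha256: str      # hash of the flagged process image
    remote: str      # "ip:port" the process connected to
    score: float     # endpoint agent's own confidence, 0..1


@dataclass(frozen=True)
class NetworkVerdict:
    remote: str              # "ip:port" observed by the network sensor
    sha256: Optional[str]    # hash of a sample extracted from the flow, if any
    malicious: bool
    score: float             # network detector's confidence in its verdict, 0..1


CONFIRMED = "confirmed"   # both sensors say malicious: alert now
ESCALATE = "escalate"     # no second opinion, or weak agreement: deeper analysis
DISPUTED = "disputed"     # network looked at the same thing and called it clean


def matching(ep: EndpointAlert, verdicts: list[NetworkVerdict]) -> list[NetworkVerdict]:
    """Network verdicts that share an indicator (destination or hash) with the alert."""
    return [v for v in verdicts
            if v.remote == ep.remote or (v.sha256 is not None and v.sha256 == ep.sha256)]


def combine(p: float, q: float) -> float:
    """Noisy-OR of two confidences; assumes the two sensors err independently."""
    return 1.0 - (1.0 - p) * (1.0 - q)


def corroborate(ep: EndpointAlert, verdicts: list[NetworkVerdict],
                confirm_at: float = 0.8) -> dict:
    """Final verdict for one endpoint alert given the network sensor's view."""
    hits = matching(ep, verdicts)
    if not hits:
        # Nobody else saw it: not a page, not a discard, a request for more analysis.
        return {"verdict": ESCALATE, "confidence": ep.score, "evidence": []}
    bad = [v for v in hits if v.malicious]
    if bad:
        best = max(bad, key=lambda v: v.score)
        conf = combine(ep.score, best.score)
        verdict = CONFIRMED if conf >= confirm_at else ESCALATE
        return {"verdict": verdict, "confidence": round(conf, 3),
                "evidence": [v.remote if v.remote == ep.remote else v.sha256 for v in bad]}
    # The network sensor examined the same indicator and judged it clean:
    # discount the endpoint's confidence by how sure the network sensor is.
    clean = max(hits, key=lambda v: v.score)
    conf = ep.score * (1.0 - clean.score)
    return {"verdict": DISPUTED, "confidence": round(conf, 3),
            "evidence": [clean.remote if clean.remote == ep.remote else clean.sha256]}


# Constructed sample input (RFC 5737 documentation addresses, made-up hashes).
ENDPOINT_ALERTS = [
    EndpointAlert("ws-01", 4120, r"C:\Users\a\AppData\Local\Temp\upd.exe", "aa11" * 16, "203.0.113.7:443", 0.6),
    EndpointAlert("ws-02", 2288, r"C:\Windows\Temp\svc.exe", "bb22" * 16, "198.51.100.20:8443", 0.7),
    EndpointAlert("ws-03", 9001, r"C:\Program Files\Tool\tool.exe", "cc33" * 16, "192.0.2.10:443", 0.5),
    EndpointAlert("ws-04", 5150, r"C:\Users\b\Downloads\inv.exe", "dd44" * 16, "203.0.113.50:80", 0.3),
]
NETWORK_VERDICTS = [
    NetworkVerdict("203.0.113.7:443", None, True, 0.9),         # beacon signature matched
    NetworkVerdict("192.0.2.99:443", "cc33" * 16, False, 0.9),  # sample analysed, judged clean
    NetworkVerdict("203.0.113.50:80", None, True, 0.5),         # weak reputation hit
]


def run_samples() -> dict:
    """Corroborate every constructed endpoint alert against the network verdicts."""
    return {ep.host: corroborate(ep, NETWORK_VERDICTS) for ep in ENDPOINT_ALERTS}


if __name__ == "__main__":
    for host, result in run_samples().items():
        print(host, result)
```

The join on a shared indicator is the crux: ws-01 is confirmed because the network sensor independently flagged the same destination, ws-02 has no second opinion and is escalated rather than paged, ws-03 is disputed because the network sensor analysed the same hash and called it clean, and ws-04's weak agreement (0.65) still falls short of confirmation. The noisy-OR rule only makes sense if the two sensors fail independently; if both draw on the same threat-intelligence feed, their agreement is one signal counted twice, not corroboration.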

This is a family with a notable corporate trail, and that is part of the story. The 2019 FireEye grant is carried forward in US12166786B1 (December 2024), now assigned to Musarubra US LLC, the entity associated with Trellix, the security business that emerged from the FireEye/McAfee Enterprise combination. A later grant in the same family issuing in 2024, after the restructuring and to the successor entity, tells you the position was treated as worth the cost of maintaining through the ownership changes.

A different assignee stakes an adjacent idea worth noting. Forcepoint's US11632382B2 ("Anomaly detection using endpoint counters," 2023) claims detecting anomalies from counters maintained at the endpoint, a complementary approach in which the endpoint itself carries detection signal rather than only forwarding raw events. Different mechanism, same problem: make endpoint detection trustworthy.
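As an added illustration of what "detection signal carried in endpoint counters" can look like, the following learns a per-counter baseline from benign windows and flags a window whose counters deviate. It is not the Forcepoint patent's claimed method and not Forcepoint's code; the counter names, the Welford running baseline, the z-score threshold and the constructed sample windows are all assumptions made for the example.

```python
# Added illustration of counter-based endpoint anomaly detection in the spirit of
# the Forcepoint claim described above. It is not that patent's claimed method
# and not Forcepoint's code; the counter names, the Welford running baseline,
# the z-score threshold and the sample windows are all assumptions.
import math
from collections import defaultdict


class CounterBaseline:
    """Per-counter running mean and variance (Welford), learned from benign windows."""

    def __init__(self) -> None:
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)

    def update(self, name: str, x: float) -> None:
        self.n[name] += 1
        d = x - self.mean[name]
        self.mean[name] += d / self.n[name]
        self.m2[name] += d * (x - self.mean[name])

    def zscore(self, name: str, x: float) -> float:
        """Standard deviations from baseline; 0.0 while there is too little history to judge.

        A counter never seen during training also yields 0.0 here, so it is
        silently not judged; a production agent would want to surface that case.
        """
        n = self.n[name]
        if n < 2:
            return 0.0
        sd = math.sqrt(self.m2[name] / (n - 1))
        if sd == 0.0:
            # Constant history: any change at all is maximally surprising.
            return math.inf if x != self.mean[name] else 0.0
        return (x - self.mean[name]) / sd


def learn(windows: list[dict]) -> CounterBaseline:
    """Build a baseline from a list of per-window counter snapshots."""
    base = CounterBaseline()
    for w in windows:
        for name, x in w.items():
            base.update(name, x)
    return base


def anomalies(base: CounterBaseline, window: dict, z_threshold: float = 3.0) -> dict:
    """Counters in `window` whose |z| exceeds the threshold, mapped to their z-scores."""
    out = {}
    for name, x in window.items():
        z = base.zscore(name, x)
        if abs(z) > z_threshold:
            out[name] = round(z, 2)
    return out


# Constructed sample: ten one-minute windows of benign activity on one host,
# then one window in which the process tree fans out (mass child spawning).
BENIGN_WINDOWS = [
    {"children_spawned": c, "distinct_remotes": r, "bytes_out_kb": b}
    for c, r, b in zip([2, 3, 2, 4, 3, 2, 3, 3, 2, 4],
                       [1, 1, 2, 1, 1, 2, 1, 1, 1, 2],
                       [120, 150, 130, 160, 140, 110, 150, 130, 140, 170])
]
SUSPECT_WINDOW = {"children_spawned": 40, "distinct_remotes": 2, "bytes_out_kb": 165}


def run_sample() -> dict:
    """Score the suspect window against a baseline learned from the benign ones."""
    return anomalies(learn(BENIGN_WINDOWS), SUSPECT_WINDOW)


if __name__ == "__main__":
    print(run_sample())   # only children_spawned is flagged
```

Two caveats a practitioner would attach. The baseline is only as clean as the windows it was learned from: a host that was already compromised during training bakes the attacker's activity into "normal". And because the counters live on the endpoint, the verdict is only as trustworthy as the agent maintaining them, which is the same trust problem the coordinated-detection patent above tries to get around by asking a second vantage point.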

The discipline this desk insists on: this is a granted method, not proof of which shipping product implements it, and the claim covers the specific coordination mechanism, not the entire idea of combining sensors. But it does map cleanly to a real, shipping feature category — cross-telemetry verification in EDR/XDR — and the FireEye-to-Trellix trail is a small case study in how a detection patent outlives the company that filed it.