Patent 12113814 was granted and assigned to Kandji, Inc. in October 2024 by the United States Patent and Trademark Office.
A method involves receiving a plurality of security rules from a remote management platform at an endpoint detection and response (EDR) module at a user device. The EDR module subscribes to one or more event types at the user device. The EDR module receives a notification of an event corresponding to one of the subscribed event types. Upon determining that the event is associated with a file stored at the user device, the EDR module instantiates an event tracer tree that is associated with the file. The EDR module generates a file hash value for the file using the event tracer tree. Upon determining that the file hash value satisfies a security rule, the EDR module quarantines the file and reports that the file has been quarantined.
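
The flow described in the abstract, from subscribed event to file hash to rule match to quarantine and report, is sketched below as an added example; it is not code from the patent or from Kandji. Assumptions: the event type names, the rule format (an exact SHA-256 match), the quarantine directory, and the `TraceNode` class, which stands in for the event tracer tree because the abstract does not define its structure.

```python
import hashlib, os, shutil, tempfile
from dataclasses import dataclass, field

SUBSCRIBED = {"file_create", "file_exec"}  # hypothetical event type names

@dataclass
class TraceNode:
    """Assumed shape of an 'event tracer tree': one node per step for a file."""
    label: str
    children: list = field(default_factory=list)

    def add(self, label):
        self.children.append(TraceNode(label))

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large files are not loaded whole
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def handle_event(event, rules, quarantine_dir):
    """Return a report dict for a subscribed file event, else None."""
    path = event.get("path")
    if event["type"] not in SUBSCRIBED or not path or not os.path.isfile(path):
        return None  # unsubscribed type, or event not tied to a file
    tree = TraceNode(f"{event['type']}:{path}")
    digest = sha256_file(path)
    tree.add(f"sha256:{digest}")
    rule = next((r for r in rules if r["sha256"] == digest), None)
    report = {"path": path, "sha256": digest, "rule": None, "trace": tree}
    if rule:
        os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
        dest = os.path.join(quarantine_dir, digest)
        shutil.move(path, dest)   # take the file out of its original location
        os.chmod(dest, 0o000)     # and drop all permission bits
        tree.add(f"quarantined:{rule['id']}")
        report.update(rule=rule["id"], quarantined_to=dest)
    return report

def demo():
    """Constructed sample: two files, one rule, three events."""
    root = tempfile.mkdtemp()
    bad, ok = os.path.join(root, "bad.bin"), os.path.join(root, "ok.txt")
    with open(bad, "wb") as f: f.write(b"constructed-malicious-sample")
    with open(ok, "wb") as f: f.write(b"benign")
    rules = [{"id": "R1", "sha256": hashlib.sha256(b"constructed-malicious-sample").hexdigest()}]
    events = [{"type": "file_create", "path": bad},
              {"type": "file_create", "path": ok},
              {"type": "net_connect", "path": None}]
    return [handle_event(e, rules, os.path.join(root, "quarantine")) for e in events]
```

The report returned for each event carries the trace, so a management platform receiving it can see which rule fired and which steps preceded the quarantine.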