DCT

2:22-cv-00427

Taasera Licensing LLC v. Musarubra US LLC

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:22-cv-00427, E.D. Tex., 10/31/2022
  • Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Texas because Defendant maintains a regular and established place of business in Plano, Texas, within the district, and has committed acts of infringement in the district.
  • Core Dispute: Plaintiff alleges that Defendant’s endpoint and network security products infringe nine patents related to endpoint security, application attestation, risk detection, and access control.
  • Technical Context: The technology concerns cybersecurity systems designed to protect computer endpoints and networks by monitoring applications, detecting threats, and controlling access based on security policies and vulnerability assessments.
  • Key Procedural History: The complaint alleges that Defendant Trellix obtained the accused product lines from McAfee, LLC, following the divestiture of McAfee's enterprise business to Symphony Technology Group (STG) in July 2021. This transfer of ownership is central to the allegation that Trellix is the infringing party.

Case Timeline

| Date | Event |
|---|---|
| 2002-01-04 | Priority Date for '137 Patent |
| 2005-12-21 | Priority Date for '038, '997, '918 Patents |
| 2010-03-02 | Issue Date for '137 Patent |
| 2011-02-17 | Priority Date for '441 Patent |
| 2011-07-01 | Priority Date for '518 Patent |
| 2012-05-01 | Priority Date for '517, '948, '616 Patents |
| 2012-12-04 | Issue Date for '441 Patent |
| 2014-09-30 | Issue Date for '517 Patent |
| 2015-02-10 | Issue Date for '038 Patent |
| 2015-03-24 | Issue Date for '948 Patent |
| 2015-06-30 | Issue Date for '518 Patent |
| 2015-07-28 | Issue Date for '616 Patent |
| 2017-03-28 | Issue Date for '997 Patent |
| 2018-03-20 | Issue Date for '918 Patent |
| 2021-07-27 | McAfee divests enterprise business to Symphony Technology Group (STG) |
| 2022-01-18 | Defendant applies for TRELLIX trademark |
| 2022-10-31 | Complaint Filing Date |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,673,137 - System and Method for the Managed Security Control of Processes on a Computer System, issued March 2, 2010

The Invention Explained

  • Problem Addressed: The patent describes the challenge of protecting computer systems from malicious software ("malware") that is not a traditional, easily detectable virus. Conventional security approaches based on analyzing data packets in real-time often fail to detect harmful activities until after damage has occurred. (’137 Patent, col. 2:3-10, col. 2:60-67).
  • The Patented Solution: The invention proposes a two-phase, kernel-level protector system. In the first phase ("pre-execution"), the system rapidly validates whether a new program attempting to load has been previously approved and is unaltered, for example by checking a checksum against a database (’137 Patent, col. 3:25-37; FIG. 1). If not validated, the system enters a second phase where it monitors the program's activities at the operating system kernel level, intercepting triggers and system calls to detect and respond to suspicious behavior before it can cause harm (’137 Patent, col. 4:6-17).
  • Technical Importance: This approach aimed to provide faster and more efficient security by minimizing interruptions for known-good programs while applying deep, kernel-level monitoring to unknown or unvalidated programs before they execute. (’137 Patent, col. 3:25-32).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1. (Compl. ¶40).
  • Claim 1 breaks down into the following essential elements:
    • A pre-execution module for receiving notice from the OS that a new program is being loaded.
    • A validation module for determining if the program is valid.
    • A detection module for intercepting a trigger from the OS.
    • An execution module for monitoring the program at the operating system kernel in response to the intercepted trigger.

U.S. Patent No. 8,327,441 - System and Method for Application Attestation, issued December 4, 2012

The Invention Explained

  • Problem Addressed: In distributed computing environments like cloud computing, it is difficult to attest to the security and integrity of applications running on remote platforms. Traditional security is often based on static, topology-based rules rather than dynamic, context-aware business logic. (’441 Patent, col. 1:19-24, col. 1:41-47).
  • The Patented Solution: The invention describes a method where an "attestation server" remotely assesses a running application. The server receives a "runtime execution context" (including executable file binaries and loaded components) and a "security context" (including an execution analysis) from the remote platform. (’441 Patent, col. 14:14-25; FIG. 8). Based on this information, the server generates and sends back an "attestation result," which is a report indicating security risks associated with the application. (’441 Patent, col. 14:26-34).
  • Technical Importance: This method provides a way to dynamically verify the trustworthiness of an application in real-time, enabling more intelligent access control in complex, virtualized environments. (’441 Patent, col. 1:39-47).

Key Claims at a Glance

  • The complaint asserts at least independent claim 1. (Compl. ¶54).
  • Claim 1 breaks down into the following essential method steps performed by an attestation server:
    • Receiving a runtime execution context indicating attributes of an application at runtime.
    • Receiving a security context providing security information about the application.
    • Generating a report indicating security risks based on the received contexts.
    • Sending the report as an attestation result associated with the application.

Multi-Patent Capsule: U.S. Patent No. 8,850,517

  • Patent Identification: ’517 Patent, "Runtime Risk Detection Based on User, Application, and System Action Sequence Correlation," issued September 30, 2014.
  • Technology Synopsis: The patent addresses the need to detect advanced security threats by correlating sequences of user, application, and system actions over time. The invention provides a system with rules and policy databases to identify risky action sequences and assign a "behavior score" to an application based on its runtime activities. (Compl. ¶28; ’517 Patent, Abstract).
  • Asserted Claims: At least Claim 13. (Compl. ¶68).
  • Accused Features: The McAfee/Trellix Enterprise Security Manager with Advanced Correlation Engine is alleged to use correlation rules and assessment policies to assess runtime risk for applications executing on endpoints. (Compl. ¶¶68-69).

Multi-Patent Capsule: U.S. Patent No. 8,955,038

  • Patent Identification: ’038 Patent, "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities," issued February 10, 2015.
  • Technology Synopsis: The technology relates to centrally managing endpoint compliance by using a remote computing system to configure policies, monitor operating conditions on the endpoint via software agents, and initiate actions based on the endpoint's compliance state. This allows for remote enforcement of security policies based on real-time endpoint status. (Compl. ¶29; ’038 Patent, Abstract).
  • Asserted Claims: At least Claim 12. (Compl. ¶82).
  • Accused Features: The McAfee/Trellix ePolicy Orchestrator and Policy Auditor are accused of providing a remote user interface to configure policies, using agents to monitor endpoint conditions, and initiating actions based on the endpoint's compliance state. (Compl. ¶¶82-84).

Multi-Patent Capsule: U.S. Patent No. 8,990,948

  • Patent Identification: ’948 Patent, "Systems and Methods for Orchestrating Runtime Operational Integrity," issued March 24, 2015.
  • Technology Synopsis: The patent describes providing real-time operational integrity for an application by using sensory inputs to monitor network dialogs, system operations, and resource utilization. The system correlates this data to classify threats and displays real-time status indications on administrative dashboards. (Compl. ¶30; ’948 Patent, Abstract).
  • Asserted Claims: At least Claim 1. (Compl. ¶99).
  • Accused Features: McAfee/Trellix MVISION EDR with Application and Change Control is alleged to monitor endpoint activity via sensory inputs, correlate threat classifications using frameworks like MITRE ATT&CK, and display real-time status on dashboards. (Compl. ¶¶100-104).

Multi-Patent Capsule: U.S. Patent No. 9,071,518

  • Patent Identification: ’518 Patent, "Rules Based Actions for Mobile Device Management," issued June 30, 2015.
  • Technology Synopsis: The invention relates to managing a diverse fleet of mobile devices, each with different operating systems. It proposes a server-based system that gathers real-time data about device attributes, evaluates that data against administrator-defined rules that apply uniformly across operating systems, and automatically initiates actions if a device is out of compliance. (Compl. ¶31; ’518 Patent, Abstract).
  • Asserted Claims: At least Claim 17. (Compl. ¶114).
  • Accused Features: McAfee/Trellix MVISION Mobile is accused of using a server (e.g., ePolicy Orchestrator) to gather real-time data from mobile devices (e.g., iOS and Android), evaluate attributes against rules, and initiate actions if a device is out of compliance. (Compl. ¶¶114-121).

Multi-Patent Capsule: U.S. Patent No. 9,092,616

  • Patent Identification: ’616 Patent, "Systems and Methods for Threat Identification and Remediation," issued July 28, 2015.
  • Technology Synopsis: The technology describes a system for providing runtime operational integrity using a trust orchestration server, a network trust agent, and an endpoint trust agent. The system analyzes endpoint events and third-party assessments to generate temporal events, which are then correlated to create an integrity profile for the system. (Compl. ¶32; ’616 Patent, Abstract).
  • Asserted Claims: At least Claim 1. (Compl. ¶131).
  • Accused Features: McAfee/Trellix MVISION EDR, comprising the ePolicy Orchestrator (trust orchestration server) and endpoint agents, is alleged to receive dynamic context from endpoints, analyze events, incorporate third-party data (e.g., MITRE ATT&CK), and generate integrity profiles. (Compl. ¶¶132-139).

Multi-Patent Capsule: U.S. Patent No. 9,608,997

  • Patent Identification: ’997 Patent, "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities," issued March 28, 2017.
  • Technology Synopsis: This patent is related to the ’038 Patent and describes a system for remotely controlling an endpoint's operation. A remote system uses a data store of policies and receives status information from software services on the endpoint to determine a compliance state and initiate a remedial action carried out by the endpoint's hardware processor. (Compl. ¶33; ’997 Patent, Abstract).
  • Asserted Claims: At least Claim 21. (Compl. ¶149).
  • Accused Features: The McAfee/Trellix ePolicy Orchestrator with Policy Auditor is alleged to provide a remote interface and policy data store to determine endpoint compliance and remotely initiate actions to ensure that compliance. (Compl. ¶¶150-155).

Multi-Patent Capsule: U.S. Patent No. 9,923,918

  • Patent Identification: ’918 Patent, "Methods and Systems for Controlling Access to Computing Resources Based on Known Security Vulnerabilities," issued March 20, 2018.
  • Technology Synopsis: This patent, also related to the ’038 and ’997 patents, describes a system for controlling endpoint operation that uses both endpoint status information and user information to determine a compliance state. Based on this state, the remote system authorizes the endpoint's access to a network computing resource. (Compl. ¶34; ’918 Patent, Abstract).
  • Asserted Claims: At least Claim 1. (Compl. ¶165).
  • Accused Features: McAfee/Trellix ePolicy Orchestrator with Policy Auditor is alleged to receive status and user information from an endpoint, determine a compliance state based on that information and stored policies, and authorize network access in response to that state. (Compl. ¶¶166-171).

III. The Accused Instrumentality

Product Identification

  • The complaint identifies a suite of security products, referred to under both McAfee and Trellix branding, including at least McAfee/Trellix Endpoint Security, Application Control, EDR, XDR, ePolicy Orchestrator, Enterprise Security Manager, Advanced Correlation Engine, Policy Auditor, and Trellix Mobile Security (McAfee MVISION Mobile). (Compl. ¶35).

Functionality and Market Context

  • The accused products form an integrated enterprise security platform designed to protect endpoints (e.g., desktops, servers, mobile devices) from cybersecurity threats. (Compl. ¶35).
  • The complaint alleges these products operate by deploying agents on endpoints, which collect data and enforce policies managed by a central server, such as the ePolicy Orchestrator (ePO). (Compl. ¶48, ¶62, ¶132).
  • The platform is alleged to provide functionalities such as application whitelisting, threat behavior analysis, memory overflow prevention, and risk-based access control. (Compl. ¶42, ¶43, ¶55, ¶69).
  • The complaint provides a diagram describing the architecture of the McAfee ePO platform, showing how endpoint agents communicate with a central server that manages policies and analyzes threat data. (Compl. p. 13, Figure 1).

IV. Analysis of Infringement Allegations

’137 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| a pre-execution module operable for receiving notice from the computing device’s operating system that a new program is being loaded onto the computing device | McAfee Application Control's Execution Control feature receives notice from the endpoint's operating system when a user attempts to execute a file. | ¶41 | col. 4:1-5 |
| a validation module coupled to the pre-execution monitor operable for determining whether the program is valid | McAfee Application Control checks if the program is on an approved whitelist or originates from a trusted updater to validate it. | ¶42 | col. 4:5-9 |
| a detection module coupled to the pre-execution monitor operable for intercepting a trigger from the computing device’s operating system | McAfee Application Control is alleged to detect and prevent memory buffer overflow attacks, which are triggered by program execution. | ¶43 | col. 4:10-13 |
| an execution module coupled to the detection module and operable for monitoring, at the operating system kernel of the computing device, the program in response to the trigger intercepted by the detection module | McAfee Endpoint Security’s Kernel Exploit Prevention allegedly continues to monitor the new program after the trigger is detected. The complaint provides a diagram showing Kernel Mode Drivers as part of the accused product's architecture. (Compl. p. 13, Figure 1). | ¶44 | col. 4:13-17 |

  • Identified Points of Contention (’137 Patent):
    • Scope Questions: A central question may be whether the accused product's architecture, which includes distinct components like "Application Control" and "Kernel Exploit Prevention," maps onto the claimed system structure of four distinct but coupled "modules."
    • Technical Questions: What evidence does the complaint provide that the detection of "memory buffer overflow attacks" constitutes "intercepting a trigger from the computing device's operating system" as specifically required by the claim, rather than a more general post-execution monitoring function?

’441 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| receiving, by the attestation server...a runtime execution context indicating attributes of the application at runtime, wherein the attributes comprise one or more executable file binaries of the application and loaded components... | McAfee/Trellix ePolicy Orchestrator (the alleged attestation server) receives process attributes and context information, such as a "Story Graph" showing process execution, from endpoints. A "Story Graph" visual depicts the runtime process tree of an executable. (Compl. p. 18, Figure 2). | ¶56 | col. 14:14-20 |
| and a security context providing security information about the application, wherein the security information comprises an execution analysis... | The ePolicy Orchestrator allegedly receives and processes behavior analyses for detected threats based on the received context information. | ¶56 | col. 14:20-25 |
| generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result | The ePolicy Orchestrator is alleged to generate alerts and reports for detected threats, which function as the claimed report. An example "Threat Event Log" is provided. (Compl. p. 19). | ¶57 | col. 14:26-31 |
| sending, by the attestation server, the attestation result associated with the application | The ePolicy Orchestrator allegedly sends notification of the threat by saving it in the threat events log and notifying administrators. | ¶58 | col. 14:32-34 |

  • Identified Points of Contention (’441 Patent):
    • Scope Questions: Does the ePolicy Orchestrator, which acts as a central management server, meet the claim definition of an "attestation server" whose purpose is to provide an "attestation service"?
    • Technical Questions: Does the combination of "process attributes" and "behavior analyses" received by the ePolicy Orchestrator constitute the distinct "runtime execution context" and "security context" required by the claim, or are they a single, undifferentiated stream of threat data?

V. Key Claim Terms for Construction

For the ’137 Patent:

  • The Term: "at the operating system kernel"
  • Context and Importance: This term is critical because it defines the specific location and privilege level where the "monitoring" must occur. Defendant may argue its monitoring occurs at a different layer of the operating system or application stack, while Plaintiff will likely contend that components like Defendant's "Kernel Exploit Prevention" operate at this fundamental level.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The patent states that the protector system's drivers are "linked to the system call hooks 175 within the kernel," suggesting that any monitoring function connected to these hooks could qualify. (’137 Patent, col. 7:1-3).
    • Evidence for a Narrower Interpretation: The detailed description of the architecture shows the "Behavior Monitors" and "Detect Drivers" residing within a distinct "Kernel space 107" of the "Operating System (kernel) 180," which may suggest the monitoring itself, not just the triggers, must physically operate within that specific space. (’137 Patent, FIG. 1).

For the ’441 Patent:

  • The Term: "runtime execution context"
  • Context and Importance: The infringement allegation hinges on whether the information sent from the endpoint to the ePolicy Orchestrator (e.g., process attributes, story graphs) meets the definition of a "runtime execution context." Practitioners may focus on this term because the patent defines it as comprising "one or more executable file binaries...and loaded components," which may be a more specific requirement than simply sending process metadata.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the context as representing the "level of contextual trustworthiness, at near real time, of a running application," which could support an argument that any data conveying real-time application status qualifies. (’441 Patent, Abstract).
    • Evidence for a Narrower Interpretation: The claim explicitly requires the context to comprise "one or more executable file binaries of the application and loaded components." This language could be construed to require the transmission of the actual binary files or their direct components, rather than just metadata or graphical representations of their execution. (’441 Patent, col. 14:18-20).

VI. Other Allegations

  • Indirect Infringement: For each asserted patent, the complaint alleges induced infringement. The allegations are based on Defendant providing the accused products along with instruction and installation manuals, customer service, technical support, and training that allegedly instruct and encourage end-users to install and use the products in an infringing manner. (Compl. ¶¶45-48, 59-62, 73-76, 90-93, 105-108, 122-125, 140-143, 156-159, 172-175).
  • Willful Infringement: The complaint does not contain a separate count for willful infringement. However, for each patent, it alleges that Defendant acted "with knowledge" of the patent "at least as of the date of this Complaint" and "knowingly and intentionally induced" infringement. This suggests an allegation of willfulness based on post-suit knowledge. (Compl. ¶¶46, 60, 74, 91, 106, 123, 141, 157, 173).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A central issue will be one of architectural mapping: can the collection of distinct software products and features in the accused Trellix platform be mapped onto the specific multi-module system structures required by the claims of patents like the ’137 Patent, or is there a fundamental mismatch in how the systems are designed and operate?
  • A key evidentiary question will be one of data content: do the data streams sent from endpoints to the central Trellix server (such as process metadata and "Story Graphs") contain the specific information—for example, "executable file binaries" as required by the ’441 Patent—or do they merely convey higher-level abstractions of runtime events?
  • A cross-cutting legal question will be one of continuity of infringement: how will the transfer of the accused product lines from McAfee to Trellix impact the timeline and scope of infringement, particularly concerning allegations of knowledge and intent for inducement and potential willfulness?