DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending and herein considered.

Claim Rejections - 35 USC § 101
Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claims 16-20 recite a “machine-readable storage medium” comprising instructions to perform the listed method steps. While the specification provides a definition for “computer-readable storage media” that excludes transitory signals (par. 64), it does not provide a definition for the claimed “machine-readable storage medium”. In the absence of a definition, the term “machine-readable storage medium” may be a transitory signal. However, a “signal per se does not fit any of the 4 statutory categories of patent eligible subject matter”. See In re Nuijten, 500 F.3d 1346.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Oberheide et al. US 2009/0044024 A1 (hereinafter Oberheide) in view of Yumer US 2016/0366167 A1 (hereinafter Yumer) and further in view of McDougal US 2016/0269422 A1 (hereinafter McDougal).
Regarding claim 9, Oberheide substantially discloses:
A method, comprising (A method, system and computer/machine readable medium for analyzing files to identify, evaluate and mitigate malware (Oberheide: par. 34-35, 39, 75-81); the “proposed method enables the use of file access history to identify all the users, hosts, and applications that may be previously access that suspicious file” and to “identify…all devices that had accessed this file”, such that a suspicious file points to users/devices potentially infected by the suspicious file, or a file points to malicious users/devices that (misused the file and) potentially infected the file (Oberheide: par. 82, 96, 101); the system including a database (storage system) to perform the method (Oberheide: par. 5-6, 16, 27, 82)):
obtaining, by a device operatively coupled to a processor, user identities that are associated with having made at least one modification to a first file stored on a data storage system, resulting in a group of modifying user identities (“Historical data may consist of previous accesses or modifications to the file, the user which performed them, and when they were performed and may be tracked and archived over time by the host agent”, where historical data is built at least in part from “filesystem metadata” and is stored in a file (access) history database (Oberheide: par. 27, 28, 96, 99). File usage information stored in a file usage database tracks the files accessed by “different users and computers”, as well as “the misuse of files”; hence, file usage information “can be 
Oberheide does not expressly disclose how intruders (malicious users) that access (and use) files are identified, i.e. he does not expressly disclose a group of malicious user identities. However, Yumer discloses a “method for determining malicious-download risk based on user behavior” that classifies users downloading/updating files as belonging to a group of high risk (malicious) users, or to a group of low risk users; the classification of the users is dynamic and is periodically re-assessed by collecting and analyzing additional user behavior data, which may result in “identifying a new set of users [group of malicious users] that are at high risk for malicious downloads” (Yumer: e.g. par. 4, 6-8, 31, 35, 51). In response to classifying the “user as high-risk”, a number of security actions are performed, including scheduling “more frequent anti-virus scans”, where “the high-risk pattern of download behavior” of the user is used as a predictor of malware infections (Yumer: par. 52-55). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Oberheide and Yumer. One would have done so at least because the high risk pattern of download behavior is a predictor of malware infections requiring security measures, e.g. restricting “traffic from computing device 504 in order to prevent malware from spreading to the rest of the organization”, and performing more frequent anti-virus scans (Yumer: par. 53-54), i.e. scans performed as soon as possible to prevent spreading of the malware. Moreover, in the context of Oberheide modified, the files historical data (Oberheide, above) and user classification group of malicious users] that are at high risk for malicious downloads (Yumer, above).
Advantageously, this procedure also identifies the files that need to be scanned (as soon as possible) more frequently (only those that were accessed by malicious users), thus performing more efficient and economic scanning. Accordingly, Oberheide in view of Yumer discloses:
comparing, by the device, respective modifying user identities of the group of modifying user identities to respective malicious user identities of a group of malicious user identities (as outlined above); and
in response to identifying at least one match between a modifying user identity of the group of modifying user identities and a malicious user identity of the group of malicious user identities (performing a scan, as outlined above).
 Oberheide as modified above discloses more frequent scans (as soon as possible), but does not expressly disclose scan priorities. However, McDougal teaches a malware analysis module that “queue the files to be analyzed for malware” and performs the malware analysis of the files in the queue in the background, while they are not used; files that are required to be analyzed in a short time (e.g. to be used), are “prioritized and skip ahead in the queue” (McDougal: par. 15, 40). Moreover, to further speed up the analysis of a requested file, the file is analyzed in real time (McDougal: par. 38). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Oberheide as modified above 
assigning, by the device, a first scan priority to the first file (the file accessed by at least one malicious user skips “ahead in the queue”) that is higher than a second scan priority assigned to a second file (a file not accessed by a malicious user is queued and is analyzed in the background according to the order it was inserted in the queue) stored on the data storage system that is different than the first file.
The aforementioned covers all the limitations of claim 9.
	
Regarding claims 10-15, the rejection of claim 9 under 35 U.S.C. 103 is incorporated herein. In addition, Oberheide in view of Yumer and McDougal discloses:
(10) Recording, by the device, the group of modifying user identities as an attribute of the first file, wherein the obtaining the user identities comprises obtaining the group of modifying user identities via the attribute of the first file (Oberheide: par. 27-28, 96, 99; and as outlined for the rejection of claim 9).
(11) Generating, by the device, a malware scan queue that includes the first file and the second file; and directing, by the device, a first malware scan of the first file and a second malware scan of the second file in an order defined by the malware scan queue (The queue disclosed by McDougal and outlined for the rejection of claim 9).
(12) The assigning the first scan priority comprises moving the first file ahead of the second file in the malware scan queue (files that are required to be analyzed in a 
(13) The directing the malware scans comprises directing the first malware scan of the first file in response to identifying the at least one match, and wherein the method further comprises: removing, by the device, the first file from the malware scan queue in response to completion of the first malware scan (Like in any processing queue, the file is processed when it is at the head of the queue and is removed from the queue after processing to allow the next file in the queue to be moved at the head of the queue and to be processed).
(14) Identifying, by the device, a third file in the malware scan queue that has been modified by the malicious user identity, wherein the third file is different from the first file and the second file, and wherein the assigning the first scan priority comprises assigning the first scan priority to the third file in response to the identifying the third file (When a third file that has been modified by the malicious user is identified, the process described by McDougal (par. 15, 40; and per claim 12) is repeated).
(15) The first scan priority comprises a real-time scan priority and the second scan priority comprises a scheduled scan priority (The first scan is a real-time scan, and the second scan is a background queue ordered scan, as outlined for the rejection of claim 9).

Regarding claims 1-2 and 4-8, they correspond to claims 9-15 respectively, and claims 1-2 and 4-8 do not disclose beyond the features of claims 9-15. Therefore, claims 1-2 and 4-8 are rejected under 35 U.S.C. 103, as being unpatentable over 

Regarding claim 3, the rejection of claim 1 under 35 U.S.C. 103 is incorporated herein. In addition, Oberheide in view of Yumer and McDougal discloses:
The file tracking component clears the set of modifying users in response to a malware scan of the first file indicating that the first file does not contain malware (When the file is a clean file, the file history must be reset (a new history of the file accesses is started), otherwise the file is scanned again based on the old history, as any person of ordinary skill in the art would have understood and would have implemented. Similar to a flag set to perform an action, and cleared after the action is performed, i.e. basic programming knowledge).

Regarding claims 16-20, they correspond in part to claims 9 and 11-14 respectively, and claims 16-20 do not disclose beyond the features of claims 9 and 11-14. Therefore claims 16-20 are rejected under 35 U.S.C. 103, as being unpatentable over Oberheide in view of Yumer and McDougal for the same reasons outlined for the rejection of claims 9 and 11-14.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Coronado et al. US 2016/0294847 A1

Nachenberg et al. US 2009/0282476 A1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/ADRIAN STOICA/Examiner, Art Unit 2494

/ROBERT B LEUNG/Primary Examiner, Art Unit 2494
2-16-2021