Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 are presented for examination.
This is a first action on the merits based on Applicant’s claims submitted 4/23/2019.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 4/29/2019, 7/28/2020, 11/17/2020, 12/17/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - Examiner's Note
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 102


A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 11-12, 16-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Palliyil et al. (US 2009/0019547 A1, hereinafter “Palliyil”).


Regarding claim 11, Palliyil teaches:
A system for repairing user devices infected with malicious code (fig. 2), the system comprising: 
a memory (Fig. 4, 400, par 53; i.e. repository 400) storing a plurality of files within a remote file storage system (Fig. 4, F1-F4, par 53; i.e. the memory is in the pool server 60) accessible by a plurality of user devices (par 53; i.e. the pool server’s repository 400 stores data on behalf of data processing systems 70, see also Fig. 4); and
an electronic processor configured to (i.e. the coordinator program 100 running on central server 60, see par. 38, and Figs. 4-5), in response to detection of (par 67; i.e. specific files have been found to be contaminated), 
determine a user device included in the plurality of user devices interacting with the infected file (par 67; the client antivirus program running on C4 (i.e. the data processing system 70) is alerted of the contaminated files by the coordinator program), 
determine antivirus software installed locally on the user device (par 67, antivirus program 90, Figs. 1, 4), 
prompt a user (i.e. client antivirus program) associated with the user device (i.e. data processing system) to approve remote initiation of the antivirus software (i.e. antivirus software ran by the antivirus program in local devices to scan files, see par 5) installed locally on the user device (par 67: “prompts the client antivirus program 90 on system C.sub.4 to perform 350 quarantining or decontamination”; Examiner notes that the term remote is implied on fig. 4-5, where coordinator program is remotely located from the client device.  Examiner also notes that the antivirus software is installed locally as paragraph 5, 38 in Palliyil teaches), and 
in response to receiving approval of the remote initiation of the antivirus software (par 67, prompting the user), remotely initiate the antivirus software installed locally on the user device (par 67, client antivirus program running on the local system C4 (in this particular case) performs quarantining or decontamination, see also par 50 “The quarantining and ”).  

Regarding claim 12, Palliyil teaches:
The system of claim 11, wherein the electronic processor is configured to determine the user device interacting with the infected file (Palliyil: par 67, i.e. client antivirus program performs quarantining or decontamination; Examiner notes that such actions imply an interacting with the infected file) by determining the user device uploading the infected file to the remote file storage system (Palliyil: par 50: “The quarantining and decontamination ... may be performed at the pool server on behalf of a number of systems in the network and a copy of the decontaminated version of the resource may be sent to the other systems”) or determining the user device modifying the infected file within the remote file storage system.  

Regarding claim 16, claims are set forth and rejected as discussed in claim 11.

Regarding claim 17, the claims are set forth and rejected as discussed in claim 12.

Regarding claim 18, Palliyil teaches:
The non-transitory computer-readable medium of claim 16, wherein determining antivirus software installed locally on the user device includes accessing registration (Palliyil: par 16-17: hash values are computed on local computer system on which resource is stored and then sent to repository at a pool server system… the identifiers represent the particular data processing systems).  


	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-4, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Palliyil et al. (US 2009/0019547 A1, hereinafter “Palliyil”) in view of Voronkov et al. (US 8,839,234 B1, hereinafter “Voronkov”).

Regarding claim 1, Palliyil teaches:
A method for repairing user devices infected with malicious code (fig. 2), the method comprising: 
storing registration information for each of a plurality of user devices accessing a remote file storage system (fig. 4, repository 400, hashes MD are stored, see also par 11), the registration information for each of the plurality of user devices including a unique identifier of each user device (par 16-17: hash values are computed on local computer system on which resource is stored and then sent to repository at a pool server system… the identifiers represent the particular data processing systems); and 
in response to detecting an infected file within the remote file storage system (par 67; i.e. specific files have been found to be contaminated),

determining, with an electronic processor remote from each of the plurality of user devices (i.e. the coordinator program 100 running on central server 60, see par. 38, and Figs. 4-5), a unique identifier (i.e. hashes are used to identify the data processing systems (i.e. user device)) of a user device included in the plurality of user devices interacting with the infected file (par 17: “identification of matches between the hash value of the first resource and stored resources, and the stored system identifiers, are used to identify systems within the plurality of data processing systems storing replicas of the first resource”) within the remote file storage (fig. 4, repository 400) system (par 67; the client antivirus program running on C4 (i.e. the data processing system 70) is alerted of the contaminated files by the coordinator program, see also Fig. 4-5),
Although Palliyil provides identification number for the user devices and the files, Palliyil does not explicitly teach, yet Voronkov suggests:
an identifier of an antivirus software installed locally on each user device (i.e. list of devices where security agents (antivirus software) are installed; col. 9 lines 4-12)
(i.e. list of devices) to identify, based on the unique identifier of the user device interacting with the infected file within the remote file storage system (i.e. targeted devices that need protection), an identifier of antivirus software installed locally (i.e. security agents and the version of the program) on the user device “the administrator defines the list of devices and/or groups of devices on which it is needed to install the security agents, and the version of the program being installed, to which a certain set of installation files correspond. The administrator can specify a list of users and/or groups of users in addition to, or instead of, a group of devices as the targets for installation.” (col. 9 lines 4-12), and
remotely initiating (Fig. 3A, step 325), with the electronic processor, the antivirus software installed locally on the user device based on the identifier of the antivirus software (Fig. 3, step 310 “Install security agent”, step 325 “launch security agent on the device”).  
	Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a mechanism to identify the antivirus software installed on each user device and use registration information related to the user device to access the identifier for the antivirus software, as taught by Voronkov, to Palliyil’s invention. The motivation to do so would have been “to produce a plurality of different specially-configured software installation packages” (Voronkov: Abstract).
Regarding claim 2, the combination of Palliyil and Voronkov teach:
The method of claim 1, further comprising presenting a user interface prompting a user (i.e. client antivirus program) of the user device (i.e. data processing system)  to approve remote initiation of the antivirus software (i.e. antivirus software ran by the antivirus program in local devices to scan files, see par 5) locally installed on the user device (par 67: “prompts the client antivirus program 90 on system C.sub.4 to perform 350 quarantining or decontamination”; Examiner notes that the term remote is implied on fig. 4-5, where coordinator program is remotely located from the client device.  Examiner also notes that the antivirus software is installed locally as paragraph 5, 38 in Palliyil suggests), and 
wherein remotely initiating the antivirus software installed locally on the user device includes remotely initiating the antivirus software installed locally on the user device  in response to receiving approval to remotely initiate the antivirus software through the user interface (Palliyil: par 67: “prompts the client antivirus program 90 on system C.sub.4 to perform 350 quarantining or decontamination”).  
Regarding claim 3, the combination of Palliyil and Voronkov teach:
The method of claim 1, wherein the registration information further includes at least one selecting from a group consisting of an operating system installed locally on each of the (Palliyil: par 17: “the system identifiers identify particular systems within the plurality of data processing systems at which the resources are stored”), a version of the operating system installed locally on each of the plurality of user devices, and a device type of each of the plurality of user devices.  

Regarding claim 4, the combination of Palliyil and Voronkov teach:
The method of claim 1, wherein determining the unique identifier of the user device included in the plurality of user devices interacting with the infected file within the remote file storage  system (Palliyil: par 67, i.e. client antivirus program performs quarantining or decontamination; Examiner notes that such actions imply an interacting with the infected file) includes determining the unique identifier of the user device uploading the infected file to the remote file storage system (Palliyil: par 50: “The quarantining and decontamination ... may be performed at the pool server on behalf of a number of systems in the network and a copy of the decontaminated version of the resource may be sent to the other systems”) or determining the unique identifier of the user device modifying the infected file within the remote file storage system.  

Regarding claim 19, Palliyil does not explicitly teach yet Voronkov suggests:
The non-transitory computer-readable medium of claim 16, wherein determining antivirus software installed locally on the user device includes receiving information associated with the antivirus software from a synchronization client installed locally on (Voronkov: col. 9 lines 62-64 “The groups of users, devices and other network objects on the administration server and in the directory service can be synchronized”).  
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a mechanism to receive information from the synchronization client on the antivirus software, as taught by Voronkov, to Palliyil’s invention. The motivation to do so would have been so that group of devices can be viewed as multiple separate devices, each of which is represented in the directory service (Voronkov: col. 9 lines 67 – col 10 lines 1-2).

Claims 5-10 are rejected under 35 U.S.C. 103 as being unpatentable over Palliyil et al. (US 2009/0019547 A1, hereinafter “Palliyil”) in view of Voronkov et al. (US 8,839,234 B1, hereinafter “Voronkov”) in further view of Teddy et al. (US 2014/0289853 A1, hereinafter “Teddy”).

Regarding claim 5, the combination of Palliyil and Voronkov do not explicitly teach yet Teddy suggests:
The method of claim 1, further comprising 
comparing the identifier (i.e. versions) of the antivirus software to a list of approved antivirus software applications (Teddy: par 17: “an antimalware support system can be configured to interoperate with multiple different versions or types of antimalware clients hosted by a variety of different host devices... configurable, for instance, by an administrator of the domain, to provide customized anti-”; Examiner notes that this comparison is implied in the configuration “configure to interoperate” as the antimalware support system must be able to distinguish which version or type of antimalware client is hosted in the device.  Furthermore, the language “configurable…to provide customized anti-malware…consistent with…domain specific rules, policies, characteristics, or definitions” imply that the antimalware in the host device is approved by the “rules, policies, characteristics, or definitions” as defined in the antimalware support system), and 
wherein remotely initiating the antivirus software installed locally on the user device includes remotely initiating the antivirus software installed locally on the user device when the identifier of the antivirus software (Teddy: par 17: “versions or types of antimalware clients”) is included in the list of approved antivirus software applications (Teddy: par 17: “an antimalware support system can be...configurable...to provide customized anti-malware support consistent...”; Examiner notes that this providing antimalware support consistent with the rules, policies, etc., suggest that the antimalware support system will perform remediation steps remotely initiated when the antimalware is consistent with such rules, policies, etc. [see also Abstract, par. 20]).  
	Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a mechanism to compare the identifier of the antivirus software to a known good list of antivirus software prior to installing the antivirus software, as taught by Teddy, to Palliyil and Voronkov’s (Teddy: par 3).

Regarding claim 6, the combination of Palliyil and Voronkov do not explicitly teach yet Teddy suggests:
The method of claim 1, wherein remotely initiating the antivirus software installed locally on the user device includes generating an application programming interface call (Teddy: par 52; i.e. remediation steps include making API calls to the host device) based on the identifier (Teddy: par 17: “multiple different versions or types of antimalware clients hosted by a variety of different host devices”) of the antivirus software (Teddy: par 52, remediation engine remotely launches a remediation action to the host device in connection with the malware issues discovered).  
	Accordingly, it would have been obvious to one having ordinary skill in the art before the filing date of the invention to have provided the generation of an API call based on the antivirus software, as taught by Teddy, to Palliyil and Voronkov’s invention. The motivation to do so would be in order to employ traffic management techniques so as to optimize use of network bandwidth in connection with outbound messages communicated from the antimalware support system [i.e. remote] to antimalware clients [i.e. user device] (Teddy: par 30).

Regarding claim 7, same rationale for combination of Palliyil, Voronkov and Teddy, which combined in claim 6, applies here as it encompasses same subject matter. Therefore, Palliyil, Voronkov and Teddy teach:
The method of claim 1, wherein remotely initiating the antivirus software installed locally on the user device includes generating an application programming interface call based on the identifier of the antivirus software (Teddy: par 52, remediation engine remotely launches a remediation action to the host device in connection with the malware issues discovered) and the user device (Teddy: par 52; i.e. remediation steps include making API calls to the host device).  

Regarding claim 8, same rationale for combination of Palliyil, Voronkov and Teddy, which combined in claim 6, applies here as it encompasses same subject matter. Therefore, Palliyil, Voronkov and Teddy teach:
The method of claim 1, wherein remotely initiating the antivirus software installed locally on the user device includes generating an application programming interface call based on the identifier of the antivirus software and the infected file (Teddy: par 52, remediation engine remotely launches a remediation action to the host device in connection with the malware issues discovered; Examiner notes that the malware issues also imply an infected file due to the malware).
 
Regarding claim 9, the combination of Palliyil and Voronkov do not teach yet Teddy suggests:
(Teddy: par 70; i.e. antimalware support system (is remote from host, see par. 17) is provided a query of a file by an antimalware client local to the host device) and presenting at least a portion of the status information within a user interface (Teddy: fig. 5). 
	Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a mechanism to provide status information of the antivirus software being installed and providing such status via the user interface, as taught by Teddy, to Palliyil and Voronkov’s invention. The motivation to do so would be in order to provide a variety of information to be communicated in the query response corresponding to all or a portion of the information available at or through the antimalware support system with regard to a particular file (Teddy: par 70).
 
Regarding claim 10, same rationale for combination of Palliyil, Voronkov and Teddy, which combined in claim 9, applies here as it encompasses same subject matter. Therefore, Palliyil, Voronkov and Teddy teach:
The method of claim 9, further comprising, in response to the status information indicating a failure of the antivirus software installed locally on the user device (Teddy: par 81: “based on the failure of unilateral (or antimalware support system-directed) attempts by the antimalware client to remediate the file... the antimalware support system, in connection with a query involving the file from the antimalware client, can ”), notifying a user of the user device of the failure and recommending an action for the user to perform to attempt to repair the user device (Teddy: par 81: “the antimalware support system can be invoked to assist the antimalware client (and its host device) with remediation of a particular file using functionality provided, at least in part, at the remote the antimalware support system.”).  


Claims 13-15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Palliyil et al. (US 2009/0019547 A1, hereinafter “Palliyil”) in view of Teddy et al. (US 2014/0289853 A1, hereinafter “Teddy”).

Regarding claim 13, Palliyil does not explicitly teach yet Teddy suggests:
The system of claim 11, wherein the electronic processor is further configured to compare the antivirus software installed locally on the user device to a list of approved antivirus software applications (Teddy: par 17: “an antimalware support system can be configured to interoperate with multiple different versions or types of antimalware clients hosted by a variety of different host devices... configurable, for instance, by an administrator of the domain, to provide customized anti-malware support consistent with one or more domain-specific rules, policies, characteristics, or definitions”; Examiner notes that this comparison is implied in the configuration “configure to interoperate” as the antimalware support system must be able to distinguish which version or type of antimalware client is hosted in the device.  Furthermore, the language “configurable…to provide customized anti-malware…consistent with…domain specific rules, policies, characteristics, or definitions” imply that the antimalware in the host device is approved by the “rules, policies, characteristics, or definitions” as defined in the antimalware support system), and remotely initiate the antivirus software installed locally on the user device when the antivirus software is included in the list of approved antivirus software applications (Teddy: par 17: “an antimalware support system can be...configurable...to provide customized anti-malware support consistent...”; Examiner notes that this providing antimalware support consistent with the rules, policies, etc., suggest that the antimalware support system will perform remediation steps remotely initiated when the antimalware is consistent with such rules, policies, etc. [see also Abstract, par. 20]).  
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a mechanism to compare the identifier of the antivirus software to a known good list of antivirus software prior to installing the antivirus software, as taught by Teddy, to Palliyil’s invention. The motivation to do so would be in order to identify malware that have the potential of damaging and compromising the security of computer systems (Teddy: par 3).

Regarding claim 14, Palliyil does not teach yet Teddy suggests:
(i.e. making API calls) based on at least one selected from a group consisting of the antivirus software, the user device, and the infected file (Teddy: par 52, remediation engine remotely launches a remediation action to the host device in connection with the malware issues discovered) and transmit the application programming interface call to the user device (Teddy: par 52; remediation steps include making API calls to the host device).  
Accordingly, it would have been obvious to one having ordinary skill in the art before the filing date of the invention to have provided the generation of an API call based on the antivirus software, as taught by Teddy, to Palliyil’s invention. The motivation to do so would be in order to employ traffic management techniques so as to optimize use of network bandwidth in connection with outbound messages communicated from the antimalware support system [i.e. remote] to antimalware clients [i.e. user device] (Teddy: par 30).

Regarding claim 15, Palliyil does not teach yet Teddy suggests:
The system of claim 11, wherein the electronic processor is further configured to receive status information from the antivirus software installed locally on the user device (Teddy: par 70; i.e. antimalware support system (is remote from host, see par. 17) is provided a query of a file by an antimalware client local to the host device) and presenting at least a portion of the status information within a user interface (Teddy: fig. 5).  
(Teddy: par 70).

Regarding claim 20, the claims are set forth and rejected as discussed in claim 14.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is (571)272-1787. The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on (571)272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  


/LIZBETH TORRES-DIAZ/Examiner, Art Unit 2495
/March 13, 2021/
/ltd/