DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/19/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement (IDS) submitted on 11/16/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement (IDS) submitted on 12/17/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 1, 4-11, 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Charters et al (PGPUB 2018/0204000), and further in view of Yoshikawa et al (PGPUB 2018/0020013).

Regarding Claim 11:
Charters teaches a system comprising: 
one or more hardware processors (abstract, method for safeguarding a stored file from malware; paragraph 85, computer system representative of server system 102 or client devices 120/130, including processor and memory); and 
a memory storing instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations comprising (paragraph 85-87, processor and memory storing instructions for execution by processor): 
accessing, by a cloud storage server, a plurality of server-stored files of a cloud storage account of a client device (paragraph 12, cloud-based backup service; paragraph 44-47, file storage analysis program (FSAP) receives file or group of files to storage account; FSAP buffers or caches (e.g. stores) files received for backup in order to perform analysis; FSAP analyzes received files); 
determining that one or more server-stored files from the plurality of server-stored files are affected by a malware activity (paragraph 47-49, FSAP analyzes received files by analyzing file attributes, extension, metadata, and/or structure to determine whether received file is affected by malware; paragraph 53-54, FSAP determines file is suspect (i.e. suspected of being affected by malware activity) and notifies user associated with file); 
generating a graphical user interface that includes a detection notification and a confirmation request (paragraph 55-56, FSAP notifies user that received file is suspect by utilizing UI of client device 120, or GUI associated with file backup program; notification message includes means for indicating a false-positive or confirming malware, e.g. web link or character string for input), the detection notification indicating a detected presence of malware in the one or more server-stored files (paragraph 55-56, FSAP notifies user that received file is suspect), the confirmation request indicating a request for the client device to confirm the detected presence of malware in the one or more server-stored files (paragraph 56, message (e.g. email) contains options to indicate false-positive or confirm malware, e.g. web links for each option); and 
receiving a confirmation response from the client device, the confirmation response identifying at least one of the one or more server-stored files and confirming the presence of malware activity in the identified server-stored files (paragraph 56, 69-70, user confirmation of false-positive or malware; file storage control program determines whether false-positive result is confirmed or not confirmed based on input from user via user device 120).
Charters does not explicitly teach the detection notification indicating metadata corresponding to the one or more server-stored files, the metadata indicating a suspicious file renaming activity.
However, Yoshikawa teaches the concept of generating a graphical user interface that includes a detection notification, the detection notification indicating the detected presence of malware in one or more files and metadata corresponding to the one or more files, the metadata indicating a suspicious file renaming activity (abstract, method for preventing malware attacks; process is judged as ransomware on the basis of certain conditions; paragraph 422-427, Fig. 43, warning screen presented when file content is modified and file name is modified; warning screen includes process name, behavior detected, i.e. “modification of file name”, affected file, and modified file name; user selects buttons to terminate process, ignore, or add to exclusion list); and
Charters teaches wherein the one or more files are server-stored files (paragraph 12, cloud-based backup service; paragraph 44-47, file storage analysis program (FSAP) receives file or group of files to storage account; FSAP buffers or caches (e.g. stores) files received for backup in order to perform analysis; FSAP analyzes received files).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the ransomware notification metadata teachings of Yoshikawa with the server-side malware detection and user confirmation teachings of Charters, in order to provide an end user with detailed information about the affected systems and nature of a possible attack, thereby enabling the user to more confidently make an informed decision regarding identification and remediation of a potential malware infection, resulting in the beneficial effect of further reducing the number of false-positives and false-negatives.

Regarding Claim 14:
Charters in view of Yoshikawa teaches the system of claim 11.  In addition, Yoshikawa teaches wherein the metadata comprises an identification of a subset of the one or more files (paragraph 422-427, Fig. 43, alert including affected file name), and
Charters teaches the one or more files are server-stored files (paragraph 12, 44-47, as above); and
the subset identified based on a common server-stored file share attribute identifying a shared user (paragraph 20, user profiles include list of users that share access to one or more files; paragraph 53, FSAP determines whether received file is suspect; FSAP determines that the received file that is shared by one or more users is suspect based on a comparison of the file received from device 120 and a same version or similar version of the file retrieved from another instance of device 120 of a user that shares the file), and
wherein the operations further comprise: 
(paragraph 55, file storage analysis program notifies each user that shares the received file that the file is suspect).
The rationale to combine Charters and Yoshikawa is the same as provided for claim 11 due to the overlapping subject matter between claims 11 and 14.

Regarding Claim 15:
Charters in view of Yoshikawa teaches the system of claim 11.  In addition, Charters teaches wherein the operations further comprise: 
restoring the identified server-stored files to a non-compromised version of the identified server-stored files at the cloud storage server based on a time at which the identified server-stored files became affected by the malware activity at the cloud storage server (paragraph 81, file storage control program restores one or more files to the user of device 120; based on determining which files are encrypted by ransomware, file storage control program restores unaffected version of the one or more files from storage).

Regarding Claim 16:
Charters in view of Yoshikawa teaches the system of claim 11.  In addition, Charters teaches wherein the operations further comprise: 
receiving, at the cloud storage server, a request from the client device to store a file at the cloud storage server (paragraph 44, 45, FSAP receives file/group of files to a storage account associated with a user for backup); 
storing the file in a storage device of the cloud storage server (paragraph 46, received files are cached (e.g. stored) pending analysis); 
(paragraph 46-48, FSAP analyzes received file to determine whether file is affected by malware; FSAP analyzed file attributes, etc.); 
detecting the malware activity based on the features of the server-stored file (paragraph 48, FSAP analyzes file and determines file is suspect of being affected by malware based on e.g. determining that file content does not match file extension); 
receiving, from the client device, a malware confirmation indicating a confirmation of the presence or an absence of the malware activity in the server-stored file (paragraph 56, 69-70, user confirmation of false-positive or malware; file storage control program determines whether false-positive result is confirmed or not confirmed based on input from user via user device 120); and 
updating an operation of the detection of the malware activity based on the received malware confirmation (paragraph 63, 69, 71, 84, responsive to determining that file is not suspect, FSAP stores file; if false-positive is not confirmed, file storage control program suspends rotation of files subject to backup).

Regarding Claim 17:
Charters in view of Yoshikawa teaches the system of claim 16.  In addition, Charters teaches wherein determining features of the server-stored file comprises: 
identifying an encryption status of the server-stored file (paragraph 48-49, FSAP analyzes file attributes to determine whether file is encrypted, such as by entropy analysis between two versions of the file); 
identifying a name extension of the server-stored file (paragraph 48, FSAP analyzes attributes such as whether file content matches file extension); 
identifying a content type of the server-stored file (paragraph 48, paragraph 48, FSAP analyzes attributes such as whether file content matches file extension); and
(paragraph 327-328, invention program for judging whether process is ransomware does not execute to programs listed in “Exclusion List”; i.e. if a detected process is on a whitelist, it is not intercepted by ransomware detector; paragraph 422-427, ransomware warning prompt includes “Add it to Exclusion List” button so a process can be added to the Exclusion List by a user, so as not to perform warning for the same process again, in the case that the user determines that the process is not ransomware).
The rationale to combine Charters and Yoshikawa is the same as provided for claim 11 due to the overlapping subject matter between claims 11 and 17.

Regarding Claim 18:
Charters in view of Yoshikawa teaches the system of claim 17.  In addition, Charters teaches wherein detecting the ransomware activity comprises: 
determining that the encryption status indicates that the server-stored file is encrypted and that a previous version of the server-stored file is unencrvpted (paragraph 48-49, FSAP analyzes file attributes to determine whether file is encrypted, such as by entropy analysis between two versions of the file); 
determining that the name extension or a file name of the server-stored file is indicative of the malware activity (paragraph 48, FSAP analyzes attributes such as whether file content matches file extension; if not, file is suspect); 
determining that the content type of the server-stored file does not correspond with a content associated with the name extension of the server-stored file (paragraph 48, FSAP analyzes attributes such as whether file content matches file extension; if not, file is suspect); and 
Yoshikawa teaches determining the previous user feedback in response to previous malware notifications related to the server-stored file (paragraph 327-328, invention program for judging whether process is ransomware does not execute to programs listed in “Exclusion List”; i.e. if a detected process is on a whitelist, it is not intercepted by ransomware detector; paragraph 422-427, ransomware warning prompt includes “Add it to Exclusion List” button so a process can be added to the Exclusion List by a user, so as not to perform warning for the same process again, in the case that the user determines that the process is not ransomware).
The rationale to combine Charters and Yoshikawa is the same as provided for claim 17 due to the overlapping subject matter between claims 17 and 18.

Regarding Claim 19:
Charters in view of Yoshikawa teaches the system of claim 16.  In addition, Charters teaches wherein updating the operation of the detecting the malware activity further comprises: 
identifying at least one of the server-stored file name or the server-stored name extension as safe from the malware activity in response to the confirmation response indicating the absence of the malware activity in the server-stored file (paragraph 25, 63-65, 84, file backup program removes file from file isolation in response to determining that a false-positive is confirmed; responsive to determining that the received file is not suspect, file storage analysis program stores the file and places the file within file rotation scheme).

Regarding Claims 1, 4-9:
	These are the computer-implemented method claims corresponding to the system of claims 11, 14-19, and are therefore rejected for corresponding reasons.

Regarding Claim 10:
Charters in view of Yoshikawa teaches the computer-implemented method of claim 6.

identifying at least one of the server-stored file name or the server-stored name extension as safe from the malware activity in response to the confirmation response indicating the absence of the malware activity in a client-stored file copy of the server-stored file (paragraph 25, 63-65, 84, file backup program removes file from file isolation in response to determining that a false-positive is confirmed; responsive to determining that the received file is not suspect, file storage analysis program stores the file and places the file within file rotation scheme; as files are stored on user device and serve file backup, response indicates absence of malware activity in client-stored file copy).

Regarding Claim 20:
	This is the machine-storage medium claim corresponding to the system of claim 11, and is therefore rejected for corresponding reasons.

Claims 2-3, 12-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Charters in view of Yoshikawa, and further in view of Brown (PGPUB 2019/0205530).

Regarding Claim 12:
Charters in view of Yoshikawa teaches the system of claim 11.  In addition, Yoshikawa teaches wherein the metadata comprises a file name, an extension name, and a type of activity identifying a nature of a modification of a corresponding file (paragraph 422-427, Fig. 43, alert including affected file name, extension (e.g. “Pdf”), and behavior (e.g. modification of file contents/file name)); and
(paragraph 12, 44-47, as above; paragraph 48, file extension of received file).
The rationale to combine Charters and Yoshikawa is the same as provided for claim 11 due to the overlapping subject matter between claims 11 and 12.
Charters in view of Yoshikawa does not explicitly teach wherein the metadata comprises a name of a user who last modified a corresponding server-stored file and a time of the modification.
However, Brown teaches the concept wherein metadata comprises a name of a user who last modified a corresponding server-stored file, and a time of the modification (abstract, techniques locate or identify malware based on events from or at monitored computing devices; paragraph 27, cluster computing system; paragraph 28, cluster deployed in cloud; paragraph 34, malware-detection algorithms performed on cluster computing devices; paragraph 78-81, detection module produces event record including one or more fields, e.g. event timestamp, associated user identifiers, and filenames).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the extended event metadata teachings of Brown with the server-side malware detection and user confirmation teachings of Charters in view of Yoshikawa, in order to provide a complete record of a potential malware event to the appropriate user or administrator, to further improve the ability to gather and act upon detailed forensic information related to possible anomalies or attacks, providing the beneficial effect of further reducing the number of false-positives and false-negatives.

Regarding Claim 13:
Charters in view of Yoshikawa and Brown teaches the system of claim 12.  In addition, Yoshikawa teaches wherein the metadata comprises an identification of a subset of the one or more (paragraph 422-427, Fig. 43, warning screen presented when file content is modified and file name is modified; warning screen includes process name, behavior detected, i.e. “modification of file name”, affected file, and modified file name; user selects buttons to terminate process, ignore, or add to exclusion list), the subset identified based on one of a common extension name (paragraph 422-427, Fig. 43, affected file identified with extension, e.g. “Pdf”), a common type of activity (paragraph 422-427, Fig. 43, nature of activity, e.g. “modification of file name” identified in warning), and a common name of the user who last modified the subset of the one or more server-stored files; and
Charters teaches the one or more files are server-stored files and extensions (paragraph 12, 44-47, as above; paragraph 48, file extension of received file).
The rationale to combine Charters and Yoshikawa is the same as provided for claim 12 due to the overlapping subject matter between claims 12 and 13.

Regarding Claims 2-3:
	These are the computer-implemented method claims corresponding to the system of claims 12-13, and are therefore rejected for corresponding reasons.

Response to Arguments
Applicant's arguments filed 10/23/2020 have been fully considered but they are not persuasive.

Regarding the claim objections:
Applicant’s amendments have overcome the previous claim objections, which are therefore withdrawn.

Regarding the rejection of claims under 35 USC 103:
Regarding Applicant’s arguments dated 10/23/2020, page 9 paragraph 2-page 10 paragraph 1, the Examiner responds: Charters in view of Sella was recited as teaching the displaying of the metadata regarding a potential malware activity (e.g. Sella paragraph 22).  It is therefore unnecessary for Brown to teach what Sella already teaches, i.e. “generating a graphical user interface that includes a detection notification, the detection notification indicating… metadata corresponding to the one or more server-stored files”.  Brown was recited as teaching that metadata corresponding to one or more server-stored files includes such metadata as filename before and after a rename, associated user, time of modification, etc., which relates to a detected malware activity.  Furthermore, arguments related to Sella are moot as Sella is no longer part of the rejection of claims 1-20.  However, a new ground(s) for rejection is provided above which teaches “the detection notification indicating… metadata corresponding to the one or more server-stored files, the metadata indicating a suspicious file renaming activity”, as added by amendment.
	Applicant’s arguments with regard to independent claims 11 and 20 are similar to those regarding claim 1 and are therefore responded to in a similar way.
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814.  The examiner can normally be reached on 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.










/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491