Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
No foreign priority is claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/14/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al. (US 2019/0235973 A1, hereinafter Brewer), in view of Cohen et al. (US 2020/0143054 A1, hereinafter Cohen).
For claim 1, Brewer teaches a method comprising: receiving, by a sandbox service associated with a network security platform protecting an enterprise network, a file containing malware from an endpoint security solution running on an endpoint device of the enterprise network and contextual information associated with the file, wherein the endpoint device has been infected by the malware (Fig. 1, 6; para 0004, 0064-0070, 0077, 0087 - malicious activity is detected at an infected device (endpoint), the respective file/code is sent to the sandboxing service using the file or its backup, and the journal file (snapshots) and other data pertaining to restoration from the ransomware damage, used in the restore operations, serve as the contextual information);
responsive to receipt of the file and the contextual information, capturing, by the sandbox service, information regarding a first series of actions performed by the malware, wherein each action of the series of actions is associated with a time stamp (para 0063, 0066-0067, 0084-0086 - infection point based on time, and the events 
based on the first series of actions, generating, by the sandbox service, a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state representing a state of the endpoint device prior to being infected by the malware (para 0063-0066, 0087 - steps or scripting of process that performs restoration based on pertinent and required data for restoring the system/file state to the pre-infected state); and 
causing, by the network security platform, the endpoint device to be returned to the pre-infected state by causing the endpoint security solution to execute the remediation script on the endpoint device (para 0062-0064, 0087-0089 - disaster recovery system causes the endpoint device to be restored to a good previous state via series of steps or scripted execution involving snapshots or incremental backups in a series).
Although Brewer teaches a series of steps to be taken to remediate the anomaly introduced by malware, and it would have been obvious to one of ordinary skill in the art to integrate such steps into an actionable script, Brewer does not explicitly teach a remediation script. Cohen, however, teaches steps for undo actions in the form of a remediation plan or script (para 0023-0030). Based on Brewer in view of Cohen, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Cohen in the system of Brewer in order to express the sequence of steps as a plan or a scripted sequence, thereby better organizing the execution of remediation or any such operation. This also facilitates associating such a plan or series of steps with any of the vast variety of scripting tools at the users' disposal, thereby making the system organized, more efficient and extensible.

For claim 2, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches wherein the contextual information is captured by the endpoint security solution responsive to detection of a suspicious or malicious event detected by the endpoint security solution that relates to a process running on the endpoint device that is associated with the file (para 0063, 0065-0067, 0084-0086 - the events represented by snapshots at specific times corresponding to activity recorded in the snapshot or in the incremental backup associated with anomaly or the malware activities also based on detection of divergence from the expected normal activities).

For claim 3, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches the method of claim 2, wherein the contextual information includes: command line information associated with the process; an execution chain associated with the process; a memory dump associated with the process; information indicative of an application with which the process is associated; information identifying an end user associated with the process; or environment variables associated with the process (para 0044-0045, 0064-0067 - application details are captured in snapshots that include anomalies associated therewith).

For claim 4, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches wherein the network security platform is associated with a cloud-based security service (Fig. 1, 2; para 0017, 0021, 0028, 0044-0045 - cloud-based security platform including disaster recovery system).

For claim 5, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches the method of claim 4, wherein the sandbox service is in a form of a virtual sandbox appliance (para 0077, 0087).

For claim 6, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer does not appear to explicitly teach this limitation; however, Cohen teaches wherein the second series of actions are based on reverse actions of the first series of actions (para 0024-0027, 0178, 0196 - undo operations which are the opposite of what was executed).

For claim 7, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer does not appear to explicitly teach this limitation; however, Cohen teaches wherein each action of the first series of actions is associated with an undo recipe that is used to generate the remediation script specifying the second series of actions (para 0024-0028, 0178, 0196 - undo operations which are the opposite of what was executed, resulting in an undo remediation plan corresponding to the second series of actions).

For claim 8, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer does not appear to explicitly teach this limitation; however, Cohen teaches wherein the first series of actions include one or more of: a change in a registry file of the endpoint device; a change in a system file of the endpoint device; addition of a new user account on the endpoint device; addition of a new firewall rule; and a change to an existing firewall rule (para 0011-0015, 0043, 0084, 0179 - registry entries or other rules changed by malware).
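As an added illustration of the limitations of claims 6-8 (reverse actions, per-action undo recipes, and the enumerated action types), the following example is not part of this office action and is not code from Brewer or Cohen. It turns a time-stamped sandbox trace of a first series of actions into a remediation script specifying the second series of actions: each action kind maps to an undo recipe, and the recipes are applied in reverse chronological order. The action vocabulary, the field names, the sample trace and the emitted PowerShell cmdlets are assumptions chosen for illustration.

```python
"""Generate a remediation script from a time-stamped trace of malware actions.

Illustrative example only (not from the office action or the cited
references).  Action kinds, field names and the PowerShell cmdlets emitted
are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Action:
    """One action observed by the sandbox, with its time stamp."""
    timestamp: datetime
    kind: str                           # e.g. "registry_set", "user_add"
    details: Dict[str, Optional[str]]   # parameters captured by the sandbox


# Undo recipes: each action kind maps to a function that produces the
# reverse action as one script line.  Recipes that restore a value need the
# pre-infection value captured alongside the action (old_value, backup,
# old_action/old_enabled); without it the action cannot be reversed.

def _undo_registry_set(d: Dict[str, Optional[str]]) -> str:
    if d.get("old_value") is None:  # value did not exist before infection
        return f"Remove-ItemProperty -Path '{d['path']}' -Name '{d['name']}'"
    return (f"Set-ItemProperty -Path '{d['path']}' -Name '{d['name']}' "
            f"-Value '{d['old_value']}'")


def _undo_file_modify(d: Dict[str, Optional[str]]) -> str:
    # Restore the system file from the pre-infection copy.
    return f"Copy-Item -Path '{d['backup']}' -Destination '{d['path']}' -Force"


def _undo_user_add(d: Dict[str, Optional[str]]) -> str:
    return f"Remove-LocalUser -Name '{d['user']}'"


def _undo_firewall_add(d: Dict[str, Optional[str]]) -> str:
    return f"Remove-NetFirewallRule -DisplayName '{d['rule']}'"


def _undo_firewall_modify(d: Dict[str, Optional[str]]) -> str:
    # Put the existing rule back to its recorded pre-infection settings.
    return (f"Set-NetFirewallRule -DisplayName '{d['rule']}' "
            f"-Action {d['old_action']} -Enabled {d['old_enabled']}")


UNDO_RECIPES: Dict[str, Callable[[Dict[str, Optional[str]]], str]] = {
    "registry_set": _undo_registry_set,
    "file_modify": _undo_file_modify,
    "user_add": _undo_user_add,
    "firewall_add": _undo_firewall_add,
    "firewall_modify": _undo_firewall_modify,
}


def build_remediation_script(actions: List[Action]) -> List[str]:
    """Return the second series of actions as script lines.

    Actions are undone newest-first, so that later changes which depend on
    earlier ones are removed before the things they depend on.  An action
    kind without an undo recipe raises instead of being skipped: a partial
    remediation would leave the endpoint in an inconsistent state.
    """
    lines: List[str] = []
    for act in sorted(actions, key=lambda a: a.timestamp, reverse=True):
        recipe = UNDO_RECIPES.get(act.kind)
        if recipe is None:
            raise ValueError(f"no undo recipe for action kind {act.kind!r}")
        lines.append(recipe(act.details))
    return lines


def render_script(actions: List[Action]) -> str:
    """Render the remediation script as text the endpoint agent would run."""
    header = "# remediation script generated from sandbox trace"
    return "\n".join([header] + build_remediation_script(actions)) + "\n"


# Constructed sample trace (not real telemetry), deliberately out of order.
SAMPLE_TRACE: List[Action] = [
    Action(datetime(2020, 7, 14, 10, 0, 10), "user_add", {"user": "svc_backup"}),
    Action(datetime(2020, 7, 14, 10, 0, 0), "registry_set",
           {"path": r"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "name": "Updater", "old_value": None}),
    Action(datetime(2020, 7, 14, 10, 0, 20), "firewall_modify",
           {"rule": "File and Printer Sharing (SMB-In)",
            "old_action": "Block", "old_enabled": "False"}),
    Action(datetime(2020, 7, 14, 10, 0, 5), "file_modify",
           {"path": r"C:\Windows\System32\drivers\etc\hosts",
            "backup": r"C:\Snapshots\hosts.bak"}),
    Action(datetime(2020, 7, 14, 10, 0, 15), "firewall_add", {"rule": "Remote Assist"}),
]

if __name__ == "__main__":
    print(render_script(SAMPLE_TRACE))
```

The sorting step is what makes the script safe to run as a whole: the firewall rule is removed before the account it was added for, and the persistence key is removed last, mirroring the order in which the malware built up its changes. Recording the pre-infection value with each action (old_value, backup, old_action) is what distinguishes a restorable action from one that can only be deleted.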

For claim 9, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches wherein the sandbox service captures the information regarding the first series of actions by tracing operating system code of the endpoint device (para 0045, 0064, 0075 - snapshot includes a copy of operating system code).

For claim 11, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer further teaches wherein the sandbox service captures the information regarding the first series of actions based on at least one of static analysis or dynamic analysis of the file (para 0016, 0067 - recording new and modified files as a dynamic way of checking files for malware or anomaly; para 0070 - may be viewed as static file analysis using backup data).

For claim 12, the claim limitations are similar to those of claim 1, except the instant claim 12 is drawn to a non-transitory computer-readable storage medium embodying a set of instructions (para 0098-0100), which when executed by one or more processing resources, performs the method as claimed in claim 1 above. Therefore the instant claim 12 is rejected according to claim 1 as above.

As to claims 13-20, the claim limitations are similar to those of claims 2-8 and 11 respectively. Therefore the instant claims 13-20 are rejected according to claims 2-8 and 11 respectively as above.


Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al. (US 2019/0235973 A1, hereinafter Brewer), in view of Cohen et al. (US 2020/0143054 A1, hereinafter Cohen), and further in view of Largman et al. (US 2010/0005531 A1, hereinafter Largman).
For claim 10, Brewer in view of Cohen teaches the claimed subject matter as discussed above. Brewer and Cohen do not appear to explicitly teach this limitation; however, Largman teaches wherein a three-dimensional in-memory graph represents the first series of actions in an operating system of the endpoint device (para 0276-0280 - a 3- and 4-dimensional virtual space is created in memory to store events in the device operating system).
Based on Brewer in view of Cohen and Largman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Largman in the system of Brewer in view of Cohen in order to use various memory-based structures to organize and utilize data during security processing of the data elements, thereby making the system more efficient and extensible.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey Pwu, can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433