Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

DETAILED ACTION
Claims 1-21 are pending in this office action.
Applicant’s arguments, filed 08/24/2021, have been fully considered but they are not persuasive.

Priority
Foreign priority claimed to RU2019120220, filed 06/28/2019. However in order to be entitled to the benefit of earlier filing date of 06/28/2019 under the first inventor to file provisions of the AIA , an English translation of the priority application needs to be filed. Since an English translation of the priority application is missing, the effective filing date of this application for the purpose of overcoming a prior-art reference will be considered as the filing date of this application, which is 10/31/2019 (See MPEP § 216.01).
Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 07/09/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant argues:
In the Office Action, page 8-9, the Examiner conceded that Viljoen and Sobel fail to describe or suggest "determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group, the outside services including any number of servers of a cloud infrastructure with which a computing device is communicatively coupled." However, the Examiner alleges that Teddy closes the significant gap left by Viljoen and Sobel. The Examiner's assertion is respectfully traversed. Teddy describes or suggests a server assisted anti-malware client where a file is identified by the host device, a local reputation data and anti-malware support system is searched to determine whether to allow loading the file on the host device. The cited paragraphs of Teddy describe querying outside sources for assistance but obtaining verdicts of outside services for all of the files of a group is not disclosed or suggested by Teddy.

Examiner Response:
Regarding argument (a), examiner respectfully disagrees with applicant. Examiner would like to point out, based on the rejection, that Viljoen discloses determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group (para 0020, 0025, 0034 – the files in the package may be assigned “provided-trusted” trust level based on the digital signature of the provider/vendor, implying that if the digital signature can’t be verified or the vendor/dominant developer cannot be verified, then other means or services such as hygiene ratings of the outside clients, or the backend utilizing other external information to determine trustworthiness, may be used). Viljoen further discloses that the outside services comprise at least one protection system of at least one computing device on which the files are stored (Fig. 1, 3; para 0020, 0025, 0034 - outside service associated with corresponding protected/trusted system). 
As to the structure/location of such outside services (or of the corresponding devices hosting the services) that perform functions such as providing verdicts, or providing trust levels which may be viewed as providing verdict on trustworthiness similar to functionality of the outside service of Viljoen in view of Sobel, it would be obvious to implement or extend the ‘outside service’ anywhere in or outside the system, in any network or even in a cloud infrastructure, which is also very well-known in the art for achieving efficiency and flexibility offered by such cloud-based arrangements. So, as explained in the rejection, the feature of the outside service comprising any number (one or more) of servers of a cloud infrastructure with which the at least one computing device is communicatively coupled, is not explicitly disclosed by Viljoen in view of Sobel, however the analogous reference Teddy teaches the same as explained in the rejection (Fig. 4; para 0028, 0071-0074, 0126 – example of outside service (client) to determine trust level based on maliciousness determination, wherein the protection system comprises various components communicatively coupled in the architecture - i.e. wherein the outside services comprise any number of servers of a cloud infrastructure with which the at least one computing device is communicatively coupled, wherein at least one protection system of the at least one computing device on which the files are stored). Thus, Teddy reference is mainly to support the process of hosting similar services in one or more servers anywhere in the system network or in a cloud, which is also an obvious matter of mere arranging or rearranging different components of the system within the system’s network, which is believed to be achieved by the combination of Viljoen in view of Sobel and Teddy.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Viljoen (US 2010/0077479 A1), in view of Sobel (US 2009/0083731 A1), and further in view of Teddy et al. (US 2014/0283065 A1, Teddy hereinafter).
For claim 1, Viljoen teaches a method for determining a trust level of a file (Abstract), the method comprising: selecting file names which are stable (para 0020, 0033 – selecting filenames attribute of stable or stored filenames that may be in the catalog or package); 
generating at least one group of files from at least two files of the selected file names, the at least two files being components of a same application (para 0020, 0024, 0031 – (plurality of) files in a software package or an application package corresponding to an application); 
searching for a presence of a dominant developer such that a digital signature of the dominant developer exists for at least one file of the group of files that is generated (para 0032-0034 – determining vendor of the files digitally signed by the vendor (dominant developer or provider of the files), wherein the signature can be verified as a provider-trusted, and signed by the provider/vendor); 
when a dominant developer is found, determining a trust level for all files of the group in accordance with verdicts associated with the dominant developer (para 0030, 0032-0034 - identify the vendor of the files and cross-reference the vendor against of list of known vendors and corresponding levels of trust, wherein the trustworthiness of the files also depend on vendors indicated as trustworthy sources themselves); and 
when the dominant developer is not found, determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group (para 0020, 0025, 0034 – the files in the package may be assigned “provided-trusted” trust level based on the digital signature of the provider/vendor, implying that if the digital signature can’t be verified or the vendor/dominant developer cannot be verified, then other means or services such as hygiene ratings of the outside clients, or the backend utilizing other external information to determine trustworthiness, may be used).
Although it is well-known in the art that a private key may be used to encrypt a file, leading to creation of corresponding digital signature, also implying that in case of vendor-associated digital signature of the file, the signature is created using a private key of the vendor used to sign the file, however, Viljoen does not explicitly disclose but Sobel discloses private key of the dominant developer (publisher) has been used to sign at least one file (para 0028-0030 – private key used to sign and create the digital signature).
Furthermore, although it would be obvious to implement or extend the system into cloud infrastructure for achieving efficiency offered by well-known cloud-based structures,  Viljoen and Sobel do not appear to explicitly teach, however Teddy teaches wherein the outside services including any number of servers of a cloud infrastructure with which a computing device is communicatively coupled (Fig. 4; para 0028, 0071-0074, 0126 – example of outside service (client) to determine trust level based on maliciousness determination, wherein the protection system comprises various components communicatively coupled in the architecture).
Therefore, based on Viljoen in view of Sobel and Teddy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sobel and Teddy, in the system of Viljoen, in order to utilize well-known method of signature creation using the entity’s private key, and utilizing systems hosted across various commonly implemented network infrastructures, thereby ensuring  ownership-based trust correlation, security and trustworthiness of the data and the associated system, along with achieving system extensibility and secure scalability.

For claim 2, Viljoen in view of Sobel and Teddy teaches the claimed subject matter as discussed above. Viljoen further discloses wherein the trust levels are determined in accordance with verdicts associated with the dominant developer based on: verdicts of outside services which have been assigned to the files of the group (para 0020, 0025, 0034 – the files in the package may be assigned “provided-trusted” trust level based on the digital signature of the provider/vendor, wherein other means or services such as information from publishers related to the prevalence, hygiene ratings of the outside clients, or the backend utilizing other external information to determine trustworthiness may be used in combination with the vendor/signature verification associated with the dominant developer).

For claim 3, Viljoen in view of Sobel and Teddy teaches the claimed subject matter as discussed above. Viljoen further discloses wherein the trust levels are determined in accordance with verdicts associated with the dominant developer based on: verdicts of outside services which have been assigned to at least one file on a computing device of a user and a digital signature of the dominant developer exists for the at least one file (para 0032-0034 – determining vendor of the files digitally signed by the vendor (dominant developer or provider of the files), wherein the signature can be verified as a provider-trusted, and signed by the provider/vendor).  
Although it is well-known in the art that a private key may be used to encrypt a file, leading to creation of corresponding digital signature, also implying that in case of vendor-associated digital signature of the file, the signature is created using a private key of the vendor used to sign the file, however, Viljoen does not explicitly disclose but Sobel discloses private key of the dominant developer (publisher) has been used to sign at least one file (para 0028-0030 – private key used to sign and create the digital signature), and wherein the trust levels are determined in accordance with verdicts associated with the dominant developer based on: verdicts of outside services which have been assigned to at least one file on a computing device of a user which does not belong to the group (para 0005, 0011, 0031-0033, 0039, 0042 – wherein the other application(s) are signed by the reputed publisher/dominant developer, each application being another group of files of user(s) such that reputations are utilized in trustworthiness determination in that the existing signatures/reputations are leveraged upon in making new determination for unknown group of files).
based on Viljoen in view of Sobel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Sobel in the system of Viljoen, in order to utilize well-known method of signature creation using the entity’s private key in addition to utilizing trustworthiness nature of a publisher and existing trust information in the system, thereby ensuring the operational efficiency and ownership-based trust correlation, as well as ensuring the security and trustworthiness of the data and the system.

For claim 4, Viljoen in view of Sobel and Teddy teaches the claimed subject matter as discussed above. Viljoen further discloses wherein the trust levels are determined in accordance with verdicts associated with the dominant developer based on: verdicts of outside services that have been assigned to files of another group of the dominant developer, the files of the another group having a run frequency among users that is greater than a predetermined threshold for a run frequency (para 0025-0026 – threshold prevalence based on number of requests (frequency of running of commands for trust level determination).

For claim 5, Viljoen in view of Sobel and Teddy teaches the claimed subject matter as discussed above. Viljoen further discloses wherein the outside services further comprise at least one protection system of at least one computing device on which the files are stored (Fig. 1, 3; para 0020, 0025, 0034 – the files in the package may be assigned “provided-trusted” trust level based on the digital signature of the provider/vendor, wherein other means or services such as information from publishers related to the prevalence, hygiene ratings of the outside clients, or the backend utilizing other external information to determine trustworthiness may be used as outside service on a protected system).

For claim 6, Viljoen in view of Sobel and Teddy teaches the claimed subject matter as discussed above. Viljoen further discloses wherein the cloud infrastructure aggregates and stores data received from all of the computing devices (para 0021, 0034).  Viljoen in view of Sobel does not appear to explicitly teach, however Teddy teaches wherein data is collected by a protection system of a given computing device based on confidentiality settings selected by a user of the given computing device (para 0048-0049, 0063, 0081, 0086 – user permission and preferences act as settings or directive to storage of file-related and other identification data).

For claims 8-13, the claims are drawn to a system for determining a trust level of a file, comprising: at least one processor (Viljoen – Fig. 1, 3; para 0018-0019) configured to perform the method steps of claims 1-6 respectively. As the claim limitations are otherwise similar to those of claims 1-6 respectively, the instant claims 8-13 are rejected according to claims 1-6 respectively, as above.

For claims 15-20, the claims are drawn to a non-transitory computer readable medium storing thereon computer executable instructions for determining a trust level of a file (Viljoen – Fig. 1, 3; para 0018-0019), including instructions for performing the method steps of claims 1-6 respectively. As the claim limitations are otherwise similar to those of claims 1-6 respectively, the instant claims 15-20 are rejected according to claims 1-6 respectively, as above.

Allowable Subject Matter
Claims 7, 14 and 21 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the respective base claims and any intervening claims.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433