DETAILED ACTION
This action is responsive to the amendment filed on 08/16/2021.  Claim 1 is cancelled. Claims 2-21 are pending and being considered. Claims 2, 16 and 19 are independent. Claims 2, 4-5, 8, 16 and 18-19 are amended. Thus, claims 2-21 are rejected.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/16/2021 was filed on or after the mailing date of the application no.16/563,207 on 09/06/2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner and an initialed and dated copy of Applicant’s IDS forms 1449 filed on 08/16/2021 is attached to the instant office action.

Response to Claim Objection(s)
In response to claim amendments, filed on 08/16/2021, the claim objections has been waived and/or withdrawn.

Response to Objection(s) to the Specification
In response to the specification objection(s), on page 12 of arguments/remarks, the applicant refers the examiner to the application as published as US 2020/0210624, 

Response to Interpretation under 35 U.S.C. 112(f)
In response to the applicant’s arguments/remarks, filed on 08/16/2021, the claim interpretation under 35 U.S.C. 112(f) has been waived and/or withdrawn.

Response to Rejection(s) under 35 U.S.C. 103
	Applicant’s arguments/remarks, filed on 08/16/2021, have been fully considered but they are not persuasive. 
Applicant’s argument:
Regarding independent claims 2, 16 and 19: Applicant argues/remarks that the cited reference Solodovnikov et al. (US 2016/0359842 A1), hereinafter (Solo) and Iwanir et al. (US 20180034835 A1), hereinafter (Iwanir) has failed to teach the limitation(s) “a check tool configured to: detect an attack on the user computing device against at least one system tool for verifying digital signatures of files” in the independent claims 2, 16 and 19. The examiner acknowledges the applicant’s prospective but respectfully disagrees due to explanation and reason(s) provided in examiner’s response.
Examiner’s response:
In response to the applicant's arguments/remarks that the cited prior art ‘Solo in view of Iwanir’ has failed to teach/suggest the limitation “a check tool configured to: detect an attack ” of the independent claims 2, 16 and 19. The and as further disclosed in Para. [0027], in one example aspect, the system 100 may also include a server 120, which is connected via a private or public network to the user computer 110. The server 120 includes a verification module 103, connected to the application 101, and designed to obtain an end certificate from the application 101 upon performing a verification of the certificate. The end certificate may be the public key certificate of the software manufacturer whose digital signature was used to sign the file 102. A module of assigning a level of trust 104 is connected to the verification module 103 and serves to determine the level of trust for certificates with the help of a database of trusted certificates 105. The level of trust as used herein refers to a parameter (such as an integer) determining the validity of the certificate, and it is used for the antivirus Herein, the application 101 of the user computer 110 and verification module 103 of the server 120 represents the check tool(s) to detect the malicious files (stored/downloaded on the user computer 110) by verifying the certificates included in the digital signatures of the files.
Thus, Solo teaches to detect malicious files on the user computer 110 by verifying digital signatures of the files against server 120 of the system 100 as mentioned above, however Solo fails to explicitly disclose but Iwanir clearly teaches to detect an attack on the user computing device against at least one system tool for verifying digital signatures of files (Iwanir, Abstract and/or Para. [0037], discloses a system for detecting by a cloud service a ransomware attack on a client device based on detected changes to the files that appears to be malicious, and as disclosed in Para. [0024], e.g., by running a scan of files based on known signatures of ransomware);
Wherein Solo and Iwanir are analogous arts and are in the same field of endeavor as they both pertain and directed to check/detect changes in the files that appears to be malicious.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect an attack on the user’s computing device, as taught by Iwanir, in order to detect and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].
Therefore, Examiner suggests to further amend the independent claims 2, 16 and 19 to overcome the claim rejections under 35 U.S.C. 103.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 2-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Regarding claim 2, the claim recites limitation(s) "cause the computing platform” in lines 6-7 of the claim, which has not been previously defined. Therefore, there is insufficient antecedent basis for this limitation. 
Regarding claim 4, the claim recites limitation(s) "when executed on the computing platform, cause the computing platform” in lines 4-5 of the claim, which has not been previously defined. Therefore, there is insufficient antecedent basis for this limitation. 
Dependent claims 3, 5-15 are likewise rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, since they depend on and/or carries the deficiencies of the parent claim(s).


Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-11 and 14- 20 are rejected under 35 U.S.C. 103 as being unpatentable over Solodovnikov; Andrey Y. et al. (US 2016/0359842 A1), hereinafter (Solo), in view of Iwanir; Elad et al. (US 20180034835 A1), hereinafter (Iwanir).

Regarding claim 1, (Cancelled).  

Regarding claim 2, Solo teaches a system for responding to attack on a user computing device, the system comprising (Solo, Para. [0023] and Fig. 1, shows an example system for antivirus checking of files. Wherein the system 100 includes a user computer 110 with installed application 101): a data transfer device including (Solo, Fig. 1 and Para. [0027], discloses that the system 100 may also include a server 120): 
computing hardware of at least one processor and memory operably coupled to the at least one processor; and instructions that, when executed on the computing hardware, cause the computing platform to implement (Solo, See Para. [0005 and 0069-0070]): 
a check tool configured to (Solo, Fig. 1, discloses a verification module 103): detect an attack Solo, Para. [0023-0027] clearly discloses a general diagram of an example system for antivirus checking of files (on user computer 110) based on level of trust of their digital certificates. The system 100 includes a user computer 110 with installed application 101 […]. In one example aspect, the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and/or other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the file’s digital signatures. The certificate may be deemed valid if one or more of the following conditions are met: [0024] the digital signature of the certification authority (CA)s correct; [0025] the validity period of the certificate has not expired at the present moment; and [0026] the certificate has not been revoked, and as further disclosed in Para. [0027], in one example aspect, the system 100 may also include a server 120, which is connected via a private or public network to the user computer 110. The server 120 includes a verification module 103, connected to the application 101, and designed to obtain an end certificate from the application 101 upon performing a verification of the certificate. The end certificate may be the public key certificate of the software manufacturer whose digital signature was used to sign the file 102. A module of assigning a level of trust 104 is connected to the verification module 103 and serves to determine the level of trust for certificates with the help of a database of trusted certificates 105. The level of trust as used herein refers to a parameter (such as an integer) determining the validity of the certificate, and it is used for the antivirus checking of file 102 (stored or downloaded on the computer 110, as shown in Fig. 1). Herein, the application 101 of the user computer 110 and verification module 103 of the server 120 represents the check tool(s) to detect the malicious files (stored/downloaded on the user computer 110) by verifying the certificates included in the digital signatures of the files), 
obtain at least one file, the at least one file to be analyzed by the at least one system tool for verifying digital signatures of files (Solo, Para. [0023], discloses that the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the files’ digital signatures), the at least one file including a digital signature, the digital signature including a DS certificate (Solo, Para. [0005], discloses to obtaining a digital certificate of a digital signature of the file, and/or see also Para. [0027], discloses the public key certificate of the software manufacturer whose digital signature was used to sign the file 102), 
determine whether the DS certificate is valid (Solo, Para. [0035], when an unknown file 102 is executed on the computer 110, the application 101 may send an identifier of the certificate and the file (e.g., the hash sum of the file) to the server 120 for validation […]. The verification module 103 may use the received identifiers to verify using the database 105 validity of the associated certificates), 
determine whether the digital signature is valid (Solo, Para. [0046], discloses that the checking of the digital signature can be done by deciphering it with the public key contained in the public key certificate of the given digital signature and then comparing the resulting value of the hash function of the file with the calculated value of the hash function of the file), and 
if the DS certificate is valid, determine the DS certificate is trusted (Solo, Para. [0007 or 0047], discloses that a medium level of trust may be assigned to valid certificates).  
Solo teaches to detect malicious files on the user computer 110 by verifying digital signatures of the files against server 120 of the system 100, however Solo fails to explicitly disclose but Iwanir teaches to detect an attack on the user computing device against at least one system tool for verifying digital signatures of files (Iwanir, Para. [0037], discloses a system for detecting by a cloud service a ransomware attack on a client device based on detected changes to the files that appears to be malicious, and as disclosed in Para. [0024], e.g., by running a scan of files based on known signatures of ransomware);
Solo and Iwanir are analogous arts and are in the same field of endeavor as they both pertain and directed to check/detect changes in the files that appears to be malicious.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect an attack on the user computing device, as taught by Iwanir, in order to detect and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].

Regarding claim 3, Solo as modified by Iwanir teaches the system of claim 2, wherein Solo further teaches the check tool is further configured to (Solo, Fig. 1, depicts verification module 103): search a files database for an ID of the at least one file (Solo, Fig. 1 and Para. [0033], discloses a database of malicious files 106 that contains, for each known malicious file, its hash sum, the public key certificate of the digital signature and its identifier, the status of the malicious file (for example, virus, root kit, worm, Trojan horse), the initial file, and other type of information that may be used for file identification);  4Attorney Docket No. 4222.76US01 
determine whether the at least one file is trusted or non-trusted based on the search of the files database, and when the at least one file is not determined to be trusted or determined to be non-trusted based on the search of the files database, determining the DS certificate is valid, determining the digital signature is valid, and if the DS certificate is valid, determining the DS certificate is trusted (Solo, para. [047], discloses to obtain a list of malicious files and their certificates from the database of malicious files 106, in order to determine the different levels of trust to the certificates of unknown files received from the user computers 110. For example, a medium level of trust may be assigned to valid certificates whose identifiers have been received from the users. In step 240, a low level of trust may be assigned to the remaining invalid certificates whose identifiers have been received from the users. For example, a low level of trust may be assigned to certificates of the digital signature used to sign malicious files, and as further disclosed in Para. [0007], performing signature matching of the file having a digital certificated with a medium level of trust; and assigning a medium level of trust to valid digital certificate).
  
Regarding claim 4, Solo as modified by Iwanir teaches the system of claim 3, wherein Solo further teaches the check tool is further configured to categorize the at least one file as non-trusted when the digital signature is invalid or the DS certificate is invalid or non-trusted (Solo, Para. [0054], discloses that if an intermediate certificate is contained in the database 105 and it has a low level of trust, the end certificate will likewise be assigned a low level of trust. This step lets one determine a malicious file when one of the intermediate certificates of the certificate chain has a low level of trust, even if for some reason (for example, the intermediate certificate was revoked due to compromising of the CA, while the parent CAs have not been compromised) the other certificates of the certificate chain have a medium or high level of trust), and 
wherein the data transfer device further includes instructions that, when executed on the computing platform, cause the computing platform to implement (Solo, Fig. 6 and Para. [0021], discloses a general-purposes computer system, such as a personal computer or a server, suitable for implementing the disclosed aspects of systems and methods by executing one or more instructions (see Para. [0069-0070])) a security assurance tool configured to restrict access to the user computing device to the at least one file when the at least one file is categorized as non-trusted by the check tool (Solo, Para. [0006], discloses for assigning a low level of trust to an invalid digital certificate or digital certificate of a known malicious file; […] and blocking of execution of the file having a digital certificated with a low level of trust).  

Regarding claim 5, Solo as modified by Iwanir teaches the system of claim 2, wherein solo further teaches further comprising: 
a certificate database configured to store a plurality of certificates (Solo, Fig. 1 and Para. [0027], discloses a database of trusted certificates 105); and 
a trusted certificate database configured to store trusted certificate data, wherein the DS certificate includes issuing center data and DS certificate data (Solo, Para. [0029], discloses a database 105 with the certificates of files 102 and appropriate levels of trust to the certificates […]. A high level of trust may be assigned to certificates whose certification authority is contained on the list of trusted certification authorities, and as disclosed in Para. [0035-0036], obtaining an identifier of the corresponding certificate and use the obtained identifiers to verify using the database 105 validity of the associated certificates), and 
wherein the check tool is further configured to (Solo, Fig. 1, depicts a verification module 103):  
Attorney Docket No. 4222.76US01determine whether the DS certificate is valid by checking that the DS certificate has a required certificate integrity and by validating the issuing center data with the plurality of certificates (Solo, Para. [0037], discloses that, in step 220, the verification module 103 may check validity of the selected certificates. A certificate may be found valid when one or more of the following conditions is met: [0038] the digital signature of the certification authority is correct; [0039] the validity period of the certificate has not expired at the present moment; [0040] the certificate has not been revoked), 
Determine whether the digital signature is valid by checking that the at least one file has a required file integrity and the DS certificate is valid (Solo, Para. [0046], discloses that the checking of the digital signature can be done by deciphering it with the public key contained in the public key certificate of the given digital signature and then comparing the resulting value of the hash function of the file with the calculated value of the hash function of the file), and 
if the DS certificate is valid, determine the DS certificate is trusted by finding the trusted certificate data related to the DS certificate data (Solo, Para. [0047], discloses that, in step 250, a high level of trust may be assigned to certificates whose certification authority is contained on the list of trusted certification authorities. In one example aspect, the trusted certification authorities can be the CAs of the largest software producers).  

Regarding claim 6, Solo as modified by Iwanir teaches the system of claim 4, wherein Solo further teaches the security assurance tool is configured to restrict access to the user computing device to the file by at least one of: prohibiting transfer of the at least one file to the user computing device, prohibiting execution of the at least one file on the user computing device, prohibiting opening of the at least one file on the user computing device, deleting the at least one file, or quarantining the at least one file (Solo, Para. [0006], discloses for assigning a low level of trust to an invalid digital certificate or digital certificate of a known malicious file; […] and blocking of execution of the file having a digital certificated with a low level of trust).  

Regarding claim 7, Solo as modified by Iwanir teaches the system of claim 5, wherein Solo further teaches checking that the at least one file has the required file integrity includes: obtaining a decrypted digital signature checksum from the digital signature; obtaining a checksum algorithm from the DS certificate; calculating a file checksum of the at least one file using the checksum algorithm; 6Attorney Docket No. 4222.76US01comparing the digital signature checksum with the file checksum using a public key in the DS certificate; and if the digital signature checksum matches the file checksum, determining that the at least one file has the required file integrity (Solo, Para. [0046], discloses that the checking of the digital signature can be done by deciphering it with the public key contained in the public key certificate of the given digital signature and then comparing the resulting value of the hash function of the file with the calculated value of the hash function of the file, and as further disclosed in Para. [0035], when an unknown file 102 is executed on the computer 110, the application 101 may send an identifier (the hash sum from the public key of the certificate, see Para. [0027]) of the certificate and the file (e.g., the hash sum of the file) to the server 120 for validation. Wherein the verification module 103 may use the received identifiers to verify validity of the certificates associated with files, and as further disclosed in Para. [0029], that a medium level of trust may be assigned to the verified valid certificates whose identifiers have been received and validated). 
 
Regarding claim 8, Solo as modified by Iwanir teaches the system of claim 5, wherein validating the issuing center data includes: building a chain of certificates from the plurality of certificates; checking that each of the plurality of certificates in the chain of certificates has a required certificate integrity (Solo, Para. [0009], discloses to determine validity of the digital certificate may includes: constructing a certificate chain associated with the certificate of the file; and validating each certificate in the chain, and/or see also Para. [0030], discloses that the verification module 103 is configured to form the certificate chain from the end certificate to the root certificate. The certificate chain consists of the set of certificates […]. Usually the certificate chain contains an end certificate, a set of intermediate certificates, and a root certificate); 
checking that one of the plurality of certificates in the chain of certificates is related to the issuing center data (Solo, Para. [0030], discloses that the verification module 103 serves to determine one of: [0031] a first certificate of the certificate chain that is contained in the database 105, and/or see also Para. [0044], discloses to determine that one of the certificates of the certificate chain was issued by a CA that was certified by the CA of the certificate being checked); 
checking that a root certificate is the last certificate in the chain of certificates (Solo, Para. [0030], discloses that the certificate chain contains an end certificate, a set of intermediate certificates, and a root certificate--the certificate of a root certification authority trusted by all parties in the certificate chain); and 
if each of the plurality of certificates in the chain of certificates has the required certificate integrity, one of the plurality of certificates in the chain of certificates is related to the issuing center data, and the root certificate is the last certificate in the chain of certificates, determining that the issuing center data is valid (Solo, Para. [0050], discloses that the verification module 103 constructs the certificate chain from the end certificate to the root certificate. Using the database 105, the certificate can be uniquely defined from its identifier. The construction of the certificate chain is done using method known to those of ordinary skill in the art of computer security. For example, for the end certificate, the first CA which issued the certificate is determined. For the certificate of the first CA, the second CA having issued the certificate of the first CA is determined, and so on, until the root CA is determined).  

Regarding claim 9, Solo as modified by Iwanir teaches the system of claim 5, wherein Solo further teaches finding the trusted certificate data related to the DS certificate data includes: identifying the DS certificate data in the trusted certificate data, wherein the DS certificate data includes at least one of the DS certificate, an ID of the DS certificate, or a vector of values identifying the DS certificate (Solo, Para. [0027], discloses that a module of assigning a level of trust 104 is connected to the verification module 103 and serves to determine the level of trust for certificates with the help of a database of trusted certificates 105. The level of trust as used herein refers to a parameter (such as an integer) determining the validity of the certificate, and it is used for the antivirus checking of file 102. The database 105 is connected to the module of assigning the level of trust 104, and it contains certificates, as well as their corresponding levels of trust and identifiers which can be used to uniquely determine each certificate); or  Attorney Docket No. 4222.76US01 
identifying a certifying center certificate from a certifying center that issued the DS certificate in the trusted certificate data (Solo, Para. [0044], discloses that one of the certificates of the certificate chain was issued by a CA that was certified by the CA of the certificate being checked).  

Regarding claim 10, Solo as modified by Iwanir teaches the system of claim 9, wherein Solo further teaches the certificate database is further configured to store revocation data about the plurality of certificates and wherein determining the DS certificate is trusted further comprises (Solo, Para. [0027], discloses that the database 105 is connected to the module of assigning the level of trust 104, and it contains certificates, as well as their corresponding levels of trust and identifiers which can be used to uniquely determine each certificate): comparing the DS certificate to the revocation data to determine the DS certificate has not expired (Solo, Para. [0011 or 0023 or 0037], discloses to determine whether a digital certificate is valid when one or more of the following conditions is met: the digital signature of the certification authority is correct; the validity period of the certificate has not expired at the present moment; and the certificate has not been revoked.). 
 
Regarding claim 11, Solo as modified by Iwanir teaches the system of claim 2, wherein Solo further teaches the at least one system tool for verifying digital signatures of files includes a Wintrust.dll library, a Keychain software component, or a GateKeeper software component (Solo, Fig. 1, depicts a module of assigning level of trust 104).

Regarding claim 14, Solo as modified by Iwanir teaches the system of claim 4, wherein Solo fails to explicitly disclose but Iwanir further teaches the security assurance tool is further configured to: determine a timeframe that the attack occurred; determine a suspicious set of files based on the timeframe (Iwanir, Para. [0035], discloses that, in block 801, the notify user component of the system sends a notification to the user that identifies the files and includes additional information such as a characterization of the changes, the time of the changes, and so forth); and invoke the check tool to categorize the suspicious set of files (Iwanir, Para. [0035], discloses to confirm the changes in the identified files and when it is confirmed that the changes to the identified files are unauthorized, then in block 804, the notify user component logs a ransomware attack as a positive sample of training data and completes, indicating that ransomware or a malicious change (e.g., changes to the identified files) has been confirmed as unauthorized). 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect unauthorized changes to the files on the client device and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].
 
Regarding claim 15, Solo as modified by Iwanir teaches the system of claim 14, wherein Solo further teaches invoking the check tool to categorize the suspicious set of files includes sending the suspicious set of files to a remote server for analysis (Solo, Para. [0035], discloses that if a certificate for the received identifier was not found in the database 105 the verification module 103 can request the unknown file 102 from the application 101. Alternatively, the verification module 103 can obtain the unknown file 102 directly from the software producer).  

Regarding claim 16, Solo teaches a method for responding to attack on a user computing device, the method comprising (Solo, Para. [0005], discloses systems, methods and computer program products for antivirus checking of files, and as depicted in Fig. 1, a user computer 110 with installed application 101): 
detecting an attack Solo, Para. [0023-0027] clearly discloses a general diagram of an example system for antivirus checking of files (on user computer 110) based on level of trust of their digital certificates. The system 100 includes a user computer 110 with installed application 101 […]. In one example aspect, the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and/or other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the file’s digital signatures. The certificate may be deemed valid if one or more of the following conditions are met: [0024] the digital signature of the certification authority (CA)s correct; [0025] the validity period of the certificate has not expired at the present moment; and [0026] the certificate has not been revoked, and as further disclosed in Para. [0027], in one example aspect, the system 100 may also include a server 120, which is connected via a private or public network to the user computer 110. The server 120 includes a verification module 103, connected to the application 101, and designed to obtain an end certificate from the application 101 upon performing a verification of the certificate. The end certificate may be the public key certificate of the software manufacturer whose digital signature was used to sign the file 102. A module of assigning a level of trust 104 is connected to the verification module 103 and serves to determine the level of trust for certificates with the help of a database of trusted certificates 105. The level of trust as used herein refers to a parameter (such as an integer) determining the validity of the certificate, and it is used for the antivirus checking of file 102 (stored or downloaded on the computer 110, as shown in Fig. 1). Herein, the application 101 of the user computer 110 and verification module 103 of the server 120 represents the check tool(s) to detect the malicious files (stored/downloaded on the user computer 110) by verifying the certificates included in the digital signatures of the files); 
obtaining at least one file, the at least one file to be analyzed by the at least one system tool for verifying digital signatures of files (Solo, Para. [0023], discloses that the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the files’ digital signatures), the at least one file including a digital signature, the digital signature including a DS certificate (Solo, Para. [0005], discloses to obtaining a digital certificate of a digital signature of the file, and/or see also Para. [0027], discloses the public key certificate of the software manufacturer whose digital signature was used to sign the file 102); 
determining whether the DS certificate is valid (Solo, Para. [0035], when an unknown file 102 is executed on the computer 110, the application 101 may send an identifier of the certificate and the file (e.g., the hash sum of the file) to the server 120 for validation […]. The verification module 103 may use the received identifiers to verify using the database 105 validity of the associated certificates); 
determining whether the digital signature is valid (Solo, Para. [0046], discloses that the checking of the digital signature can be done by deciphering it with the public key contained in the public key certificate of the given digital signature and then comparing the resulting value of the hash function of the file with the calculated value of the hash function of the file); and 
if the DS certificate is valid, determining the DS certificate is trusted (Solo, Para. [0007 or 0047], discloses that a medium level of trust may be assigned to valid certificates).  
Solo teaches to detect malicious files on the user computer 110 by verifying digital signatures of the files against server 120 of the system 100 as mentioned above, however Solo fails to explicitly disclose but Iwanir teaches to detect an attack on the user computing device against at least one system tool for verifying digital signatures of files (Iwanir, Para. [0037], discloses a system for detecting by a cloud service a ransomware attack on a client device based on detected changes to the files that appears to be malicious, and as disclosed in Para. [0024], e.g., by running a scan of files based on known signatures of ransomware);
Solo and Iwanir are analogous arts and are in the same field of endeavor as they both pertain and directed to check/detect changes in the files that appears to be malicious.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect an attack on the user computing device, as taught by Iwanir, in order to detect and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].

Regarding claim 17, Solo as modified by Iwanir teaches the method of claim 16, Wherein Solo further teaches further comprising: searching a files database for an ID of the at least one file (Solo, Fig. 1 and Para. [0033], discloses a database of malicious files 106 that contains, for each known malicious file, its hash sum, the public key certificate of the digital signature and its identifier, the status of the malicious file (for example, virus, root kit, worm, Trojan horse), the initial file, and other type of information that may be used for file identification),  Attorney Docket No. 4222.76US01 
determining whether the at least one file is trusted or non-trusted based on the search of the files database, and when the at least one file is not determined to be trusted or determined to be non-trusted based on the search of the files database, determining the DS certificate is valid, determining the digital signature is valid, and if the DS certificate is valid, determining the DS certificate is trusted (Solo, para. [047], discloses to obtain a list of malicious files and their certificates from the database of malicious files 106, in order to determine the different levels of trust to the certificates of unknown files received from the user computers 110. For example, a medium level of trust may be assigned to valid certificates whose identifiers have been received from the users. In step 240, a low level of trust may be assigned to the remaining invalid certificates whose identifiers have been received from the users. For example, a low level of trust may be assigned to certificates of the digital signature used to sign malicious files, and as further disclosed in Para. [0007], performing signature matching of the file having a digital certificated with a medium level of trust; and assigning a medium level of trust to valid digital certificate). 

Regarding claim 18, Solo as modified by Iwanir teaches the method of claim 17, wherein Solo further teaches further comprising: categorizing the at least one file as non-trusted when the digital signature is invalid or the DS certificate is invalid or non-trusted (Solo, Para. [0054], discloses that if an intermediate certificate is contained in the database 105 and it has a low level of trust, the end certificate will likewise be assigned a low level of trust. This step lets one determine a malicious file when one of the intermediate certificates of the certificate chain has a low level of trust, even if for some reason (for example, the intermediate certificate was revoked due to compromising of the CA, while the parent CAs have not been compromised) the other certificates of the certificate chain have a medium or high level of trust); and 
restricting access to the user computing device to the at least one file when the at least one file is categorized as non-trusted (Solo, Para. [0006], discloses for assigning a low level of trust to an invalid digital certificate or digital certificate of a known malicious file; […] and blocking of execution of the file having a digital certificated with a low level of trust).  

Regarding claim 19, Solo teaches a computing device comprising: at least one processor and memory operably coupled to the at least one processor; and instructions that, when executed on the processor, cause the processor to implement (Solo, See Fig. 6 and Para. [0005 and 0069-0070]): 
a check tool configured to (Solo, Fig. 1, discloses a verification module 103): detect an attack Solo, Para. [0023-0027] clearly discloses a general diagram of an example system for antivirus checking of files (on user computer 110) based on level of trust of their digital certificates. The system 100 includes a user computer 110 with installed application 101 […]. In one example aspect, the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and/or other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the file’s digital signatures. The certificate may be deemed valid if one or more of the following conditions are met: [0024] the digital signature of the certification authority (CA)s correct; [0025] the validity period of the certificate has not expired at the present moment; and [0026] the certificate has not been revoked, and as further disclosed in Para. [0027], in one example aspect, the system 100 may also include a server 120, which is connected via a private or public network to the user computer 110. The server 120 includes a verification module 103, connected to the application 101, and designed to obtain an end certificate from the application 101 upon performing a verification of the certificate. The end certificate may be the public key certificate of the software manufacturer whose digital signature was used to sign the file 102. A module of assigning a level of trust 104 is connected to the verification module 103 and serves to determine the level of trust for certificates with the help of a database of trusted certificates 105. The level of trust as used herein refers to a parameter (such as an integer) determining the validity of the certificate, and it is used for the antivirus checking of file 102 (stored or downloaded on the computer 110, as shown in Fig. 1). Herein, the application 101 of the user computer 110 and verification module 103 of the server 120 represents the check tool(s) to detect the malicious files (stored/downloaded on the user computer 110) by verifying the certificates included in the digital signatures of the files), 
obtain at least one file, the at least one file to be analyzed by the at least one system tool for verifying digital signatures of files (Solo, Para. [0023], discloses that the application 101 may be an antivirus program configured to perform antivirus checking of files 102 stored or downloaded on the computer 110 using, for example, signature matching, emulation, heuristic analysis and other known malware detection techniques. In one example aspect, the antivirus application 101 may also check the validity of the public key certificate of the files’ digital signatures), the at least one file including a digital signature, the digital signature including a DS certificate (Solo, Para. [0005], discloses to obtaining a digital certificate of a digital signature of the file, and/or see also Para. [0027], discloses the public key certificate of the software manufacturer whose digital signature was used to sign the file 102), 10Attorney Docket No. 4222.76US01 
determine whether the DS certificate is valid (Solo, Para. [0035], when an unknown file 102 is executed on the computer 110, the application 101 may send an identifier of the certificate and the file (e.g., the hash sum of the file) to the server 120 for validation […]. The verification module 103 may use the received identifiers to verify using the database 105 validity of the associated certificates), 
determine whether the digital signature is valid (Solo, Para. [0046], discloses that the checking of the digital signature can be done by deciphering it with the public key contained in the public key certificate of the given digital signature and then comparing the resulting value of the hash function of the file with the calculated value of the hash function of the file), 
if the DS certificate is valid, determine the DS certificate is trusted (Solo, Para. [0007 or 0047], discloses that a medium level of trust may be assigned to valid certificates), and 
categorize the at least one file as non-trusted when the digital signature is invalid or the DS certificate is invalid or non-trusted (Solo, Para. [0054], discloses that if an intermediate certificate is contained in the database 105 and it has a low level of trust, the end certificate will likewise be assigned a low level of trust. This step lets one determine a malicious file when one of the intermediate certificates of the certificate chain has a low level of trust, even if for some reason (for example, the intermediate certificate was revoked due to compromising of the CA, while the parent CAs have not been compromised) the other certificates of the certificate chain have a medium or high level of trust); and 
a security assurance tool configured to: restrict access to the user computing device to the at least one file when the at least one file is categorized as non-trusted by the check tool (Solo, Para. [0006], discloses for assigning a low level of trust to an invalid digital certificate or digital certificate of a known malicious file; […] and blocking of execution of the file having a digital certificated with a low level of trust).  
Solo teaches to detect malicious files on the user computer 110 by verifying digital signatures of the files against server 120 of the system 100, however Solo fails to explicitly disclose but Iwanir teaches to detect an attack on the user computing device against at least one system tool for verifying digital signatures of files (Iwanir, Para. [0037], discloses a system for detecting by a cloud service a ransomware attack on a client device based on detected changes to the files that appears to be malicious, and as disclosed in Para. [0024], e.g., by running a scan of files based on known signatures of ransomware);
Solo and Iwanir are analogous arts and are in the same field of endeavor as they both pertain and directed to check/detect changes in the files that appears to be malicious.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect an attack on the user computing device, as taught by Iwanir, in order to detect and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].

Regarding claim 20, Solo as modified Iwanir teaches the computing device of claim 19, wherein the security assurance tool is further configured to: determine a timeframe that the attack occurred; determine a suspicious set of files based on the timeframe (Iwanir, Para. [0035], discloses that, in block 801, the notify user component of the system sends a notification to the user that identifies the files and includes additional information such as a characterization of the changes, the time of the changes, and so forth); and invoke the check tool to categorize the suspicious set of files (Iwanir, Para. [0035], discloses to confirm the changes in the identified files and when it is confirmed that the changes to the identified files are unauthorized, then in block 804, the notify user component logs a ransomware attack as a positive sample of training data and completes, indicating that ransomware or a malicious change (e.g., changes to the identified files) has been confirmed as unauthorized).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect unauthorized changes to the files on the client device and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Solodovnikov; Andrey Y. et al. (US 2016/0359842 A1), hereinafter (Solo), in view of Iwanir; Elad et al. (US 2018/0034835 A1), hereinafter (Iwanir), and further in view of Mathew Hicks (NPL: Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically; 2010 IEEE), hereinafter (Hicks).

Regarding claim 12, Solo as modified by Iwanir teaches the system of claim 2, wherein Solo further teaches the check tool is further configured to (Solo, Fig. 1 depicts a verification module 103) 
However Solo fails to explicitly disclose but Iwanir further teaches detect the attack on the user computing device against the at least one system tool Iwanir, Para. [0037], discloses to detect, by a cloud service, a ransomware attack on a client device).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Iwanir’ into the teachings of ‘Solo’, with a motivation to detect an attack on the user computing device, as taught by Iwanir, in order to detect and prevent the propagating of files from the client device, which is undergoing a ransomware attack; Iwanir, Para. [0007].
However Solo as modified by Iwanir fails to explicitly disclose but Hicks teaches to detect the attack on the user computing device against the at least one system tool by identifying a modification or a replacement of the at least one system tool or a component used by the at least one system tool (Hicks, pdf page 9 (right column, first paragraph), discloses that an attacker can compromise the system (or can compromise the security of the entire computing system, see pdf page 1 (Introduction)), for example, by modifying the memory of the targeted system, and as disclosed on pdf page 5 (5. Detecting Suspicious Circuits), a detection algorithm for identifying suspicious circuits automatically within a hardware (e.g., modified memory of the targeted system)).  
Solo, Iwanir and Hicks are analogous arts and are in the same field of endeavor as they all pertain and directed to detect changes/attacks in the systems.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Hicks’ into the teachings of ‘Solo’ as modified by ‘Iwanir’, with a motivation to identify a modification or a replacement of the at least one system tool or a component used by the at least one system tool, as taught by Hicks, in order to detect and prevent all hardware attacks in the computer systems; Hicks, pdf page 1 (Abstract).

Regarding claim 13, Solo as modified by Iwanir in view of Hicks teaches the system of claim 12, wherein Solo as modified by Iwanir fails to explicitly disclose but Hicks further teaches the check tool is further configured to detect the attack by determining the at least one system tool or the component used by the at least one system tool is malicious (Hicks, pdf page 5 (5. Detecting Suspicious Circuits), discloses a detection algorithm for identifying suspicious circuits automatically within a hardware (e.g., malicious modification to a hardware, see pdf page 1 (Introduction))).  
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Hicks’ into the teachings of ‘Solo’ as modified by ‘Iwanir’, with a motivation to identify a modification or a replacement of the at least one system tool or a component used by the at least one system tool, as taught by Hicks, in order to detect and prevent all hardware attacks in the computer systems; Hicks, pdf page 1 (Abstract).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Solodovnikov; Andrey Y. et al. (US 2016/0359842 A1), hereinafter (Solo), in view of Iwanir; Elad et al. (US 2018/0034835 A1), hereinafter (Iwanir), and further in view of Gribble et al. (US 2007/0174915 A1), hereinafter (Gribble).

Regarding claim 21, Solo as modified by Iwanir teaches the computing device of claim 19, further comprising: a computing device operating system (OS) (Solo, Para. [0046], discloses that the checking of the digital signature can be done by system resources (e.g., in Windows OS by the Sign Tool program), and/or see also Fig. 6 and Para. [0063], the operating system running on the computer 20); and 
instructions that, when executed on the processor, cause the processor to implement (Solo, Fig. 6 and Para. [0069], discloses a processor 21 to execute instructions stored on a non-transitory computer-readable medium) 
However Solo as modified by Iwanir fails to explicitly disclose but Gribble teaches a virtual machine comprising a virtual machine OS, the virtual machine OS being different than the computing device OS, and wherein the at least one file is executable only on the virtual machine OS (Gribble, Claim 1, discloses to produce a virtual machine on a computing device and installing an operating system on the virtual to create a virtual machine environment useful for testing a potential source accessible on the network, and as further disclosed in Claim 5 when the executable file is executed within the produced virtual machine environment).
Solo, Iwanir and Gribble are analogous arts and are in the same field of endeavor as they all pertain and directed to check/detect changes in the files that appears to be malicious.
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Gribble’ into the teachings of ‘Solo’ as modified by ‘Iwanir’, with a motivation to create and provide a clean operating system within a VM running on the user’s computer to perform analysis in real time (on-the-fly), in order to identify spyware that is piggy-backed on the executable files; Gribble, Para. [0015] and Abstract.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose telephone number is 571-272-1239. The examiner can normally be reached on 8AM-4PM (EST) Monday-Friday. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey C Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433