DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8 September 2021 has been entered.
 

Introductory Remarks
	In response to communications filed on 8 September 2021, claims 1, 3-6, 8, 10-13, 15, and 17-20 are amended per Applicant's request. No claims were cancelled. No claims were withdrawn. No new claims were added. Therefore, claims 1-20 are presently pending in the application, of which claims 1, 8, and 15 are presented in independent form.

The previously raised objection of the pending claims is withdrawn in view of the amendments to the claims.
The previously raised 103 rejection of the pending claims is withdrawn in view of the amendments to the claims. A new ground(s) of rejection has been issued.



Response to Arguments
Applicant’s arguments filed 8 September 2021 with respect to the objection of the claims have been fully considered and are persuasive, as the amendments render the objection moot.
Applicant’s arguments filed 8 September 2021 with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 6, 8-10, 13, 15-17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Crofton et al. (“Crofton”) (US 2017/0177867 A1), in view of Ranum et al. (“Ranum”) (US 2014/0013434 A1).
	Regarding claim 1: Crofton teaches A method for preserving integrity and performing a backup of a plurality of endpoint devices centrally managed by a central server over a network (Crofton, [0026], where the system comprises a plurality of devices (i.e., “endpoint devices”) communicating via a network to a backup server. See Crofton, [0039], where the backup server executes a backup manager that manages (i.e., “centrally manages”) the backups for the one or more endpoint devices), comprising:
	receiving at the central server, from each of the plurality of endpoint devices, [one or more hashes] for performing the backup and preserving integrity of the endpoint device that identifies files located in the file system of the endpoint device, the [one or more hashes] containing unique file signatures of the files in the file system of the endpoint device, wherein the manifest is produced on the endpoint device by an agent operating on the endpoint device that calculates the unique file signatures of the files in the file system of the endpoint device (Crofton, [0034], where a backup server may receive file hashes from one or more backup agents running on one or more client devices (i.e., “endpoint devices”) (see Crofton, [0008], where a backup agent runs on a computing device). See Crofton, [0036], where a device identifier may be provided by the backup agent to a server (item 140) along with file hashes and/or files, and may be recorded or associated with the hashes or backed up files. See Crofton, [0055], where each file or fragment may be associated with a hash value or signature generated from a cryptographic hash function. Note that one of ordinary skill in the art would have recognized that a cryptographic hash would have generated a unique file signature of the file, since the cryptographic hash is based on the contents of the file1.
[0105], where the backup agent executing on a client device may monitor file system read/write operations anywhere in storage of the client device, i.e., indicating that the files are located in a file system of the client device (i.e., “file system of the endpoint device”));
	for each of the plurality of endpoint devices, backing up the endpoint device by determining content changed on the endpoint device since a previous backup by comparing the received [hash value] with a previous [hash value] received from the endpoint device to determine what changes have taken place on the endpoint device since the capturing of the previous [hash value] (Crofton, [0044], where a data hash table may store a plurality of hashes in explicit association with each hash corresponding to a state of the file. When a file is modified on a client device, the client device’s backup agent may generate a new hash for that file, and transmit a new hash value and file identifier (Crofton, [0056]). See Crofton, [0039], where the backup manager executing by the server (item 140) (see Crofton, [0031]) may compare received file hashes to stored file hashes before receiving backup data from the devices, where the backup manager may maintain a data hash table. See Crofton, [0063], where upon determine a hash value transmitted by the backup agent running on the client device is not present in the data hash table, the backup manager may request the backup agent to transfer the corresponding file for archival), and uploading the changed content to the central server (Crofton, [0041], where modified files or modified fragments may be backed up to the backup server. To further save storage and bandwidth, the modifications may be stored as a difference or delta from the prior version of the file, i.e., performing differential backups. See also Crofton, [0071], where the backup agent may calculate a hash of a newly created or modified file or fragment to be backed up, where that fragment may be backed up without requiring the entire file to be backed up again. See Crofton, [0076], where after performing a series of checks, the file or fragment is transferred from the client device for archival to the backup server or storage server for storing the fragment/file);
	checking integrity of the endpoint device by inspecting the manifest received from the endpoint device to determine whether to trigger remedial action [0044], where file hash results or signatures may be compared (i.e., “check[ed]”) to detect differences, which may allow for detection and mitigation of malicious activity on a user’s device), the inspection performed by:
	retrieving a reference [hash value] corresponding to the endpoint device (Crofton, [0039], where the backup manager running on the server (Crofton, [0031]) may compare received file hashes to stored file hashes (i.e., “retrieving a reference [hash value]”), where the stored file hashes correspond to files in the device (Crofton, [0060]) (i.e., “[the] reference [hash value] corresponding to the endpoint device”). See also Crofton, [0063], where the backup manager determines whether a received hash value is present or not present within the data hash table) … ;
	identifying differences between the received manifest and the reference manifest for the endpoint device (Crofton, [0044], where file hash results or signatures may be compared to detect differences. See Crofton, [0039], where the backup manager may compare received file hashes (i.e., “received [hash value]”) to stored file hashes (i.e., “reference [hash value]”), where the stored file hashes correspond to files in the device (see, e.g., Crofton, [0060]) (i.e., “the reference [hash values] for the endpoint device”));
	determining whether the identified differences constitute a compromise to the integrity of the endpoint device (Crofton, [0079], where the backup manager may tag or identify the file or fragment as potentially malicious. See Crofton, [0044], where the system may detect and mitigate malicious activity on a user’s device. See also Crofton, [Section B “Malicious Activity Detection in an Online Backup System”], i.e., Crofton, [0095-0124], with regards to the system determining legitimate/malicious activities based on a variety of factors and thresholds. See Crofton, [0044], where the system ultimately detects and mitigates malicious activity on a user’s device based on the file hash result comparisons (i.e., indicating that the device’s integrity had been compromised)); and
	if the identified differences constitute a compromise to the integrity of the endpoint device, triggering the remedial action (Crofton, [0097], where upon detection of potentially malicious modification activity, a user is allowed to restore to [0109], where the backup agent may restore the previous, unmodified version of the file).
	Although Crofton does not appear to explicitly state that the one or more hashes are represented as a manifest, as claimed, Crofton suggests that multiple file hashes/signatures may be sent (see Crofton, [0036], where a device identifier may be provided to a server (item 140) along with file hashes and/or files, and may be recorded or associated with the hashes or backed up files). Furthermore, Crofton’s comparison of file hashes/signatures results in equivalent operating characteristics as the claimed invention, as both the previous and current manifests (as claimed) comprise a list of file signatures, i.e., both Crofton and the claimed invention are directed to comparing one or more file signatures (i.e., Crofton’s device sending one or more file signatures to the backup server; the claimed invention obtaining this information from the manifest) to previously received/stored file signatures (i.e., Crofton’s data hash table; a previous manifest as claimed).
	Thus, one of ordinary skill in the art would have been suggested by Crofton’s disclosure to utilize a manifest, as claimed, with the motivation of avoiding performing multiple handshakes with the backup server each time a new file signature is computed and transmitted, which would have resulted in higher I/O processing; however, the use of a manifest requires only one handshake for each manifest snapshot, where the backup server would receive the manifest of file signatures all at one time.
	Crofton discloses all the claim limitations, but does not appear to explicitly teach wherein the reference manifest is produced by performing a full scan of the file system of the endpoint device when the endpoint device is in a clean state and calculating unique file signatures of files in the file system.
	Ranum teaches wherein the reference manifest is produced by performing a full scan of the file system of the endpoint device when the endpoint device is in a clean state and calculating unique file signatures of files in the file system (Ranum, [0047], where scanners may compare current file systems associated with scanned hosts (i.e., “endpoint device”) to identify differences relative to the indexed trusted file systems (i.e., “reference manifest”), which may include previous file systems associated with the scanned hosts at an earlier time when the scanned hosts had no malware infections (Ranum, [0057]) (i.e., “when the endpoint device is in a clean state”). Note that the indexes may be in the form of manifests (Ranum, [0057]). See Ranum, [0045], where the manifests list file hashes, where file hashes are unique signatures associated with files on the known reference systems (i.e., “calculating unique file signatures of files in the file system [of the endpoint device]”).
Note that although Ranum does not appear to explicitly state that the scanned hosts pertained to a “full” scan as claimed, one of ordinary skill in the art would have been motivated to have modified Ranum’s disclosure to explicitly perform a full scan of the scanned host with the motivation of ensuring that malware/viruses had not infected any part of the scanned host at all (i.e., otherwise malware/viruses that infected certain unscanned portions of the host will be left undetected, and defeats the purpose of having a clean/trusted reference system)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Crofton and Ranum (hereinafter “Crofton as modified”) with the motivation of representing “ideal” or master sets that can be used to baseline subsequent comparisons used to detect whether viruses or other malware have infected the network (Ranum, [0046]).

	Regarding claim 2: Crofton as modified teaches The method of claim 1, wherein identifying the differences between the received manifest and the reference manifest comprises at least one of: determining added files based on file signatures that are present in the received manifest and not present in the reference manifest; determining missing files based on file signatures that are present in the reference manifest and not present in the received manifest; or determining file path changes based on file signatures that are the same in the reference manifest and in the received manifest but have different corresponding file paths in the received manifest and in the reference manifest (Crofton, [0063], where the backup manager determines that a received hash value is not present in the data hash table (the data hash table storing prior hash values)). 

	Regarding claim 3: Crofton as modified teaches The method of claim 2, further comprising:
determining that an identified difference constitutes a compromise to the integrity of the endpoint device when the identified difference includes at least one of: an added file of a type that is deemed to be potentially harmful; a missing file of a type that is deemed to be potentially harmful; or a file path change corresponding to a file of a type that is deemed to be potentially harmful (Crofton, [0111-0112], where malicious activity detection may be based on file type modifications, where a file type for a file is identified, and then the system determines whether a corresponding file type-specific modification rate is greater than another threshold. See also Crofton, [0118], where the file modification behavior comprises a number of modified files of a predetermined type during a predetermined time window, and determines that the number of modified files of the predetermined type during the predetermined time window exceeds a second threshold.
Note that although Crofton discloses the backup agent operating on the client device performs this function, one of ordinary skill in the art would have modified Crofton’s disclosure such that this determination process is performed on the backup server (i.e., the claimed central server) with the motivation of pushing this processing onto the backup server, thereby relieving the client devices from these processing tasks (since client devices may have lower processing capacities than a server), i.e., avoiding severely impacting performance on the client devices). 

	Regarding claim 6: Crofton as modified teaches The method of claim 1, wherein the remedial action comprises conveying a message indicating the compromise to the integrity of the endpoint device (Crofton, [0097], where a message may be presented to a user, informing them of the potentially malicious activity on the client device). 

	Regarding claim 8: Claim 8 recites substantially the same claim limitations as claim 1, and is rejected for the same reasons.
Note that Crofton teaches A computing device for preserving integrity and performing a backup of a plurality of endpoint devices centrally managed by a central server over a network, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the computing device to perform the steps of [the claim] (Crofton, [0125-0126], where the disclosed system may be implemented on a computing device and performing the disclosed operations, where the computing device includes a central processing unit that processes instructions fetched from the main memory unit and/or storage).

	Regarding claim 9: Claim 9 recites substantially the same claim limitations as claim 2, and is rejected for the same reasons.

	Regarding claim 10: Claim 10 recites substantially the same claim limitations as claim 3, and is rejected for the same reasons.

	Regarding claim 13: Claim 13 recites substantially the same claim limitations as claim 6, and is rejected for the same reasons.

	Regarding claim 15: Claim 15 recites substantially the same claim limitations as claim 1, and is rejected for the same reasons.
Note that Crofton teaches A non-transitory computer readable storage medium for preserving integrity and performing a backup of a plurality of endpoint devices centrally managed by a central server over a network comprising one or more sequences of instructions, the instructions when executed by one or more processors causing the one or more processors to execute the operations of [the claimed steps] (Crofton, [0125-0126], where the disclosed system may be implemented on a computing device and performing the disclosed operations, where the computing device includes a central processing unit that processes instructions fetched from the main memory unit and/or storage).

	Regarding claim 16: Claim 16 recites substantially the same claim limitations as claim 2, and is rejected for the same reasons.

	Regarding claim 17: Claim 17 recites substantially the same claim limitations as claim 3, and is rejected for the same reasons.

	Regarding claim 20: Crofton as modified teaches The non-transitory computer readable storage medium of Claim 15, wherein the remedial action comprises at least one of conveying a message indicating the compromise to the integrity of the endpoint device, or enforcing a base image on the endpoint device (Crofton, [0097], where a message may be presented to a user, informing them of the potentially malicious activity. The user is then allowed to restore to before the modification. See also Crofton, [0109], where the backup agent may restore the previous, unmodified version of the file).


Claims 4-5, 11-12, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Crofton et al. (“Crofton”) (US 2017/0177867 A1), in view of Ranum et al. (“Ranum”) (US 2014/0013434 A1), in further view of Moran (“Moran”) (US 2007/0157315 A1).
	Regarding claim 4: Crofton as modified teaches The method of claim 1, but does not appear to explicitly teach wherein determining whether the identified differences constitute a compromise to the integrity of the endpoint device is based on a policy file stored on the server.
	Moran teaches wherein determining whether the identified differences constitute a compromise to the integrity of the endpoint device is based on a policy file stored on the server (Moran, [0303], where an operator may specify a policy (i.e., “policy file”) describing what changes to a package can be ignored. Although Moran does not appear to explicitly state that the policy is stored as a file on a server, one of ordinary skill in the art would have recognized that such policies set by a user (and later consulted by the system) implies that the policies are stored. Regardless of whether the policies are stored in a file or in some other data form, the claimed invention does not distinguish over the prior art because both the claimed invention and Moran pertain to allowing users to set policies that the system can later use (i.e., retrieve and compare), and utilizing the user-specified policies to override certain files that would normally have been flagged as malicious. Thus, the claimed invention does not distinguish over the prior art).
	Although Moran’s disclosure pertains to potentially-compromised packages (rather than potentially-compromised endpoint devices, as claimed), Moran is analogous to the claimed invention because both Moran and the claimed invention pertain to security measures for detecting possible compromised data in a set of files by comparing file signatures in the set of files, and allowing users to manually specify certain policies in the detection of compromised data. Therefore, Moran is analogous to the claimed invention.
	Crofton as modified and Moran are directed to the same field of invention, which is detecting possible compromised data in a set of files by comparing file signatures in the set of files, and allowing users to manually specify certain policies in the detection of compromised data. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Crofton as modified and Moran (hereinafter “Crofton as modified”) by modifying Crofton’s central server to include a policy file (as disclosed by Moran), with the motivation of reducing the problem of high false positives (i.e., incorrectly flagging a package/file as suspicious/malicious) (see Moran, [0303], where this false-positive problem is reduced by allowing the operator to specify a policy describing what changes can be ignored), e.g., some of the files installed as part of a package are expected to change and would have produced false positives (see Moran, [0309]).

	Regarding claim 5: Crofton as modified teaches The method of claim 4, wherein, at least one of:
	the policy file defines a location on the endpoint device that is deemed to be safe, and identified differences corresponding to files in the location deemed to be safe are ignored when determining whether identified differences constitute a compromise to the integrity of the endpoint device; or the policy file defines a file type that is deemed to be safe and identified differences corresponding to files of the type deemed to be safe are ignored when determining whether identified differences constitute a compromise to the integrity of the endpoint device (Moran, [0303], where an operator may specify a policy describing what changes to a package can be ignored. See Moran, [0309-0321], where the system checks files in a package management database and compares the signatures in the database to the signature of the current version of the file in the package. The system may suppress false positives by ignoring mismatches when (1) a file is determined to be of a particular category type (e.g., configuration file, log file, etc.) (i.e., “file type that is deemed to be safe”), and/or (2) the location of the file is compared against conventions for where changeable files are in place, e.g., certain directories such as /var/lib or /var/log are common locations for configuration files/configurable scripts and log files, respectively (i.e., “a location…that is deemed to be safe”)). 

	Regarding claim 11: Claim 11 recites substantially the same claim limitations as claim 4, and is rejected for the same reasons.

	Regarding claim 12: Claim 12 recites substantially the same claim limitations as claim 5, and is rejected for the same reasons.

	Regarding claim 18: Claim 18 recites substantially the same claim limitations as claim 4, and is rejected for the same reasons.

	Regarding claim 19: Claim 19 recites substantially the same claim limitations as claim 5, and is rejected for the same reasons.


Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Crofton et al. (“Crofton”) (US 2017/0177867 A1), in view of Ranum et al. (“Ranum”) (US 2014/0013434 A1), in further view of Besch et al. (“Besch”) (US 2008/0178290 A1).
	Regarding claim 7: Crofton as modified teaches The method of claim 1, but does not appear to explicitly teach wherein the remedial action comprises enforcing a base image on the endpoint device.
	Besch teaches wherein the remedial action comprises enforcing a base image on the endpoint device (Besch, [0017], where if a harmful file is found during examination of the virtual hard disk, an alarm can be appropriately triggered to inform the user of the computer system or an administrator. To eliminate the malware, an older, clean image of the hard disk can be restored. In addition, the hard disk can be repaired so that a harmful file on the hard disk or on an image of the hard disk is replaced by a corresponding undamaged file, i.e., from an older image or from a reference image).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Crofton as modified and Besch. Crofton suggests in [0097] that a user may be allowed to restore to a file to before the modification (see also Crofton, [0109], where the backup agent may restore the previous, unmodified version of the file), but does not appear to explicitly state that the entire device is restored to previous state. Therefore, one of ordinary skill in the art would have been motivated to have combined the teachings of Crofton as modified and Besch with the motivation of completely cleaning the client device by rolling it back to a previous state due to a possibility that the infection is widespread within the client device, i.e., not just confined to only the file detected to be corrupted.

	Regarding claim 14: Claim 14 recites substantially the same claim limitations as claim 7, and is rejected for the same reasons.







Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IRENE BAKER whose telephone number is (408)918-7601. The examiner can normally be reached M-F 8-5PM PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEVEEN ABEL-JALIL can be reached on (571)270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/IRENE BAKER/Primary Examiner, Art Unit 2152                                                                                                                                                                                                        
5 November 2021


    
        
            
        
            
        
            
        
            
    

    
        1 Gosnell et al. (US Patent Publication No. 2007/0038857 A1) at [0031].