DETAILED ACTION


Acknowledgements
This action is responsive to Applicants' Pre-brief conference request received 15 June 2021.
Claims 1-20 are pending. 
Claims 1-20have been examined.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. §103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained through the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-20 as understood by the Examiner, are rejected under 35 U.S.C. §103(a) as being unpatentable over Park et al. (US 2009/0300761) in view of Ogilvie (US 8,056,134).
With respect to claims 1, 8 and 15:
Park discloses a cloud-based malware detection (“Centralized Malware detection”) method implemented by a Malware Detection Service (MDS) executed on a server located on an external network from a computer (“Security Server 110” Fig. 1), the cloud-based malware detection method comprising:
receiving a hash signature from the computer (“The system comprises a reporting module adapted to receive an intelligent hash generated based on a suspicious entity encountered by a client”, [0011]), wherein the hash signature is computed locally by the computer from a file to identify the file (“An "intelligent hash" is generated by identifying metadata associated with an entity, such as a file or a software application, that is both unique to the entity (i.e. specific) and largely invariant over small changes to the entity such as polymorphisms (i.e. robust).”, [0023]), and wherein the hash signature is transmitted to the server instead of the file because the hash signature is smaller in size than the file (“The intelligent hash is transmitted to a server for evaluation of whether the suspicious entity corresponds to the malware entity”, [Abstract], [0012] and Claim 14);
determining a status indicator identifying whether the file on the computer is trusted, untrusted, or unknown for malware by the server 
transmitting the status indicator identifying whether the file is trusted, untrusted, or unknown for malware to the computer based on the determining (“The security server 110 reports the results of the evaluation back to the client 150.”, [0025]), wherein the computer is precluded from distribution of the file responsive to the file being untrusted.
A processor (“security server 110”)
memory storing computer program instructions (“The memory 206 may be, for example, firmware, read-only memory (ROM), non-volatile random access memory (NVRAM), and/or RAM, and holds instructions and data used by the processor 202”, [0031])
performing security operations on the file based on the status indicator. (“If the suspicious entity hash evaluation indicates that the entity is malware (i.e. the highest scoring intelligent hash is above the similarity cutoff value and is associated with a malware entity), the suspicious entity hash reporting module 460 remediates the client 150, for example, by removing the suspicious entity and/or repairing corrupted entities on the client 150. The suspicious entity hash reporting module 460 may perform additional actions, such as alerting a user of the client 150 and logging the suspicious entity.”, [0060])
Park discloses a centralized malware detection system that includes a network of computers (clients 150) where the remote server receives the hash signature of the file from client and compares with intelligent database 174 to determine the trustworthiness of the file but does not explicitly disclose only the hash signature is transmitted to the server instead of the file,
However, Ogilvie teaches wherein the hash signature is transmitted to the server instead of the file because the hash signature is smaller in size than the file (“The system characteristics of a spoof component that has a corresponding component of a 
Therefore it would have been obvious to one of ordinary skill in the art, at the time of invention to have combined the centralized malware detection system as disclosed by Park with Ogilvie’s system to transmit a smaller file to the central server, with the motivation to provide a system that reduces the network load by reducing the size of transmissions, since so doing could be performed readily and easily by any person of ordinary skill in the art, with neither undue experimentation, nor risk of unexpected results.

With respect to claims 2 and 9:
Park discloses receiving the file from the computer responsive to the file being unknown, scanning the file to identify content as trusted or untrusted; and transmitting whether the file is trusted or untrusted based on the scanning (“A suspicious entity detection module 450 detects suspicious entities. In one embodiment, the suspicious entity detection module 450 scans the storage device 208 or memory 206 associated with the client 150 to detect suspicious entities installed or stored on the storage device 208 or 
 With respect to claims 3 and 10:
Park discloses wherein the determining is based on a lookup of the file based on its hash signature in a table of file hash signatures. (“the suspicious entity detection module 450 can scan the client 150 using a set of malware signature”, [0056])
With respect to claims 4 and 11:
Parkwherein the table of file hash signatures is managed based on the MDS operating with a plurality of computers. (“FIG. 1 is a high-level block diagram of a computing environment 100 according to one embodiment. FIG. 1 illustrates a security server 110 and three clients 150 connected by a network 114. Only three clients 150 are shown in FIG. 1 in order to simplify and clarify the description. Embodiments of the computing environment 100 can have thousands or millions of clients 150 connected to the network 114.”, [0022])
With respect to claims 5 and 12:
Park discloses wherein the hash signature is based on a combination of content of the file, a name of the file, and a size of the file. (“The 
With respect to claims 6, 13 and 19:
Park discloses wherein the hash signature is adjusted in a predetermined manner at the computer to prevent the hash signature matching known trusted files (“The intelligent hash generation module 312 determines the frequency at which each subsequence occurs in the sequence of metalanguage instructions. In a specific embodiment, the intelligent hash generation module 312 uses a sliding window method to enumerate the frequency at which each subsequence occurs within the sequence of metalanguage instructions. In a sliding window method, a window of a fixed size n is advanced by one instruction or operation code over the sequence to enumerate the number of times each subsequence of 
With respect to claims 7, 14 and 20:
Park discloses wherein the hash signature is about 16-20 bytes to limit network transmissions. (“The intelligent hash generation module 312 selects a set of unique strings for inclusion in the intelligent hash. In some embodiments, the intelligent hash generation module 312 selects all of the unique strings for inclusion in the intelligent hash. In other embodiments, the intelligent hash generation module 312 may limit the number of unique strings based on a fixed size of the intelligent hash (e.g. 750 bytes).”, [0045]). Since Park teaches one of ordinary skill in the art before the time of invention would have known that the hash signature may be limited, the specific range would be merely a choice of design. The limitation “to limit network transmissions” is interpreted as intended use of the hash signature and has no limiting effect on the claim scope as it merely states the purpose of the hash signature size but no functional steps performed by the server.
With respect to claim 16:
Park discloses checking if the hash signature is stored locally to identify whether the file is trusted or untrusted; and performing the transmitting responsive to the hash signature not being locally stored. (“Upon receiving a suspicious entity hash from a client 150, the security server 110 evaluates the intelligent hash by comparing it to the intelligent hashes in the database 174 to determine whether the suspicious entity hash is the same or similar to the intelligent hashes in the intelligent hash 
With respect to claim 17:
Park discloses transmitting the file to the MDS responsive to the status indicator being unknown. (“The program code further comprises program code for transmitting the intelligent hash to a server for evaluation of whether the suspicious entity corresponds to the malware entity.”, [0012])
With respect to claim 18:
Park discloses identifying any file created by a trusted file as trusted and storing associated hash signatures locally (“The security module 116 identifies 712 a suspicious entity. The security module 116 generates 714 a suspicious entity hash. The security module 116 transmits 616 the suspicious entity hash to the security server 110. The security module 116 receives 618 an evaluation of the suspicious entity hash from the security server 110, the evaluation indicating whether the suspicious entity hash 

Response to Arguments
Applicant’s arguments with respect to rejection of claims based on 35 U.S.C. § 101 have been considered and the rejection is withdrawn and new grounds for rejection based on 35 U.S.C. § 103 are provided.
Conclusion
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to MURALI K. DEGA whose telephone number is (571)270-5394.  The Examiner can normally be reached on Monday to Thursday 7.00AM to 5.30 PM
If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Christine M. Behncke can be reached on (571) 272-8103.    The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Murali K. Dega/
Art Unit: 3697
/CHRISTINE M BEHNCKE/Supervisory Patent Examiner, Art Unit 3697