DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 17 December 2021 has been entered.
Claims 1, 2, 5-9, 12-16, and 19-21 are pending.
This Action is Non-Final.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5-9, 12-16, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Richard et al. (US 20130145471) in view of Morkovsky (US 20170085585), and further in view of Kailash et al. (US 20180124070) and Schmugar et al. (US 20190228151).

for data fragments extracted from the file, determining a category, wherein the category is selected from a list of categories that includes at least: trusted, malicious, and untrusted (see paragraphs [0050]-[0053] where the fragments are categorized as low, i.e. trusted, medium, i.e. untrusted, or high i.e. malicious); 
when a number of data fragments of the file categorized as being malicious is below a predetermined threshold, avoiding categorization of the file as malicious (see paragraphs [0026] and [0050]-[0053] where the number of fragments in each category determine its overall categorization); and 
when a number of data fragments of the file categorized as being malicious reaches or exceeds the predetermined threshold, determining whether at least one malicious file detection rule having criteria for detecting a malicious file is found; when at least one malicious file detection rule whose criteria is met is found, categorizing the file as a malicious file; and when no malicious file detection rule whose criteria is met is found, avoiding categorization of the file as a malicious file (see paragraphs [0050]-[0055] where a determination as to whether the fragments reaches or exceeds a threshold indicates the file is malicious).
While Richard et al. teaches the comparison of fragments of a file to different patterns, there lacks an explicit teaching of categorizing each fragment of the file, the category of the data fragment is determined by searching in a database of data fragments, the database comprising at least one of: a list of data fragments, identifiers of categories of the data fragments included in the list of data fragments, and byte sequences containing substitute characters (see paragraphs [0050]-[0053] where the patterns 
However, Morkovsky teaches fragmenting and analyzing each fragment of a file as part of malware detection (see paragraphs [0006] and [0035]-[0040]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to categorize each fragment of the file in the Richard et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to use all the information within the file to make the determination thereby reducing the number of miscategorizations.
The modified Richard et al. and Morkovsky et al. system discloses when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database (see Richard et al. paragraphs [0019]-[0021] and [0050]-[0053]), but fails to explicitly disclose when the search in the database is unsuccessful, the category of the data fragment is determined as being untrusted, and when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database.
However, Kailash et al. teaches when the search in the database is unsuccessful, the category of the data fragment is determined as being untrusted, and when the search is successful, the category of the data fragment is determined as being either malicious or trusted based on a content of an identifier of the category of the data fragment included in the database (see paragraphs [0045]-[0046] where the content is identified as either trusted or untrusted, i.e. malicious if the signature is found, or unknown, i.e. untrusted, if the signature is not found).

Motivation, as recognized by one of ordinary skill in the art, to do so would have been to have the ability to categorize every type of result from the database.
While the modified Richard et al., Morkovsky, and Kailash et al. system generally discloses a given byte sequence coincides with the data fragment, when during a comparison of the data fragment with the given byte sequence, the substitute character coincides with any value (see Richard et al. paragraphs [0050]-[0053] where the patterns are used to determine the categorization and paragraphs [0019]-[0021] where the patterns are from a database), there lacks an explicit teaching of wherein a given byte sequence coincides with the data fragment, when during a comparison of the data fragment with the given byte sequence, the substitute character coincides with any value, wherein each byte sequence in the database of data fragments is labeled by an identifier of the data fragment category.
However, Schmugar et al. teaches wherein a given byte sequence coincides with the data fragment, when during a comparison of the data fragment with the given byte sequence, the substitute character coincides with any value (see paragraphs [0028]-[0030], [0036], [0039] and [0042] where the system uses wildcards in the blocks from strings), wherein each byte sequence in the database of data fragments is labeled by an identifier of the data fragment category (see paragraphs [0040]-[0042] the labeling of the different samples within databases as clean or not clean).
At a time before the effective filing date of the invention, it would have been obvious to use the wildcards and labeling of sequences on Schmugar et al. in the modified Richard et al., Morkovsky, and Kailash et al. system.
Motivation to do so would have been to allow for providing a confidence scale of whether a sample is clan or not clean based on how closely the sample matches (see Schmugar et al. paragraphs [0028]-[0030]).

As per claims 5, 12, and 19, the modified Richard et al., Morkovsky, Kailash et al., and Schmugar et al. system the at least one malicious file detection rule includes: a malicious file detection rule for detecting the file as being malicious when the number of data fragments of the file categorized as being malicious reaches or exceeds the predetermined threshold, the predetermined threshold being expressed either as a percentage of the data fragments of the file being detected as being malicious or as a number of data fragments of the file being detected as malicious (see Richard et al. paragraphs [0026] and [0050]-[0053]).
As per claims 6, 7, 13, 14, 20, and 21, the modified Richard et al., Morkovsky, Kailash et al., and Schmugar et al. system the at least one malicious file detection rule includes: a malicious file detection rule based on a harmfulness rating of the file, wherein the file is categorized as malicious when the harmfulness rating of the file reaches or exceeds a predetermined threshold of harmfulness, the harmfulness rating of the file being computed as a sum of harmfulness ratings of all data fragments of the file that are categorized as being malicious (see Richard et al. paragraph [0055] where the behavior indicates the file is harmful and therefore malicious).

Response to Arguments
Applicant's arguments filed 17 December 2021 have been fully considered but they are not persuasive.  Applicant argues that the cited prior art fails to teach the newly amended independent claims.  While the modified Richard et al., Morkovsky, and Kailash et al. system teaches the general identification, i.e. categorization, of fragments, there lacks a specific teaching of the newly amended claims and newly cited Schmugar et al. has been applied and therefore Applicant’s arguments are moot.
 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.