DETAILED ACTION
This office action is in response to applicant’s RCE submission filed on 10/25/2021, which has an effective filing date of 08/27/2018. Claims 1, 12, and 19 have been amended.  Claims 1-20 are pending and are directed towards system, method, and computer product for Ransomware Remediation in Collaboration Environments.  This is Non-Final action.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 10/25/2021 have been fully considered.
A) Applicant’s arguments, with respect to the newly amended limitations of claims 1, 12, and 19, that Iwanir and Bennett fail to teach “the prevention message is delivered to at least one second user of the second user device in addition to the first user of the first user device, the second user device at least potentially has access to a content object affected by the ransomware process running on the first user device” (page 9 of the present response) have been fully considered but they are not persuasive.

Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which 
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Iwanir et al. (US Pub. 2018/0034835), hereinafter Iwanir, filed on Dec. 9, 2016 in view of Bennett (US Pub. 2009/0282483) filed on Feb. 17, 2009.
	Regarding claim 1, Iwanir teaches a method for ransomware remediation in collaboration environments (para 28, line 1-7 and line 17-21; ransomware detection and countermeasures on a cloud storage system 320 communicating with client devices 310), the method comprising: 

receiving, from at least one first user device of a first user from among the one or more user devices that perform the file operations, a notification that describes a ransomware process running on the first user device or an effect of the ransomware process running on the first user device at the collaboration system (para 28, line 1-17 and para 33, line 1-15; each client device may include an ARC agent 312 and ARC agent may send file event notifications that the client device may be infected with ransomware to the cloud storage system or the ARC system and a ransomware notification may indicate the type of ransomware); and
generating, by the collaboration system, a prevention policy based on the notification received from the first user device (Fig. 3 and para 33, line 1-15; ARC 
Iwanir does not teach delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device of the one or more user devices, wherein the prevention message is processible by the at least one second user device
Bennett teaches delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device of the one or more user devices, wherein the prevention message is processible by the at least one second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware and types of remediation to be performed),
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of malware and types of remediation to be performed.  Doing so would allow for malware detection and elimination within the system, as recognized by Bennett.

Iwanir does not teach the prevention message is delivered to at least one second user of the second user device
Bennett teaches the prevention message is delivered to at least one second user of the second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of malware.  Doing so would allow for malware detection and elimination within the system, as recognized by Bennett.
Iwanir teaches processing instructions based on the notification received from the first user device to prevent synchronization of content object changes made by the ransomware process with content objects at the collaboration 
Regarding claim 2, Iwanir and Bennett teach method of claim 1.
Iwanir teaches processing the prevention message to block invocation of the ransomware process at the at least one second user device (para 34, line 1-17 and para 37, line 1-12; countermeasures processor of the ARC system directs processing to implement instructions to prevent synchronization of files of the client device with other client devices to prevent the propagation of files undergoing a ransomware attack).
Regarding claim 3, Iwanir and Bennett teach method of claim 2.
Iwanir teaches blocking invocation of the ransomware process at the collaboration system (para 37, line 1-12; prevent synchronization of files of the client device with other client devices and with the cloud service to prevent the propagation of files undergoing a ransomware attack).
Regarding claim 4, Iwanir and Bennett teach method of claim 2.
Iwanir teaches blocking operations on the at least one local copy of one or more content objects of the one or more user devices, or blocking operations to a 
Regarding claim 5, Iwanir and Bennett teach method of claim 1.
Iwanir teaches suspending at least a portion of the file operations performed over the one or more content objects (para 37, line 1-12; prevent synchronization of files of the client device with other client devices and with the cloud service to prevent the propagation of files from the client device undergoing a ransomware attack).
Regarding claim 6, Iwanir and Bennett teach method of claim 5.
Iwanir teaches resuming at least some of the file operations (para 34, line 34-44; in block 705, if an enable synchronization flag is set, enables the synchronization of files).
Regarding claim 7, Iwanir and Bennett teach method of claim 6.
Iwanir teaches the portion of the file operations is resumed based at least in part on a ransomware remediation status (Fig. 7 and para 34, line 34-44; neutralizes ransomware and, if an enable synchronization flag is set, enables the synchronization of files).
Regarding claim 8, Iwanir and Bennett teach method of claim 1.
Iwanir teaches detecting the ransomware process (para 28, line 1-10; determine whether the client device may be infected with ransomware); and 
issuing, in response to detecting the ransomware process, the notification (para 28, line 1-17; each client device may include an ARC agent 312 and ARC agent may send file event notifications that the client device may be infected with ransomware to the cloud storage system or the ARC system).
Regarding claim 9, Iwanir and Bennett teach method of claim 8.
Iwanir teaches the detecting the ransomware process is based at least in part on at least one of, an activity pattern, or a file entropy parameter, or a file extension (para 17, line 1-9; various detection criteria such as entropy change and sudden changes in user behavior may be used to determine whether a file has been maliciously changed (e.g., encrypted or otherwise corrupted)).
Regarding claim 10, Iwanir and Bennett teach method of claim 1.
Iwanir teaches the notification comprises at least one of, a notification identifier, a device identifier, a user identifier, a ransomware detection class, an object identifier, or a process hash (para 33, line 1-7; the ransomware processor of the ARC system processes a ransomware notification and determines the type of ransomware, such as Locky or CryptoWall).
Regarding claim 11, Iwanir and Bennett teach method of claim 1.
Iwanir teaches the content object changes made by the ransomware process comprise at least one of, random data, or executable code comprising ransomware, or a variation or portion of the executable code that is embedded in the content object (para 25, line 1-16; the ARC system monitors changes to files, such as a file variance because a file affected by ransomware may have content that is dissimilar from its prior version including extension changes).
Regarding claim 12, Iwanir teaches a non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by one or more processors causes the one or more processors to perform a set of acts for ransomware remediation in collaboration environments (para 28, line 1-21 and para 29, line 11-18 and para 30, line 1-7; ransomware detection and countermeasures on a cloud storage system 320 communicating with client devices 310, where storage media contains computer-executable instructions are executed by processors), the set of acts comprising: 
maintaining a collaboration system having one or more content objects shared by a plurality of user devices, wherein at least one local copy of the one or more content objects from a collaboration system is stored in a file system of one or more user devices of the plurality of user devices, and the collaboration system 
receiving, from at least one first user device of a first user from among the one or more user devices that perform the file operations, a notification that describes a ransomware process running on the first user device or an effect of the ransomware process running on the first user device at the collaboration system (para 28, line 1-17 and para 33, line 1-15; each client device may include an ARC agent 312 and ARC agent may send file event notifications that the client device may be infected with ransomware to the cloud storage system or the ARC system and a ransomware notification may indicate the type of ransomware); and
generating, by the collaboration system, a prevention policy based on the notification received from the first user device (Fig. 3 and para 33, line 1-15; ARC system retrieves countermeasure instructions for the type of ransomware indicated in the ransomware notification); and 
Iwanir does not teach delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device 
Bennett teaches delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device of the one or more user devices, wherein the prevention message is processible by the at least one second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware and types of remediation to be performed),
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of malware and types of remediation to be performed.  Doing so would allow for malware detection and elimination within the system, as recognized by Bennett.
Iwanir teaches the prevention message is delivered to the first user of the first user device (para 34, line 17-38 and para 35, line 1-19; notify user on a client-side component of a suspected ransomware that identifies the files and additional information)  

Bennett teaches the prevention message is delivered to at least one second user of the second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware)  
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of malware.  Doing so would allow for malware detection and elimination within the system, as recognized by Bennett.  
Iwanir teaches the second user device at least potentially has access to a content object affected by the ransomware process running on the first user device (para 33, line 1-15 and para 34, line 1-17; countermeasures processor of the ARC system directs processing to implement instructions to prevent synchronization of files of the client device with other client devices on the cloud storage system to prevent ransomware infection).
processing instructions based on the notification received from the first user device to prevent synchronization of content object changes made by the ransomware process with content objects at the collaboration system (para 33, line 1-15 and para 34, line 1-17; countermeasures processor of the ARC system directs processing to implement instructions to prevent synchronization of files of the client device with other client devices and with the cloud service based on the received ransomware notification).
Regarding claim 13, Iwanir and Bennett teach computer product of claim 12.
Iwanir teaches processing the prevention message to block invocation of the ransomware process at the at least one second user device (para 34, line 1-17 and para 37, line 1-12; countermeasures processor of the ARC system directs processing to implement instructions to prevent synchronization of files of the client device with other client devices to prevent the propagation of files undergoing a ransomware attack).
Regarding claim 14, Iwanir and Bennett teach computer product of claim 13.
Iwanir teaches blocking invocation of the ransomware process at the collaboration system (para 37, line 1-12; prevent synchronization of files of the 
Regarding claim 15, Iwanir and Bennett teach computer product of claim 13.
Iwanir teaches blocking operations on the at least one local copy of one or more content objects of the one or more user devices, or blocking operations to a native file system of the one or more user devices (para 37, line 1-12; prevent synchronization of files of the client device with other client devices and with the cloud service to prevent the propagation of files from the client device undergoing a ransomware attack).
Regarding claim 16, Iwanir and Bennett teach computer product of claim 12.
Iwanir teaches suspending at least a portion of the file operations performed over the one or more content objects (para 37, line 1-12; prevent synchronization of files of the client device with other client devices and with the cloud service to prevent the propagation of files from the client device undergoing a ransomware attack).  
Regarding claim 17, Iwanir and Bennett teach computer product of claim 16.

Regarding claim 18, Iwanir and Bennett teach computer product of claim 17.
Iwanir teaches the portion of the file operations is resumed based at least in part on a ransomware remediation status (Fig. 7 and para 34, line 34-44; neutralizes ransomware and, if an enable synchronization flag is set, enables the synchronization of files).
Regarding claim 19, Iwanir teaches a system for ransomware remediation in collaboration environments (para 28, line 1-7 and line 17-21; ransomware detection and countermeasures on a cloud storage system 320 communicating with client devices 310), the system comprising: 
a storage medium having stored thereon a set of instructions (para 29, line 11-18; computer-readable storage media contain computer-executable instructions); and 
one or more processors that execute the set of instructions to cause a set of acts (para 30, line 1-7; computer-executable instructions executed by one or 
maintaining a collaboration system having one or more content objects shared by a plurality of user devices, wherein at least one local copy of the one or more content objects from a collaboration system is stored in a file system of one or more user devices of the plurality of user devices, and the collaboration system is accessed by the one or more user devices to perform file operations over the one or more content objects (Fig. 3 and para 26, line 1-7 and para 28, line 1-13; anti-ransomware cloud-service, or ARC, system monitors changes to files of a client device that stores files with the cloud storage system or incoming communications to the client device for multiple client devices); 
receiving, from at least one first user device of a first user from among the one or more user devices that perform the file operations, a notification that describes a ransomware process running on the first user device or an effect of the ransomware process running on the first user device at the collaboration system (para 28, line 1-17 and para 33, line 1-15; each client device may include an ARC agent 312 and ARC agent may send file event notifications that the client device may be infected with ransomware to the cloud storage system or the ARC system and a ransomware notification may indicate the type of ransomware); and

Iwanir does not teach delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device of the one or more user devices, wherein the prevention message is processible by the at least one second user device
Bennett teaches delivering a prevention message comprising at least the prevention policy generated by the system to at least one second user device of the one or more user devices, wherein the prevention message is processible by the at least one second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware and types of remediation to be performed),
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of 
Iwanir teaches the prevention message is delivered to the first user of the first user device (para 34, line 17-38 and para 35, line 1-19; notify user on a client-side component of a suspected ransomware that identifies the files and additional information)  
Iwanir does not teach the prevention message is delivered to at least one second user of the second user device  
Bennett teaches the prevention message is delivered to at least one second user of the second user device (para 20, line 1-12 and line 28-40 and para 23, line 1-10; when malware is detected, the support server sends a warning message to end users or client devices may include description of malware)  
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Iwanir to incorporate the teachings of Bennett to provide the support server sending a warning message to end users or client devices may include description of malware.  Doing so would allow for malware detection and elimination within the system, as recognized by Bennett.  

processing instructions based on the notification received from the first user device to prevent synchronization of content object changes made by the ransomware process with content objects at the collaboration system (para 33, line 1-15 and para 34, line 1-17; countermeasures processor of the ARC system directs processing to implement instructions to prevent synchronization of files of the client device with other client devices and with the cloud service based on the received ransomware notification).
Regarding claim 20, Iwanir and Bennett teach system of claim 19.
Iwanir teaches the content object changes made by the ransomware process comprise at least one of, random data, or executable code comprising ransomware, or a variation or portion of the executable code that is embedded in the content object (para 25, line 1-16; the ARC system monitors changes to files, .
Conclusion
4.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	The following are the related patents and applications: Abdel-Aziz et al. (US Pub. 2009/0328220) discloses malware detection systems and methods are presented at a wireless access switch shared by multiple clients and to identify clients suspected of being infected with malware; Tamir et al. (US Pub. 2018/0211039) discloses a system for protecting a database against a ransomware attack includes a database backup handler configured to selectively output database backup data associated with a database to a storage device; Weaver et al. (US Patent 10,055,582) discloses a ransomware detector configured to generate a detection score for one or more sets of files stored in the storage device and to generate an alert if the detection score for the one or more sets of files exceeds a specified threshold.
5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 






/NHAN HUU NGUYEN/Examiner, Art Unit 2492


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492