ALLOWABILITY NOTICE
Claims 1-4, 6-12, 14-18 and 20 are pending in this action.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/18/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement has been considered by the examiner.


Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Michael Fainberg on 1/27/2022.

The claims are amended as follows:

1. (Currently Amended) A method of updating antivirus applications with antivirus records, the method comprising: analyzing, by a processor, a log of records of API ; and creating a new antivirus record comprising the extracted one or more API function calls, a set of hash sums from different segments of the file and rules for selecting the set of hash sums.

2. (Currently Amended) method of claim 1, further comprising: 

3. (Original) The method of claim 1, wherein the processor includes a sandbox, and the log of API function calls being populated by executing processes launched from the file in the sandbox.

the register.

5. (Canceled).

6. (Original) The method of claim 1, wherein each record of the API functions call log comprises at least an identifier of the API function called, an identifier of the process launched from the file; an identifier of a thread executing instructions of the address space of the process; a set of arguments of the API function called.

7. (Currently Amended) The method of claim 1, wherein the behavioral rule corresponds to a verdict which is pronounced upon triggering of the rule, the verdict indicating a category of the malicious behavior corresponding to that behavioral rule.

8. (Currently Amended) The method of claim 1, wherein the analysis of the file by the processor includes at least one of: a check with the use of the reputation service, a check with the use of one or more YARA rules, or an expert analysis.

9. (Currently Amended) A system of updating antivirus applications with antivirus records, comprising: at least one processor configured to: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule ; and creating a new antivirus record comprising the extracted one or more API function calls, a set of hash sums from different segments of the file and rules for selecting the set of hash sums.

10. (Currently Amended) The system of claim 9, wherein the processor further configured to: 

11. (Original) The system of claim 9, wherein at least one processor includes a sandbox, and the log of API function calls being populated by executing processes launched from the file in the sandbox.

12. (Currently Amended) The system of claim 11, wherein the sandbox is realized on at least one of: a virtual machine, a partial virtualization of a file system and a register, and access rules to the file system and the register.

13. (Canceled).

system of claim 9, wherein each record of the API functions call log comprises at least an identifier of the API function called, an identifier of the process launched from the file; an identifier of a thread executing instructions of the address space of the process; a set of arguments of the API function called.

15. (Currently Amended) The system of claim 9, wherein the behavioral rule corresponds to a verdict which is pronounced upon triggering of the rule, the verdict indicating a category of the malicious behavior corresponding to that behavioral rule.

16. (Currently Amended) The system of claim 9, wherein the analysis of the file by the processor includes at least one of: a check with the use of the reputation service, a check with the use of one or more YARA rules, or an expert analysis.

17. (Currently Amended) A non-transitory computer readable medium storing thereon computer executable instructions for updating antivirus applications with antivirus records, including instructions for: analyzing a log of records of API function calls of a file for presence of malicious behavior using one or more behavioral rules; determining that the file is malicious when a behavioral rule corresponding to one or more records of API function calls from the log is identified; extracting from the log the one or more API function calls associated with the identified behavioral rule; determining whether the one or more extracted records of API function calls are supported by an antivirus application of a user device; and when the one or more extracted records of API function calls are not supported by the antivirus application, adding to the antivirus application, a support ; and creating a new antivirus record comprising the extracted one or more API function calls, a set of hash sums from different segments of the file and rules for selecting the set of hash sums.

18. (Currently Amended) The non-transitory computer readable medium of claim 17, further comprising instructions for: 

19. (Canceled).

20. (Original) The non-transitory computer readable medium of claim 18, wherein each record of the API functions call log comprises at least an identifier of the API function called, an identifier of the process launched from the file; an identifier of a thread executing instructions of the address space of the process; a set of arguments of the API function called.
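The independent claims (1, 9 and 17) and the dependent claims describing the log record (6, 14 and 20) together describe one procedure: match behavioral rules against a log of API function calls, extract the matching calls, add support for them to the antivirus application where it is missing, and build a new antivirus record that also carries hash sums of file segments plus the rule for selecting those segments. The following Python illustration is an added example written for this page; it is not code from the application, its assignee or the examiner. The log record fields follow claim 6; the rule format (an ordered sequence of API identifiers within one process), the sample log, the sample file bytes and the segment-selection rule (fixed-size segments hashed with SHA-256) are assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCallRecord:
    """One record of the API function call log (fields named in claim 6)."""
    api_id: str        # identifier of the API function called
    process_id: int    # identifier of the process launched from the file
    thread_id: int     # identifier of the thread executing in that process
    args: tuple        # arguments of the API function called


@dataclass(frozen=True)
class BehavioralRule:
    """Hypothetical rule shape: an ordered sequence of API calls in one process.
    The verdict is the malicious-behavior category pronounced when it triggers."""
    name: str
    verdict: str
    sequence: tuple


def find_triggered_rule(log, rules):
    """Return (rule, matched_records) for the first rule whose sequence occurs,
    in order, within a single process; (None, []) if no rule triggers."""
    by_process = {}
    for rec in log:
        by_process.setdefault(rec.process_id, []).append(rec)
    for rule in rules:
        for recs in by_process.values():
            matched, i = [], 0
            for rec in recs:
                if i < len(rule.sequence) and rec.api_id == rule.sequence[i]:
                    matched.append(rec)
                    i += 1
            if i == len(rule.sequence):
                return rule, matched
    return None, []


def segment_hashes(data, segment_size):
    """Hash sums from different segments of the file. The selection rule here
    (an assumption) is fixed-size segments starting at offset 0."""
    return [(off, hashlib.sha256(data[off:off + segment_size]).hexdigest())
            for off in range(0, len(data), segment_size)]


def create_antivirus_record(file_bytes, log, rules, supported_apis, segment_size=16):
    """Run the claimed procedure end to end. Returns the new record, or None when
    no behavioral rule triggers. `supported_apis` is updated in place to model
    adding support for API calls the antivirus application did not track."""
    rule, matched = find_triggered_rule(log, rules)
    if rule is None:
        return None
    extracted = [r.api_id for r in matched]
    added_support = [a for a in extracted if a not in supported_apis]
    supported_apis.update(added_support)
    return {
        "rule": rule.name,
        "verdict": rule.verdict,
        "api_calls": extracted,
        "hash_sums": segment_hashes(file_bytes, segment_size),
        "selection_rules": {"segment_size": segment_size, "algorithm": "sha256"},
        "added_support": added_support,
    }


# Constructed sample data (not from the application): a rule for a process that
# writes a file and then launches it, and a log produced by two processes.
SAMPLE_RULES = [
    BehavioralRule("drop-and-run", "dropper",
                   ("CreateFileW", "WriteFile", "CreateProcessW")),
]
SAMPLE_LOG = [
    ApiCallRecord("RegQueryValueExW", 200, 201, ("HKCU\\Software\\Example",)),
    ApiCallRecord("CreateFileW", 100, 101, ("C:\\Temp\\payload.tmp",)),
    ApiCallRecord("GetTickCount", 100, 101, ()),
    ApiCallRecord("WriteFile", 100, 102, ("C:\\Temp\\payload.tmp", 4096)),
    ApiCallRecord("CreateProcessW", 100, 101, ("C:\\Temp\\payload.tmp",)),
]
SAMPLE_FILE = b"MZ" + bytes(range(50))   # 52 constructed bytes, 4 segments of 16
SAMPLE_SUPPORTED = {"CreateFileW", "WriteFile"}   # app does not yet track CreateProcessW


def demo():
    """Build the record for the constructed sample."""
    supported = set(SAMPLE_SUPPORTED)
    record = create_antivirus_record(SAMPLE_FILE, SAMPLE_LOG, SAMPLE_RULES, supported)
    return record, supported


if __name__ == "__main__":
    rec, supported = demo()
    print(rec["verdict"], rec["api_calls"], rec["added_support"], len(rec["hash_sums"]))
```

The rule match is confined to one process so that calls interleaved from unrelated processes (the registry read by process 200 above) cannot complete a sequence; the thread identifier is carried in each record so a stricter rule could also require the calls to share a thread.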

Reasons for Allowance
Claims 1-4, 6-12, 14-18 and 20 are allowed.

The following is an examiner’s statement of reasons for allowance:  The cited prior art references, Bian et al. (WO 2017028612 A1), Zhou et al. (CN 106295336 A), Monastyrski et al. (RU 2592383 C1), Monastyrski et al. (CN 105760787 A), Aseev et al. .

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is 571-270-7179.  Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PETER C SHAW/Primary Examiner, Art Unit 2493
January 29, 2022