DETAILED ACTION
This office action is in response to application 16/808,083, filed on March 3, 2020, and the preliminary amendment filed on May 20, 2020.
Claims 2-21 are presented for examination. Claims 3-21 are newly added. Claim 1 is cancelled.

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on May 20, 2020 were in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements were considered by the Examiner.

Allowable Subject Matter
Claims 8 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 2-7, 9-17, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Martynenko et al. (US 2011/0083176) in further view of St. Pierre et al. (US 6,959,368).

In regard to claim 2, Martynenko et al. teach a method for monitoring log data associated with a plurality of client computing devices, the method comprising: 
parsing, with a first monitoring module comprising one or more computer processors, at least a first log on a first client computing device, the first log comprising log data generated by a plurality of applications executing on the first client computing device (malware detection based on a behavior of applications running on a computer system, para. 15); 
in response to said parsing the log data stored in the first log, and based on log monitoring rules, detecting a triggering event that a computer virus has infected the first client computing device (comparing the behavior of an application against a set of rules defining a sequence of the normal system activities, para. 16, 34); 
if an event is detected, the system module makes a copy of the event for processing, para. 37); 
in response to identifying the triggering event, extracting with a second monitoring module comprising one or more computer processors, a second subset of log data from at least a second log associated with a second client computing device for storage in a second collection repository and detecting whether the second client computing device has been infected with the computer virus (using the abnormalities detection method, the behavior of a network user can also be monitored, a set of heuristic data can be created for each network user, para. 50; it is noted that the triggering event of the first client and the second client is equated to different network users using the abnormalities detection method).
Martynenko et al. does not explicitly teach but St. Pierre et al. teach performing a backup operation with one or more computer processors that copies the first and second subsets of log data stored in the first and second collection repositories to secondary storage (duplicating selected backup data from a backup medium to a logical duplication medium, fig. 2, col. 10 lines 10-48). 
It would have been obvious to modify the method of Martynenko et al. by adding the duplication of backup data taught by St. Pierre et al. A person of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to make the modification because it would provide duplicated data (col. 6 lines 1-15).

asynchronous event processing for each network client, para. 36, 50).

In regard to claim 4, Martynenko et al. teach the method of claim 2, wherein the first and second subsets of log data comprises files affected by the computer virus (a malicious object can be a Trojan, a virus, a rootkit or a worm, para. 1, use of binary files, para. 65).

In regard to claim 5, Martynenko et al. teach the method of claim 2, further comprising, in response to identifying the triggering event, and based on the log monitoring rules (comparing the behavior of an application against a set of rules defining a sequence of the normal system activities, para. 16, 34), performing a remedial action associated with the first client computing device (pass event for further processing, fig. 3, 345, para. 36).

In regard to claim 6, Martynenko et al. teach the method of claim 5, wherein the remedial action comprises at least one of the group consisting of: notifying a storage manager module of the triggering event, limiting or preventing access to at least one application of the plurality of applications, limiting or preventing access to the first client computing device, limiting or preventing access to at least one file or folder stored on the first client computing device, and notifying a user or administrator of the triggering event (if the AV check reveals a malicious nature of the event, the process that caused the event is blocked and terminated, para. 37).

if the AV check reveals a malicious nature of the event, the process that caused the event is blocked and terminated, para. 37).

In regard to claim 9, Martynenko et al. teach the method of claim 2, wherein the triggering event further includes at least one of the group consisting of: an unauthorized access, an attempted unauthorized access, a request for unauthorized access, a predetermined number of failed login attempts, an unauthorized modification of one or more files, an application error, and termination of employment of a user (malware detection based on behavior of applications running on a computer system, para. 15-16).

In regard to claim 10, Martynenko et al. teach the method of claim 2, further comprising processing of data stored in the first collection repository to audit system behavior, wherein the processing of the data is performed by a computing device other than the first client computing device (detection of malicious web sites, para. 48, detection of abnormalities in the network configurations of a corporate network including computer systems 810-850 is monitored, para. 49; it is noted that these two detection examples consist of a computer device other than the monitored computer device to perform the method described).

In regard to claim 11, Martynenko et al. teach the method of claim 2, wherein the first client computing device and the first collection repository communicate via a local area network (LAN), and the first client computing device and a storage manager module communicate via a logical connections include a local area network and a wide area network, para. 80).

In regard to claim 12, Martynenko et al. teach a system configured to monitor log data in a data storage environment, the system comprising:
at least first and second client computing devices having a plurality of applications executing thereon (malware detection based on behavior of applications running on a computer system, para. 32);
at least a first set of log monitoring rules that define one or more triggering events (set of rules defining a sequence of the normal system activities, para. 33);
at least a first log associated with the first computing device and a second log associated with the second client computing device (an algorithm of asynchronous event processing, fig. 3, para. 36-37);
at least a first monitoring module and a second monitoring module, the first and second monitoring modules comprising one or more computer processors (processing of the system event by a stream scanner, fig. 4, para. 37);
the first monitoring module configured to parse at least the first log on a first client computing device, the first log comprising log data generated by a plurality of applications executing on the first client computing device (malware detection based on a behavior of applications running on a computer system, para. 15); 
in response to parsing the log data stored in the first log, and based on log monitoring rules, the first monitoring module is configured to detect a triggering event that a computer virus comparing the behavior of an application against a set of rules defining a sequence of the normal system activities, para. 16, 34); 
in response to identifying the triggering event in the first log and based on the log monitoring rules, the first monitoring module is configured to extract, a first subset of log data from at least the first log for storage in a first collection repository that is separate from the first client computing device and stores the first subset of log data (if an event is detected, the system module makes a copy of the event for processing, para. 37); 
in response to identifying the triggering event, the second monitoring module is configured to extract a second subset of log data from at least the second log associated with the second client computing device for storage in a second collection repository and detect whether the second client computing device has been infected with the computer virus (using the abnormalities detection method, the behavior of a network user can also be monitored, a set of heuristic data can be created for each network user, para. 50; it is noted that the triggering event of the first client and the second client is equated to different network users using the abnormalities detection method).
Martynenko et al. does not explicitly teach but St. Pierre et al. teach a storage manager module comprising one or more computer processors, the storage manager module configured to direct performance of a backup operation that copies the first and second subsets of log data stored in the first and second collection repositories to secondary storage (duplicating selected backup data from a backup medium to a logical duplication medium, fig. 2, col. 10 lines 10-48). 

asynchronous event processing for each network client, para. 36, 50).

In regard to claim 14, Martynenko et al. teach the system of claim 12, wherein the first and second subsets of log data comprises files affected by the computer virus (a malicious object can be a Trojan, a virus, a rootkit or a worm, para. 1, use of binary files, para. 65).

In regard to claim 15, Martynenko et al. teach the system of claim 12, wherein the first monitoring module, in response to identifying the triggering event, and based on the log monitoring rules (comparing the behavior of an application against a set of rules defining a sequence of the normal system activities, para. 16, 34), is configured to perform a remedial action associated with the first client computing device (pass event for further processing, fig. 3, 345, para. 36).

In regard to claim 16, Martynenko et al. teach the system of claim 15, wherein the remedial action comprises at least one of the group consisting of: notifying a storage manager module of the triggering event, limiting or preventing access to at least one application of the plurality of applications, limiting or preventing access to the first client computing device, limiting or preventing access to at least one file or folder stored on the first client computing device, and notifying a user or administrator of the triggering event (if the AV check reveals a malicious nature of the event, the process that caused the event is blocked and terminated, para. 37).
if the AV check reveals a malicious nature of the event, the process that caused the event is blocked and terminated, para. 37).

In regard to claim 19, Martynenko et al. teach the system of claim 12, wherein the triggering event further includes at least one of the group consisting of: an unauthorized access, an attempted unauthorized access, a request for unauthorized access, a predetermined number of failed login attempts, an unauthorized modification of one or more files, an application error, and termination of employment of a user (malware detection based on behavior of applications running on a computer system, para. 15-16).

In regard to claim 20, Martynenko et al. teach the system of claim 12, further comprising a computing device other than the first client computing device that is configured to process data stored in the first collection repository to audit system behavior (detection of malicious web sites, para. 48, detection of abnormalities in the network configurations of a corporate network including computer systems 810-850 is monitored, para. 49; it is noted that these two detection examples consist of a computer device other than the monitored computer device to perform the method described).

In regard to claim 21, Martynenko et al. teach the system of claim 12, wherein the first client computing device and the first collection repository communicate via a local area network (LAN), and the first client computing device and the storage manager module communicate via a logical connections include a local area network and a wide area network, para. 80).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO 892.
Atluri et al. (US 2010/0280999) data persistence and consistency through filter and backup
Choy (US 2008/0183773) parses entries and backup
Fries et al. (US 2007/0283438) virus checking and replication
Neystadt et al. (US 2008/0244748) detecting compromised computer
Park et al. (US 2009/0300761) centralized malware detection
Tuvell et al. (US 2015/0347753) malware detection for mobile 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LOAN TRUONG whose telephone number is 408-918-7552.  The examiner can normally be reached on 10AM-6PM PST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Loan L.T. Truong/Primary Examiner, Art Unit 2114
Silicon Valley Regional Office
Loan.truong@uspto.gov