DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Relevant co-pending applications: 16/774577 and 16/774627

Claims 1, 2, 4, 6-8, 10, 12-14, 16 and 18 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 4-9, 11-16 and 18-21 of copending Application No. 16/774577 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims differ only with minor re-wording.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claims 1-18 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of copending Application No. 16/774627 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims differ only with minor re-wording.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.






16/774661
16/774577
16/774627
1. A data management system, comprising:
1. A data management system, comprising:
1. A data management system, comprising:
a storage appliance configured to store a snapshot of a virtual machine;
a storage appliance configured to store a snapshot of a virtual machine;

one or more processors in communication with the storage appliance, the one 



receiving a write made to the virtual machine;

a device configured to receive writes made to a virtual machine;
receiving, at the device, a write made to the virtual machine from a virtual machine host;
computing, at the storage appliance, a fingerprint of the transmitted write;
computing, outside of the virtual machine, a fingerprint of the write;
computing, at the device, a fingerprint of the transmitted write;
comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog;
comparing, outside of the virtual machine, the computed fingerprint to malware fingerprints in a malware catalog;
6. wherein the operations are performed in a device that is not hosting the virtual machine.
comparing, at the device, the computed fingerprint to malware fingerprints in a malware catalog;


repeating the computing and comparing;
repeating the computing and comparing;
disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
disabling the virtual machine if malware is detected based on a number of matches from the comparing breaching a predetermined threshold over a predetermined amount of time.
7. wherein the disabling determines if malware is present based on whether a number of matches from the comparing exceeds a predetermined threshold over a predetermined amount of time.
disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.







2. wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the predetermined threshold was breached.
2. wherein the operations further include restoring the virtual machine using a snapshot stored in a storage appliance to a state before the predetermined threshold was breached.
3. wherein the operations further include blocking writes from a source of the matches.

3. wherein the operations further include blocking writes from a source of the matches.
4. wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
4. wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
4. wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware.
5. wherein the fingerprints are computed at 4 kilobytes aligned offsets generated using SHA256.

5. wherein the computing computes fingerprints at 4 kilobytes aligned offsets.

5. wherein the operations further include repeatedly generating snapshots of the virtual machine over time.
6. wherein the operations further include repeatedly generating snapshots of the virtual machine over time.






Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-10, 12-16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sanders et al., (US Publication No. 2016/0048683), hereinafter “Sanders”, and further in view of Armstrong et al., (US Publication No. 2006/0136720), hereinafter “Armstrong”.

Regarding claims 1, 7 and 13, Sanders discloses 

receiving, at the storage appliance from a server Sanders, Abstract, paragraph 40, provided by firewall (server); determination of whether the potential malware sample matches a profile signature]; 
computing, at the storage appliance, a fingerprint of the transmitted write [Sanders, paragraph 40, provided by firewall (server); determination of whether the potential malware sample matches a profile signature]; 
comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog [Sanders, paragraph 40, provided by firewall (server); determination of whether the potential malware sample matches a profile signature];
repeating the computing and comparing [Sanders, paragraph 40, provided by firewall (server); determination of whether the potential malware sample matches a profile signature]. 

Sanders does not specifically disclose, however Armstrong teaches
a storage appliance configured to store a snapshot of a virtual machine [Armstrong, paragraph 31 snapshot]; 
hosting the virtual machine [Armstrong, paragraph 31 snapshot];
Armstrong, paragraph 31 snapshot, restore to the latest state before the virus/malware].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and if malware found on the virtual machine to install a previous version of the virtual machine before the introduction of the malware in order to protect the system and safely continue running the virtual server. 

Regarding claims 2, 8 and 14, Sanders-Armstrong further discloses
wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the predetermined threshold was breached [Armstrong, paragraph 31 snapshot, restore to the latest state before the virus/malware].

Regarding claims 3, 9 and 15, Sanders-Armstrong further discloses
wherein the operations further include blocking writes from a source of the matches [Armstrong, paragraph 31 take action to prevent the recurrence of the anomaly].

Regarding claims 4, 10 and 16, Sanders-Armstrong further discloses
Sanders, paragraph 44, binary code analysis of a sample].

Regarding claims 6, 12 and 18, Sanders-Armstrong further discloses
wherein the operations further include repeatedly generating snapshots of the virtual machine over time [Armstrong, paragraph 31 snapshot].

Claims 5, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sanders-Armstrong as applied to claims 1, 7 and 13 above, and further in view of Aronovich, (US Publication No. 2015/0019509).

Regarding claims 5, 11 and 17, Sanders-Armstrong does not specifically disclose, however Aronovich teaches 
wherein the fingerprints are computed at 4 kilobytes aligned offsets generated using SHA256 [Aronovich, paragraph 20].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use a well-known concept of SHA-256 with a 4 kilobyte size in order to use a well-known process for creating the fingerprints of signatures to ensure the security of the system.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433