DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Claims 1-20 as submitted on 8/11/20 were considered.

Information Disclosure Statement
	The IDS submitted on 8/12/20 was considered.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Probert et al (US 2005/0091214).
Claim 1:
	Butler discloses:
detecting a computer resource process running or attempting to run on an operating system (paragraphs 26, 36, 63, and 74; When Butler’s invention is running in protected mode, it detects attempts to run a new instance of an application/computer resource process and determines if that process is listed in a user’s whitelist.  Butler’s invention could also be turned off and on at different points when the OS is already running. This means that when Butler’s invention is turned off, a process that’s not on a user’s whitelist could run.  As per paragraph 74, should this happen, Butler’s invention terminates execution of all processes/applications not listed in the user’s whitelist once Butler’s program is activated and switched to protected mode); 
comparing details of the computer resource process against an authorized processes database containing details of previously run computer resources processes to determine if the computer resource process is running or attempting to run for a first time on the operating system (paragraphs 26, 36-37, 63, and 74; In protected mode, Butler’s invention, when an application/computer resource process attempts to run for the first time during a particular computing session, checks to see if the application is listed in a user’s whitelist.  If it is not, the application is prevented from running or is terminated.  As discussed above, it is also possible for an application to already be running and when Butler’s invention switches to protected mode, it compares all currently running processes to ones found in the user’s whitelist and terminates any that aren’t on the list); 
adding, during a learning mode, the details of the computer resource process to the authorized processes database when it is determined that the computer resource process is running or attempting to run for the first time on the operating system (paragraphs 9, 35, 59, and 72); and 
suspending, during a protect mode, the computer resource process from running on the operating system when it is determined that the computer resource process is 

Butler does not disclose, but Probert discloses wherein the details of the computer resource process include at least one of semaphore data, mutex data or atom data for the computer resource process (paragraphs 24-26).  Note that as defined by applicant’s specification, an atomic table is a global table available, so it appears that a named object as discussed in paragraphs 25-26 of Probert is an atom as it is a globally unique identifier.  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention using Probert’s teachings by having Butler’s whitelist identify processes on the list wherein the details of the computer resource process (in the list) include at least one of semaphore data, mutex data or atom data for the computer resource process.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 2:


Claim 3:
	Butler further discloses terminating the computer resource process (paragraph 63).

Claim 4:
	Butler further discloses generating an alert for the computer resource process, including the details of the computer resource process (paragraphs 63, 81, and 87).

Claim 5:
	Butler further discloses checking, during the protect mode, if the computing device is operating in a client-server mode; and generating an alert for the computer resource process, including the details of the computer resource process when the computing device is operating in the client-server mode (paragraphs 63, 68-69, 81; and Figure 8; Butler’s invention checks if certain types of programs are running to decide when to switch his invention to protected mode.  Such programs include an internet browser or email client.  Each of these programs turns a computer to one which operates in client-server mode as they communicate with the Internet).

Claim 6:


Claim 7:
	Butler further discloses analyzing, during the protect mode, the details of the computer resource process; and allowing, during the protect mode, the computer resource process to run on the operating system based on a result of the analysis (paragraph 63).

Claim 8:
	Butler further discloses adding, during the protected mode, the details of the computer resource process to the authorized processes database (paragraphs 70-71).  Butler’s invention has two sub-modes of the protected mode, each of which has variations which would allow new computer resource processes to be added to the whitelist even though protected mode is on.

Claim 10:
	Butler further discloses wherein the details of the computer resource process further include at least one of a process name, a file path, a cryptographic hash, or timestamp (paragraph 63 and Figure 3).



Claims 9 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Probert et al (US 2005/0091214) in further view of Challita et al (US 2018/0248896).

Claim 9:
	Butler discloses sending, during the protect mode, the details of the computer resource process to another computing device for analysis; receiving an analysis result from said another computing device (paragraph 88; Secondary protection device/system, such as a known virus/malware scanner could be used in conjunction with Butler’s invention).  
Butler does not disclose either terminating the computer resource process or allowing the computer resource process to run on the operating system based on the analysis result.  However, Challita discloses sending, during the protect mode, the details of the computer resource process to another computing device for analysis; receiving an analysis result from said another computing device; and either terminating the computer resource process or allowing the computer resource process to run on the operating system based on the analysis result (paragraphs 18, 20, and 47-48; Multiple analysis systems are used sequentially to analyze suspected ransomware and the ransomware’s process run is terminated upon detection, but the file could still be further analyzed after termination).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention to utilize 

Claim 11:
	Butler does not disclose, but Challita discloses wherein the malware comprises crypto-ransomware (paragraph 5).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention in accordance with the discussed teachings of Challita.  The rationale for why it would be obvious is that Butler does not place any restriction on the type of malware his invention protects against, thus having the malware comprise crypto-ransomware is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007). 


Claims 12, 14-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Challita et al (US 2018/0248896).

Claim 12:
	Butler discloses:
a processor running an operating system (paragraph 35); 
an authorized processes database containing details of previously run computer resources processes (paragraph 9); and 
a malware monitor configured to operate in a learning mode or a protect mode (paragraph 26), the malware monitor being arranged to: 
detect a computer resource process running or attempting to run on an operating system (paragraphs 26, 36, 63, and 74; When Butler’s invention is running in protected mode, it detects attempts to run a new instance of an application/computer resource process and determines if that process is listed in a user’s whitelist.  Butler’s invention could also be turned off and on at different points when the OS is already running. This means that when Butler’s invention is turned off, a process that’s not on a user’s whitelist could run.  As per paragraph 74, should this happen, Butler’s invention terminates execution of all processes/applications not listed in the user’s whitelist once Butler’s program is activated and switched to protected mode); 
compare details of the computer resource process against an authorized processes database containing details of previously run computer resources processes to determine if the computer resource process is running or attempting to run for a first time on the operating system (paragraphs 26, 36-37, 63, and 74; In protected mode, Butler’s invention, when an application/computer resource process attempts to run for the first time during a particular computing session, checks to see if the application is listed in a user’s whitelist.  If it is not, the application is prevented from running or is terminated.  As discussed above, it is also possible for an application to already be running and when Butler’s invention switches to protected mode, it compares all currently running processes to ones found in the user’s whitelist and terminates any that aren’t on the list); 
add, during a learning mode, the details of the computer resource process to the authorized processes database when it is determined that the computer resource process is running or attempting to run for the first time on the operating system (paragraphs 9, 35, 59, and 72); and 
suspend, during a protect mode, the computer resource process from running on the operating system when it is determined that the computer resource process is running or attempting to run for the first time on the operating system (paragraphs 74-75 and 87)

Butler does not disclose, but Challita discloses wherein the malware monitor is a ransomware monitor (abstract and paragraph 5).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention in accordance with the discussed teachings of Challita so that the malware monitor was a ransomware monitor.  The rationale for why it would be obvious is that Butler does not place any restriction on the type of malware his invention protects against, thus having the malware comprise ransomware and the malware monitor be a ransomware monitor is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007). 

Claim 14:


Claim 15:
	Butler further discloses wherein the authorized processes database includes a computing resource process whitelist (paragraph 9).

Claim 18:
	Butler further discloses an internal timer arranged to be set to a learn time value or a protect time value (paragraphs 59-60, 72, and 78).

Claim 19:
	Butler further discloses wherein the malware monitor is further arranged to: check, during the protect mode, if the computing device is operating in a client-server mode; and generate an alert for the computer resource process, including the details of the computer resource process when the computing device is operating in the client-server mode (Butler: paragraphs 63, 68-69, 81; and Figure 8; Butler’s invention checks if certain types of programs are running to decide when to switch his invention to protected mode.  Such programs include an internet browser or email client.  Each of these programs turns a computer to one which operates in client-server mode as they communicate with the Internet).  The malware monitor being a ransomware monitor was obvious over Challita’s teachings as previously discussed.

Claim 20:
	Butler discloses send, during the protect mode, the details of the computer resource process to another computing device for analysis; receive an analysis result from said another computing device (paragraph 88; Secondary protection device/system, such as a known virus/malware scanner could be used in conjunction with Butler’s invention).  
Butler does not disclose either, based on the analysis result, terminate the computer resource process or allowing the computer resource process to run on the processor.  However, Challita discloses send, during the protect mode, the details of the computer resource process to another computing device for analysis; and either, based on the analysis result, terminate the computer resource process or allowing the computer resource process to run on the processor (paragraphs 18, 20, and 47-48; Multiple analysis systems are used sequentially to analyze suspected ransomware and the ransomware’s process run is terminated upon detection, but the file could still be further analyzed after termination).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention to utilize Challita’s teachings discussed.  One skilled would have been motivated to do so because it would allow Butler’s invention to provide for not only detection, but also a mitigation solution for possible malware (Challita: paragraph 13).



Claims 13 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Challita et al (US 2018/0248896) in further view of Probert et al (US 2005/0091214).
Claim 13:
Butler does not disclose, but Probert discloses wherein the details of the computer resource process include at least one of semaphore data, mutex data or atom data for the computer resource process (paragraphs 24-26).  Note that as defined by applicant’s specification, an atomic table is a global table available, so it appears that a named object as discussed in paragraphs 25-26 of Probert is an atom as it is a globally unique identifier.  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention using Probert’s teachings by having Butler’s whitelist identify processes on the list wherein the details of the computer resource process (in the list) include at least one of semaphore data, mutex data or atom data for the computer resource process.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 16:
	Butler further discloses wherein the authorized processes database includes a process table containing a process table value for each of the previously run computer resources processes (Fig 3).
Butler does not disclose the process table is a mutex table and the process table value is a mutex value, however, these limitations are taught by Probert (paragraph 24).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention using Probert’s teachings as discussed.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 17:
	Butler further discloses wherein the authorized processes database includes a process table containing a process table value for each of the previously run computer resources processes (Fig 3).
Butler does not disclose the process table is a semaphore table and the process table value is a semaphore value, however, these limitations are taught by Probert (paragraph 24).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/PONNOREAY PICH/Primary Examiner, Art Unit 2495