DETAILED ACTION
This action is in response to the new application filed 1/28/2020 titled “Malware Protection for Virtual Machines”. Claims 1-21 were received and are under consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/9/2022 and 3/9/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of copending Application No.  (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims differ only by minor re-wording.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of copending Application No. 16/774627 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims differ only by minor re-wording.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
| 16/774577 Claim 1, 8 and 15 | 16/774661 Claim 1, 7 and 13 | 16/774627 Claim 1, 7 and 13 |
| --- | --- | --- |
| A data management system, comprising: | A data management system, comprising: | A data management system, comprising: |
| a storage appliance configured to store a snapshot of a virtual machine; | a storage appliance configured to store a snapshot of a virtual machine; | |
| one or more processors in communication with the storage appliance, the one or more processors configured to perform operations including: | one or more processors in communication with the storage appliance, the one or more processors configured to perform operations including: | one or more processors in communication with the device, the one or more processors configured to perform operations including: |
| receiving a write made to the virtual machine | receiving a write made to the virtual machine | |
| computing, outside of the virtual machine, a fingerprint of the write | computing, at the storage appliance, a fingerprint of the write; | computing, at the device, a fingerprint of the transmitted write; |
| comparing, outside of the virtual machine, the computed fingerprint to malware fingerprints in a malware catalog | comparing at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog | comparing, at the device, the computed fingerprint to malware fingerprints in a malware catalog |
| repeating the computing and comparing; | repeating the computing and comparing; | repeating the computing and comparing; |
| disabling the virtual machine if malware is detected based on a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time. | disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time. | disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time. |
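
The operations recited in the compared claims (fingerprint each write outside the virtual machine, compare against a malware catalog, repeat, and disable once matches breach a threshold within a time window) can be sketched as follows. This is an added illustration, not code from the application or the cited references; SHA-256 as the fingerprint, reading "breaches" as "exceeds", and the names `WriteMonitor`, `restore_point` and `run_demo` are all assumptions.

```python
import hashlib
from bisect import bisect_left
from collections import deque


def fingerprint(data: bytes) -> str:
    """Fingerprint of one write; SHA-256 is an assumption, the claims name no hash."""
    return hashlib.sha256(data).hexdigest()


class WriteMonitor:
    """Hypothetical monitor that runs outside the guest, e.g. on the storage appliance."""

    def __init__(self, catalog, threshold, window_seconds):
        self.catalog = frozenset(catalog)  # malware fingerprints
        self.threshold = threshold         # matches tolerated inside one window
        self.window = window_seconds
        self.hits = deque()                # timestamps of recent catalog matches
        self.breach_start = None           # first match of the breaching window

    def observe(self, ts: float, data: bytes) -> bool:
        """Process one write; return True once the VM should be disabled."""
        if self.breach_start is not None:
            return True                    # already disabled, stay disabled
        if fingerprint(data) in self.catalog:
            self.hits.append(ts)
        while self.hits and ts - self.hits[0] > self.window:
            self.hits.popleft()            # forget matches older than the window
        if len(self.hits) > self.threshold:
            self.breach_start = self.hits[0]
        return self.breach_start is not None


def restore_point(snapshot_times, breach_start):
    """Latest snapshot taken strictly before the first match of the breaching window."""
    times = sorted(snapshot_times)
    i = bisect_left(times, breach_start)
    return times[i - 1] if i else None


def run_demo():
    # Constructed sample data: byte strings standing in for write payloads.
    bad1, bad2, ok = b"constructed-bad-1", b"constructed-bad-2", b"ordinary data"
    mon = WriteMonitor({fingerprint(bad1), fingerprint(bad2)}, threshold=2, window_seconds=60)
    writes = [(0, ok), (10, bad1), (100, bad2), (120, bad1), (130, ok), (150, bad2)]
    disabled_at = next((ts for ts, data in writes if mon.observe(ts, data)), None)
    return disabled_at, restore_point([0, 60, 110, 140], mon.breach_start)
```

The isolated match at t=10 ages out of the 60-second window, so only the cluster at t=100, 120 and 150 disables the machine, and the snapshot chosen for the restore of claims 2, 9 and 16 is the last one taken before that cluster began.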



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Sanders et al (US 2016/0048683) in view of Armstrong et al (US 2006/0136720).
With respect to claims 1 (system), 8 (method) and 15 (machine-readable medium), Sanders teaches a data management system, comprising: 
a storage appliance configured to store a snapshot of a virtual machine; 
one or more processors in communication with the storage appliance, the one or more processors configured to perform operations including: 
receiving a write made to the virtual machine (see Sanders Abstract and paragraph 0040 i.e. provided by firewall (server); determination of whether the potential malware sample matches a profile signature); 
computing, outside of the virtual machine, a fingerprint of the write (Sanders paragraph 0040 i.e. In some embodiments, the profile signature can include IPS signature based information (e.g., pcap information can be used to facilitate a profile signature match using an IPS engine) as described herein with respect to various embodiments. At 412, a malware family determination of the potential malware sample is provided if there is a profile signature match, and no malware family is identified if there is no profile signature match); 
comparing, outside of the virtual machine, the computed fingerprint to malware fingerprints in a malware catalog (Sanders paragraph 0040 i.e. In some embodiments, the profile signature can include IPS signature based information (e.g., pcap information can be used to facilitate a profile signature match using an IPS engine) as described herein with respect to various embodiments. At 412, a malware family determination of 

Sanders does not specifically disclose repeating the computing and comparing and disabling the virtual machine if malware is detected based on a number of matches from the comparing breaching a predetermined threshold over a predetermined amount of time.
Armstrong discloses repeating the computing and comparing and disabling the virtual machine if malware is detected based on a number of matches from the comparing breaching a predetermined threshold over a predetermined amount of time (see Armstrong paragraph 0031 periodic snapshots, restore to the latest state before the virus/malware).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and, if malware is found on the virtual machine, to install a previous version of the virtual machine from before the introduction of the malware in order to protect the system and safely continue running the virtual server.

With respect to claims 2, 9 and 16 Sanders teaches the system of claim 1, but does not disclose wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the predetermined threshold was breached.

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and, if malware is found on the virtual machine, to install a previous version of the virtual machine from before the introduction of the malware in order to protect the system and safely continue running the virtual server.

With respect to claims 3, 10 and 17 Sanders teaches the system of claim 1, wherein the operations further include transmitting a warning to a user of the virtual machine (i.e. IT admins of such customers of the security cloud service and/or to security vendors to inform them of any detected known malware family results (e.g., feedback can be provided programmatically using application programming interfaces (APIs) or other mechanism, alerts, and/or notifications can be provided using e-mail, text messaging, voice communications, and/or other notification techniques), so that appropriate responses can be implemented by such security vendor(s) and/or security devices and/or such customers (e.g., if malware associated with the Zeus family is detected, then a customer may implement a more aggressive IT/security response)).




With respect to claims 5, 12 and 19 Sanders teaches the system of claim 1, but does not disclose wherein the operations further include repeatedly generating snapshots of the virtual machine over time.
Armstrong teaches wherein the operations further include repeatedly generating snapshots of the virtual machine over time (See Armstrong paragraph 0031 i.e. snapshot).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and, if malware is found on the virtual machine, to install a previous version of the virtual machine from before the introduction of the malware in order to protect the system and safely continue running the virtual server.

With respect to claims 6, 13 and 20, Sanders teaches the system of claim 1, wherein the operations are performed in a device that is not hosting the virtual machine (see Sanders Abstract and paragraph 0040 i.e. provided by firewall (server)).


Armstrong teaches wherein the disabling determines if malware is present based on whether a number of matches from the comparing exceeds a predetermined threshold over a predetermined amount of time (see Armstrong paragraph 0057 i.e. FIG. 5 provides an example of an offline scanning routine 500 facilitated by a supervisory process that controls a set of security applications (e.g., antivirus software) configured to perform offline scanning and repair of a virtual machine running on the host system. At block 501 the routine 500 retrieves a period snapshot of the running virtual machine's current state. At block 502, the routine scans the retrieved periodic snapshot. At decision block 503, if a problem is detected, the routine proceeds to block 504, where the routine notifies the running virtual machine of the problem or, alternatively, instructs the virtual machine to roll back to a last saved state before the problem occurred. If at decision block 503, the routine 500 does not detect a problem, the routine loops back to block 501 to retrieve the next periodic snapshot).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and, if malware is found on the virtual machine, to install a previous version of the virtual machine from before the introduction of the malware in order to protect the system and safely continue running the virtual server.

Prior Art
	Chakraborty et al (US 9,740,577) titled “Backing Up A Virtual Machine And Restoring From A Synthetic Full Backup” teaches a first backup check point corresponding to the full backup is created. After the full backup, a second backup check point is created. The agent issues to the VMMS a request to export changes to the VM between the first and second backup check points. An incremental backup of the exported changes is performed and a backup components document is created. A synthetic full backup based on the incremental and full backups is created and restoration of the VM from the synthetic full backup is based on the information in the backup components document.
	Derbeko et al (US 10,536,471) titled “Malware Detection In Virtual Machines” teaches a system, computer program product, and computer-executable method of detecting malware in a virtual machine (VM), the computer-executable method comprising periodically creating snapshots of the VM, analyzing each of the snapshots in comparison to one or more previous snapshots to determine whether anomalies exist, and based on a threshold amount of anomalies detected, scanning the VM to determine whether malware is detected.
	Field et al (US 2009/0007100) titled “Suspending A Running Operating System To Enable Security Scanning” teaches monitoring of virtual machine 112(1), virtual machine monitor 108 and/or host 110 may suspend operating system 114 to capture a state or snapshot of the operating system and of corresponding virtual machine 112(1). This state or snapshot may then be inspected for malware 120 or may be used for other 
	Wang et al (US 2009/0089879) titled “SECURING ANTI-VIRUS SOFTWARE WITH VIRTUALIZATION” teaches Checker component 310 periodically retains a snapshot of a virtual disk or file system of guest virtual machine 120. For example, checker component 310 utilizes copy-on-write disks to efficiently generate snapshots. After taking the snapshot, checker component 310 verifies whether the snapshot is consistent with the sequence of file system operations logged in append-only log 220 between the newest snapshot and the previous snapshot retained. For example, checker component 310 can create a virtual disk from the previous snapshot and replay the logged operations since that snapshot to produce a resultant state of the virtual disk. The resultant virtual disk is compared to the most recent snapshot at the file system level.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492