DETAILED ACTION

Corrected Notice of Allowability
This action is issued to correct several informalities in the claim language and punctuation.

EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner's amendment was given in an interview with Kenneth Kwan on 3-30-2022.

The application has been amended as follows: 

presenting, by a processing system including at least one processor and implementing a protection application, a user interface that enables user selection of files, drives, and drive partitions to be protected by the protection application and enables user selection of trusted users permitted to modify protected files; 

receiving, by the processing system and via the user interface, a first user designation of a plurality of files and at least one drive or drive partition to be protected by the protection application and a second user designation of a plurality of trusted users; 

detecting, by  the processing system, a read operation of a file during an initial accessing of the file;

responsive to the detecting the read operation of the file, determining, by the processing system, whether there is an indication of a ransomware attack by identifying whether the file is included in the plurality of files to be protected by the protection application and whether the initial accessing of the file is performed by any of [[of]] the plurality of trusted users; 

generating, by the processing system, a reference copy of the file in response to a determination that there is the indication of the ransomware attack in a case of   identifying that the file is included in the plurality of files to be protected by the protection application and when   the initial accessing of the file is not performed by any of the plurality of trusted users; 

allocating, by the processing system, a designated storage location, wherein the designated storage location is accessible only by the protection application so that no unauthorized code or device can access files stored in the designated storage location; 

[Appln. No 16/584,284, Page 3 of 22, Reply to Non-Final Office Action of December 22, 2021, Docket No. 2019-0034_7785-2709A]

storing, by the processing system and in response to the indication of the ransomware attack, the reference copy of the file in the designated storage location for recovery of the reference copy by the protection application after any unauthorized manipulation or alteration of the file; 

further detecting, by the processing system and based on the detecting of the initial accessing of the file, that the file is no longer being accessed; 

applying, by the processing system, a checksum operation to the file to generate a checksum in response to the further detecting that the file is no longer being accessed; 

determining, by the processing system, that the checksum does not match an expected checksum for the file and thereby that the indication of the ransomware attack comprises an actual ransomware attack;

generating, by the processing system, an alert of the actual ransomware attack in response to the determining that the checksum does not match the expected checksum, wherein the generating the reference copy of the file enables protection against the ransomware attack; and 

thwarting the actual ransomware attack by retrieving the reference copy of the file from the designated storage location, resulting in a retrieved reference copy, and by overwriting the file with the retrieved reference copy.

presenting a user interface that enables user selection of files, drives, and drive partitions to be protected by the protection application and enables user selection of trusted users permitted to modify protected files;
receiving, via the user interface, a first user designation of a plurality of files and at least one drive or drive partition to be protected by the protection application and a second user designation of a plurality of trusted users;
detecting a read operation of a file during an initial accessing of the file[[,]];
responsive to the detecting the read operation of the file, determining whether there is an indication of a ransomware attack by identifying whether the file is included in the plurality of files to be protected by the protection application and whether the initial accessing of the file is performed by any of the plurality of trusted users;
generating a reference copy of the file in response to a determination that there is the indication of the ransomware attack based on identifying that the file is included in the plurality of files to be protected by the protection application and when the initial accessing of the file is not performed by any of the plurality of trusted users;
allocating a designated storage location, wherein the designated storage location is accessible only by the protection application so that no unauthorized code or device can access files stored in the designated storage location; 
storing, in response to the indication of the ransomware attack, the reference copy of the file in the designated storage location for recovery of the reference copy by the protection application after an unauthorized manipulation or alteration of the file;
further detecting the file is no longer being accessed;
applying a checksum operation to the file to generate a checksum in response to further detecting completion of the accessing of the file;
determining that the checksum does not match an expected checksum for the file and thereby that the indication of the ransomware attack comprises an actual ransomware attack;
generating an alert of the actual ransomware attack in response to the determining that the checksum does not match the expected checksum, wherein the generating the reference copy of the file enables protection against the ransomware attack; and
thwarting the actual ransomware attack by retrieving the reference copy of the file from the designated storage location, resulting in a retrieved reference copy, and by overwriting the file with the retrieved reference copy.

a processing system including at least one processor; and
a computer-readable medium storing instructions which, when executed by the processing system, cause the processing system to perform operations including implementing a protection application, the operations comprising:
presenting a user interface that enables user selection of files, drives, and drive partitions to be protected by the protection application and enables user selection of trusted users permitted to modify protected files;
receiving, via the user interface, a first user designation of a plurality of files and at least one drive or drive partition to be protected by the protection application and a second user designation of a plurality of trusted users;
detecting a read operation of a file during an initial accessing of the file[[,]];
responsive to the detecting the read operation of the file, determining whether there is an indication of a ransomware attack by identifying whether the file is included in the plurality of files to be protected by the protection application and whether the initial accessing of the file is performed by any of the plurality of trusted users;
generating a reference copy of the file in response to a determination that there is the indication of the ransomware attack based on identifying that the file is included in the plurality of files to be protected by the protection application and when the initial accessing of the file is not performed by any of the plurality of trusted users;
allocating a designated storage location, wherein the designated storage location is accessible only by the protection application so that no unauthorized code or device can access files stored in the designated storage location; 
storing, in response to the indication of the ransomware attack, the reference copy of the file in the designated storage location for recovery of the reference copy by the protection application after an unauthorized manipulation or alteration of the file;
further detecting the file is no longer being accessed;
applying a checksum operation to the file to generate a checksum in response to further detecting completion of the accessing of the file;
determining that the checksum does not match an expected checksum for the file and thereby that the indication of the ransomware attack comprises an actual ransomware attack;
generating an alert of the actual ransomware attack in response to the determining that the checksum does not match the expected checksum, wherein the generating the reference copy of the file enables protection against the ransomware attack; and
thwarting the actual ransomware attack by retrieving the reference copy of the file from the designated storage location, resulting in a retrieved reference copy, and by overwriting the file with the retrieved reference copy.
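The following is an added worked example and is not part of the application or of this Office Action; it models the flow recited in the method, computer-readable-medium and system claims above (protected-file and trusted-user designations, reference copy taken on an untrusted initial read, checksum comparison once the file is no longer accessed, alert and overwrite from the reference copy). The class and function names (ProtectionApp, on_read, on_release, run_scenario), the in-memory file system and vault, the use of SHA-256 as the checksum operation, the treatment of a deleted file as altered, and the discarding of the reference copy after a clean release are all assumptions of this example, not features stated in the claims.

```python
"""Added example: a minimal model of the claimed ransomware protection flow.

The file system and the 'designated storage location' are plain dicts here
(constructed data). A real deployment must make the vault reachable only by
the protection application, e.g. via a filter driver or a separate volume with
restrictive ACLs; this in-memory model does not enforce that.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    # Assumed checksum operation; the claims do not name an algorithm.
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProtectionApp:
    protected: set[str]          # first user designation: files and drives/partitions
    trusted_users: set[str]      # second user designation: users allowed to modify
    fs: dict[str, bytes]         # simulated file system, path -> contents
    vault: dict[str, bytes] = field(default_factory=dict)   # designated storage location
    expected: dict[str, str] = field(default_factory=dict)  # path -> checksum at initial read
    alerts: list[str] = field(default_factory=list)

    def is_protected(self, path: str) -> bool:
        # An entry ending in '/' is a drive or partition: everything under it is protected.
        for entry in self.protected:
            if entry.endswith("/") and path.startswith(entry):
                return True
        return path in self.protected

    def on_read(self, path: str, user: str) -> bool:
        """Initial access of `path` by `user`.

        Returns True when there is an indication of a ransomware attack, i.e. the
        file is protected and the accessing user is not a trusted user. In that
        case a reference copy is stored in the vault before anything can alter it.
        """
        if not self.is_protected(path) or user in self.trusted_users:
            return False
        data = self.fs[path]
        self.vault[path] = data
        self.expected[path] = sha256(data)
        return True

    def on_release(self, path: str) -> str | None:
        """File is no longer being accessed.

        Returns None if no indication was recorded for this access, 'clean' if the
        checksum still matches, or 'restored' if a mismatch marked an actual attack
        and the file was overwritten with the reference copy.
        """
        expected = self.expected.pop(path, None)
        if expected is None:
            return None
        current = self.fs.get(path)                     # assumption: a deleted file is treated as altered
        if current is not None and sha256(current) == expected:
            del self.vault[path]                        # assumption: benign access, copy discarded
            return "clean"
        self.alerts.append(f"actual ransomware attack on {path}: checksum mismatch")
        self.fs[path] = self.vault[path]                # thwart: overwrite with the reference copy
        return "restored"


def run_scenario() -> dict:
    """Constructed walk-through of the four cases a practitioner would want to see."""
    fs = {
        "/data/report.docx": b"Q3 revenue: 4.2M",
        "/home/bob/notes.txt": b"call supplier",
        "/tmp/cache.bin": b"\x00\x01",
    }
    app = ProtectionApp(protected={"/data/", "/home/bob/notes.txt"},
                        trusted_users={"bob"}, fs=fs)
    out = {}

    # Trusted user edits a protected file: no indication, no copy, the edit is kept.
    flagged = app.on_read("/data/report.docx", "bob")
    fs["/data/report.docx"] = b"Q3 revenue: 4.4M"
    out["trusted_edit"] = (flagged, app.on_release("/data/report.docx"), fs["/data/report.docx"])

    # Untrusted process only reads: indication raised, checksum unchanged at release.
    flagged = app.on_read("/data/report.docx", "svc-indexer")
    out["untrusted_read"] = (flagged, app.on_release("/data/report.docx"))

    # Untrusted process encrypts the file in place: mismatch at release, file rolled back.
    flagged = app.on_read("/home/bob/notes.txt", "unknown-proc")
    fs["/home/bob/notes.txt"] = b"\x8f\x1c\xaa\x07LOCKED"
    out["attack"] = (flagged, app.on_release("/home/bob/notes.txt"), fs["/home/bob/notes.txt"])

    # Unprotected file: nothing happens regardless of who touches it.
    out["unprotected"] = (app.on_read("/tmp/cache.bin", "unknown-proc"),
                          app.on_release("/tmp/cache.bin"))

    out["alerts"] = list(app.alerts)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

Two points the model makes visible. First, the decision to take a reference copy is keyed on user identity, so ransomware executing under a trusted user's account passes the check at the initial read and no copy exists to restore from; a deployment would normally combine the user designation with process identity or an application allowlist. Second, the mismatch is only evaluated once the file is no longer being accessed, so the reference copy, not the checksum, is what makes recovery possible.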
Allowable Subject Matter

Claims 1-14 and 17-22 are allowed.

The following is an examiner's statement of reasons for allowance: 
YAVO et al (US 2019/0347415) discloses in [0075] that files 202B are monitored to detect an access or overwrite request.  In [0081], YAVO discloses a GUI to designate particular files as protected files. In [0086], YAVO discloses a safelist of applications that are allowed to overwrite a file.

Patton et al (US 9734337) discloses in C6 4-13 and 54-60 that a read operation may be a weak indicator of ransomware, whereas a particular combination of behaviors may be considered a strong indicator of ransomware.

Chung et al (10,007,795) discloses in C4 1-10 that a file may be identified as protected by consulting the DPH list.  In C4 54-67, Chung discloses a program whitelist of programs that are allowed to access protected documents.  In C4 65-C5 10, Chung discloses that a user may launch a whitelisted program to access a protected document, and that malware the user may inadvertently launch, not being included in the program whitelist, will be prevented from accessing protected documents.

McGregor et al (US 2020/0082074) discloses in [0007] protecting a file against ransomware by requiring a user who requests to modify a file to present an authentication token.  Upon successful authentication, the user is allowed to modify the file.

Satpathy et al (US 2019/0266327) discloses in [0070] that analyzer 410 detects a file system read and may determine the presence of ransomware.

ANIMIREDDYGARI et al (US 2019/0188380) discloses in Fig 3 that a restoration copy of a protected file is created based on the detection of a write operation and that the restoration copy is restored to the system on a later determination that the write operation was performed by malware.  See also [0044].

Roguine et al (US 2017/0364681) discloses in Fig 1 that user authorization is requested to allow or deny the overwriting of a file with an encrypted copy of the file when the system detects that the encrypted copy is being used to overwrite the file.

responsive to the detecting the read operation of the file, determining, by the processing system, whether there is an indication of a ransomware attack by identifying whether the file is included in the plurality of files to be protected by the protection application and whether the initial accessing of the file is performed by any of the plurality of trusted users; 

generating, by the processing system, a reference copy of the file in response to a determination that there is the indication of the ransomware attack in a case of identifying that the file is included in the plurality of files to be protected by the protection application and when the initial accessing of the file is not performed by any of the plurality of trusted users; 

The prior art teaches several embodiments of creating a reference copy of a file to be restored when a ransomware attack is detected.  Applicant's invention is distinguished in that the ransomware attack detection includes detecting a read operation by a user who is not a trusted user.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached at 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RICHARD A MCCOY/Examiner, Art Unit 2431