DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The rejection of claim 7 under 35 U.S.C. 112(b) is hereby withdrawn by the Examiner. 
Applicant’s amendments to claim have overcome the previous grounds of the rejection.  The previous grounds of the rejection have been withdrawn, claims 1-8 are now in conditions for allowance. 
Applicant’s arguments with respect to the amendments in claims 9 and 14 has been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 9, 11-15 are rejected under 35 U.S.C. 103 as being unpatentable over Richard et al, U.S. Patent 8,635,700 in view of Topan et al, U.S. Patent 8,584,235.



As per claim 9, it is taught by Richard et al of a processing apparatus comprising:
a server device (col. 2, lines 33-35) comprising:
a data receiving module to receive a record of client event which occurred on, and was transmitted from, a client device, wherein the client event is associated with malicious action at the client device (having a file analyzed to determine if it potentially includes malware, col. 2, lines 35-40); and
an event analytics (analysis) module uses data corresponding to the client event which occurred on the client device, wherein the data is shared by the server device and the client device and includes content expected of the record received by the data receiving module (col. 2, lines 35-44), wherein the event analytics module is further to compare the data with the record received by the data receiving module, to issue an alert if at least a portion of the data is not found in the record received by the data receiving module, and to remove or change the record (col. 10, lines 5-9) received by the data receiving module if at least the portion of the data is found in the record received by the data receiving module (col. 2, lines 35-44 and col. 4, line 50 through col. 5, line 10).
The teachings of Richards fail to disclose of generating data on the server side, more specifically fails to disclose wherein the data is generated using information shared by the server device and the client device and includes content expected of the record received by the data receiving module, wherein comparing the generated data with the record received by the data receiving module.
 Topan et al teaches of generating the data (computes hashing information used for a server-side identifier) using information shared by the server device and the client device and includes content expected of the record received by the data receiving module, wherein comparing the generated data with the record received by the data receiving module (col. 2, lines 15-37 and col. 14, lines 7-22).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated for a server to generate data on the server side that which is used for comparison of received data to determine if there exists matches or discrepancies which are used to determine if malware exists.  The teachings of Topan et al disclose of the need to determine if similarities exist in reference to client side generated hashes, whereby newly detected malware and new legitimate software portions can be determined using server side analysis that evolves over time easing the processing burden on the client side (col. 15, lines 46-55).  It is obvious that the teachings of Topan et al offer additional benefits to the teachings of Richards et al by using server side analysis to compensate for newly evolved malware patterns that the client may not be able to detect. 
As per claim 11, it disclosed by Richard et al wherein the client event comprises at least one of: downloading a file, creating a file, running malware, running blacklisted code or non-whitelisted code, updating a signature list, updating a root certificate list, installing a new piece of software, disabling or changing at least one security checking function; disabling or change at least one security setting (col. 2, lines 37-46).
As per claim 12, it is taught by Richard et al wherein
 the event analytics (analysis) module (col. 2, lines 35-44) comprises:
an event generating module processing at the server event data, wherein data corresponding to the client event which occurred on the client device (col. 2, lines 35-44).
The teachings of Richards et al fails to disclose an event generating module to generate server event, wherein generating data corresponding to the client event which occurred on the client device comprises generating the server event at the event generating module. 
Topan et al disclose of generating server event data, wherein generating data corresponding to the client event which occurred on the client device comprises generating the server event at the event generating module (col. 2, lines 15-37 and col. 14, lines 7-22).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated for a server to generate data on the server side that which is used for comparison of received data to determine if there exists matches or discrepancies which are used to determine if malware exists.  The teachings of Topan et al disclose of the need to determine if similarities exist in reference to client side generated hashes, whereby newly detected malware and new legitimate software portions can be determined using server side analysis that evolves over time easing the processing burden on the client side (col. 15, lines 46-55).  It is obvious that the teachings of Topan et al offer additional benefits to the teachings of Richards et al by using server side analysis to compensate for newly evolved malware patterns that the client may not be able to detect.
As per claim 13, it is disclosed by Richard et al wherein the event analytics module comprises: a statistics module to generate statistics associated with the received record (col. 4, lines 46-49).
As per claim 14, it is taught by Richard et al of a non-transitory machine-readable storage medium, encoded with instructions executable by a processor, the machine-readable storage medium comprising instructions to cause the processor to:
receive from a client device a record of an event associated with a malicious action (having a file analyzed to determine if it potentially includes malware, col. 2, lines 35-40);
data corresponding to the event using information shared with the client device, wherein the data includes content expected of the record (col. 2, lines 35-44); and
compare the data with the record, issue an alert if at least a portion of the data is not found in the record, and remove or change the record (col. 10, lines 5-9) if at least a portion of the data is found in the record, wherein the data includes content expected of the record (col. 4, line 50 through col. 5, line 10).
The teachings of Richard et al fail to disclose of the server generating data corresponding to the event using information shared with the client device; and compare the generated data with the record, issue an alert if at least a portion of the generated data is not found in the record.
Topan et al teaches that the server generates data (computes hashing information used for a server-side identifier) corresponding to the event using information shared with the client device; and compare the generated data with the record, issue an alert if at least a portion of the generated data is not found in the record (col. 2, lines 15-37 and col. 14, lines 7-22).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to have been motivated for a server to generate data on the server side that which is used for comparison of received data to determine if there exists matches or discrepancies which are used to determine if malware exists.  The teachings of Topan et al disclose of the need to determine if similarities exist in reference to client side generated hashes, whereby newly detected malware and new legitimate software portions can be determined using server side analysis that evolves over time easing the processing burden on the client side (col. 15, lines 46-55).  It is obvious that the teachings of Topan et al offer additional benefits to the teachings of Richards et al by using server side analysis to compensate for newly evolved malware patterns that the client may not be able to detect.
As per claim 15, it is disclosed wherein the event comprises at least one of: downloading a file, creating a file, running malware, running blacklisted code or non-whitelisted code, updating a signature list, updating a root certificate list, installing a new piece of software, disabling or changing at least one security checking function; disabling or change at least one security setting (col. 2, lines 37-46).

Allowable Subject Matter
Claims 1-4 and 6-8 are allowed.
Claim 16 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Khoruzhenko et al, U.S. Patent 9,846,584 is relied upon for disclosing of a server determines if files have been tampered with, then causes files to be updated, repaired, or replaced, see column 6, lines 12-19.
Mortensen et al, U.S. Patent 10,831,506 is relied upon for disclosing a remediation server determines if resources of a computer system have been tampered with, then repairs or replaces them, see column 6, lines 34-47.
Kleczynski, US 2015/0172304 is relied upon for disclosing of determining if a file retrieved from a cloud backup server is malware, then taking necessary precautions on the computing device, see paragraph 0009.
Lyons, U.S. Patent 10,375,050 is relied upon for disclosing of comparison of a server generated hash with a client generated hash to determine if an image file has been tampered with, see column 7, lines 49-61.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431