DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Applicant’s amendment filed 10 March 2022 amends claims 8 and 16. Applicant’s amendment has been fully considered and entered.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-15 of U.S. Patent No. 10,867,043. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘043 patent include all the limitations of the instant claims.
Instant Application
US Patent No. 10,867,043
calculating a first hash of a portion of the file; (Claim 1)
synchronously calculating a first hash of a portion of the file; (Claim 1)
searching for the first hash in a local database that contains a verdict cache containing hashes of known malicious files and trusted files; (Claim 1)
synchronously searching for the first hash in a verdict cache containing hashes of known malicious files; (Claim 1)
the local database further containing decisions on malicious files and trusted files. (Claim 2)
when the first hash is found in the verdict cache and the first hash indicates that the file is malicious, calculating a second hash of the file, searching for the second hash in the verdict cache and/or a remote server, and pronouncing a final decision as to a harmfulness or safety of the file based on the results of the search; (Claim 1)
when the first hash is found in the verdict cache, synchronously calculating a second hash of the file, synchronously searching for the second hash in the verdict cache and/or a remote server, and pronouncing a final decision as to a harmfulness or safety of the file based on the results of the synchronous search; (Claim 1)
and when either the first hash is not found in the verdict cache or the first hash is found in the verdict cache and indicates that the file is a trusted file, granting access to the file, calculating a second hash of the file, generating a request for information about the file including at least an indication as to harmfulness of the file, sending the request to a remote server to search for the second hash in a verdict cache of the remote server, and pronouncing a decision as to harmfulness or safety of the file based on results of the search received from the remote server in response to the request. (Claim 1)
and when the first hash is not found in the verdict cache, granting access to the file, asynchronously calculating a second hash of the file…asynchronously generating a request for the information about the file including at least an indication as to harmfulness of the file, sending the request to the remote server to asynchronously search for the second hash in a verdict cache of the remote server, and pronouncing a decision as to harmfulness or safety of the file based on the results of the asynchronous search. (Claim 1)


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 4, 10, 12, 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claims 2 and 10 recite “the second hash”, in line 2, which renders the claims indefinite because independent claims 1 and 9, include recitations of two separate recitations of “a second hash” (Claim 1 on lines 6 and 10-11; Claim 9 on lines 8 and 13). Therefore, it is generally unclear to which “second hash” is being referred.
Referring to claims 4, 12, and 18, the claims include a recitation of “the second hash”, which renders the claims indefinite for the same rationale presented above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 7, 8-12, 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kailash, U.S. Patent No. 8,607,066, in view of Nachenberg, U.S. Patent No. 9,202,050. Referring to claims 1, 9, 17, Kailash discloses a content inspection system that includes a processor (Col. 18, line 5) and wherein a request for a content file is received by a content analyzer (Col. 11, lines 21-26) such that the file is received by the content analyzer and stored in a buffer (Col. 11, lines 48-49 & Figure 3), which meets the limitation of at least one processor. A hash signature (Col. 8 lines, 4-5: MD5 is a hash) is generated for a file segment in the buffer (Col. 11, lines 49-51), which meets the limitation of calculating a first hash of a portion of the file. The hash signature is compared with signatures generated from the segments of known trustworthy content items such that the hash signatures of known trustworthy segments are stored locally in threat data storage 114 (Col. 6, lines 23-26), and if the signature matches one of the trustworthy segment signatures, the corresponding segment is forwarded to the client (Col. 11, lines 52-60: finding a signature match in a list of known good files would represent a positive determination that the signature is not found in a list of bad files since the signature would not be in both lists), which meets the limitation of searching for the first hash in a local database that contains a verdict cache containing hashes of known [malicious files and] trusted files, when the first hash is found in the verdict cache and indicates that the file is a trusted file, granted access to the file. After forwarding the segment, a determination is made if additional segments of the file are stored in the buffer (Col. 12, lines 1-2). If additional file segments are stored in the buffer, a hash signature (Col. 8 lines, 4-5: MD5 is a hash) is generated for the next segment (Col. 12, lines 3-7), which meets the limitation of calculating a second hash of the file, generating a request for the information about the file including at least an indication as to harmfulness of the file. The additional file segment signature is then compared with signatures generated from the segments of known trustworthy content items such that if the signature matches one of the trustworthy segment signatures, the corresponding segment is forwarded to the client (Figure 4b & Col. 11, lines 52-60), which meets the limitation of [sending the request to a remote server to] search for the second hash in the verdict cache [of the remote server]. If no additional file segments are included in the buffer (Col. 12, lines 7-9) and the content has passed inspection, the file is considered to not contain malware (Col. 12, lines 14-17), which meets the limitation of pronouncing a decision as the harmfulness or safety of the file based on the results of the search [received from the remote server in response to the request]. The signatures of known trustworthy segment signatures can be stored locally in a threat data storage 114 (Col. 6, lines 23-26) and that trustworthy signature information also stored remotely in master threat storage (Col. 6, lines 56-58 & Col. 6, line 66 – Col. 7, line 2), which meets the limitation of a verdict cache located on a remote server.
Kailash does not explicitly disclose that the additional file segment signatures are sent to a remote server for comparison against the threat data storage. However, Kailash discloses that the threat data storage can be stored at a plurality of distributed processing nodes that are monitored by an authority node (Col. 6, lines 56-58 & Col. 6, line 66 – Col. 7, line 2) such that each of the plurality of distributed processing nodes are utilized to compare file segment signatures against the threat data storage system (Col. 6, lines 23-26 & Col. 6, line 67 – Col. 7, line 10), which meets the limitation of sending the request to a remote server to search for the second hash in a verdict cache of the remote server, results of the search received from the remote server in response to the request. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the additional file segment signatures to have been transmitted to a remote processing node for comparison against the threat data storage in order provide load balancing performance benefits as discussed in Kailash (Col. 7, lines 3-10).
Kailash does not disclose comparing the segment signatures with signatures of known malicious content. Nachenberg discloses generating a fingerprint of a first portion of a file (Col. 4, lines 60-63 & Col. 6, lines 29-32) and comparing that fingerprint to a list of known malicious and finding a match (Col. 7, lines 4-9), which meets the limitation searching for the first hash in a local database that contains a verdict cache containing hashes of known malicious files. Another hash of the file is generated based on an additional portion of the file (Col. 8, lines 3-7: an additional hash of the file…based at least in part on the part of the file excluded in the generation of the initial fingerprint) such that the new hash is also compared to the list of malicious files to determine a match (Col. 8, lines 32-39), which meets the limitation of calculating a second hash of the file, searching for the second hash in the verdict cache and/or a remote server. If a match is found the file is determine to be malicious (Col. 8, lines 45-58), which meets the limitation of pronouncing a final decision as to a harmfulness or safety of the file based on the results of the search. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash to have additionally compared each segment signature against a list of known malicious files in the manner described in Nachenberg in order to provide accurate identification of malicious files quickly and with fewer resources utilized as suggested by Nachenberg (Col. 3, lines 52-54).
Referring to claims 2, 10, Kailash does not disclose comparing the segment signatures with signatures of known malicious content. Nachenberg discloses generating a fingerprint of a first portion of a file (Col. 4, lines 60-63 & Col. 6, lines 29-32) and comparing that fingerprint to a list of known malicious and finding a match (Col. 7, lines 4-9). Another hash of the file is generated based on the complete file (Col. 8, lines 8-12, 21-24: generate the additional hash by generating a complete hash of the file), which meets the limitation of wherein the second hash is calculated based on all portions of the file. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash to have additionally compared each segment signature against a list of known malicious files in the manner described in Nachenberg in order to provide accurate identification of malicious files as suggested by Nachenberg (Col. 3, lines 52-54).
Referring to claims 3, 11, Kailash discloses that the signature generator will generate the partial signatures for each segment differently depending on the type of content (Col. 8, lines 45-67 & Col. 9, lines 13-24: web pages will have segments of increasing length while audio/video will have segments of decreasing length such that the type of content would be considered the claimed metadata), which meets the limitation of wherein the portion of the file used for calculating the first hash is selected based on a predetermined criteria, the predetermined criteria being base on at least metadata of the file.
Referring to claims 4, 12, 18, Kailash discloses that the additional file segment signature is then compared with signatures generated from the segments of known trustworthy content items that is locally stored (Col. 6, lines 23-26) such that if the signature matches one of the trustworthy segment signatures, the corresponding segment is forwarded to the client (Figure 4b & Col. 3, line 59 – Col. 4, line 3 & Col. 5, lines 53-60 & Col. 11, lines 52-60: comparison of the file signatures effectively acts as a virus scanner since the signature comparison is utilized to identify viruses), which meets the limitation of performing an antivirus scanning of the file based on the second hash with the local database. 
Referring to claims 7, 15, Kailash discloses that the processing node that forwards the content to the user (Col. 11, line 18-60) also stores a local copy of the threat data (Col. 6, lines 23-26 & Figure 2, 114), which meets the limitation of wherein the local database is located on a same computing device performing the granting of access to the file.
Referring to claims 8, 16, Kailash discloses a content inspection system that includes a processor (Col. 18, line 5) and wherein a request for a content file is received by a content analyzer (Col. 11, lines 21-26: analyzed content is stored and buffer and not being executed; analysis performed on buffered content would be considered synchronous analysis as defined by Applicant’s specification [0007] since the buffered content is not being executed) such that the file is received by the content analyzer, stored in a buffer (Col. 11, lines 48-49 & Figure 3), and a hash signature (Col. 8 lines, 4-5: MD5 is a hash) is generated for a file segment in the buffer (Col. 11, lines 49-51), which meets the limitation of wherein the calculating of the first hash of the portion of the file is performed synchronously. The signature is compared with locally stored (Col. 6, lines 23-26: local storage reads on the claimed local database that contains the verdict cache) signatures generated from the segments of known trustworthy content items such that if the signature matches one of the trustworthy segment signatures, the corresponding segment is forwarded to the client (Col. 11, lines 52-60: finding a signature match in a list of known good files would represent a positive determination that the signature is not found in a list of bad files since the signature would not be in both lists), which meets the limitation of the searching for the first hash in the local database that contains the verdict cache is performed synchronously, when the first hash is found in the verdict cache and the first hash indicates that the file is [malicious]. A determination is made if additional segments of the file are stored in the buffer (Col. 12, lines 1-2). If additional file segments are stored in the buffer, a hash signature (Col. 8 lines, 4-5: MD5 is a hash) is generated for the next segment (Col. 12, lines 3-7), which meets the limitation of the calculating of the second hash of the file is performed synchronously. The additional file segment signature is then compared with signatures generated from the segments of known trustworthy content items (Figure 4b & Col. 11, lines 52-60), which meets the limitation of the search for the second hash in the verdict cache is performed synchronously. The signature is compared with signatures generated from the segments of known trustworthy content items such that if the signature matches one of the trustworthy segment signatures, the corresponding segment is forwarded to the client (Col. 11, lines 52-60: content segment received by user and is accessible to the user; content analysis performed while the content is accessible to the user would be considered asynchronous analysis as defined by Applicant’s specification [0007]) and subsequent to the segment forwarding, hash signature are generated for the additional file segments stored in the buffer (Col. 8, lines 4-5 & Col. 12, lines 3-7), which meets the limitation of when either the first hash is not found in the verdict case or the hash is found in the verdict cache and indicates that the file is a trusted file, the calculating of the second hash of the file, the generating a request for information about the file including at least an indication as the harmfulness of the file, [and the sending the request to a remote server to search for the second hash in a verdict cache of the remote server] are performed asynchronously.
Kailash does not explicitly disclose that the additional file segment signatures are sent to a remote server for comparison against the threat data storage. However, Kailash discloses that the threat data storage can be stored at a plurality of distributed processing nodes that are monitored by an authority node (Col. 6, lines 56-58 & Col. 6, line 66 – Col. 7, line 2) such that each of the plurality of distributed processing nodes are utilized to compare file segment signatures against the threat data storage system (Col. 6, lines 23-26 & Col. 6, line 67 – Col. 7, line 10), which meets the limitation of sending the request to a remote server to search for the second hash in a verdict cache of the remote server. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the additional file segment signatures to have been transmitted to a remote processing node for comparison against the threat data storage in order provide load balancing performance benefits as discussed in Kailash (Col. 7, lines 3-10).
Kailash does not disclose comparing the segment signatures with signatures of known malicious content. Nachenberg discloses generating a fingerprint of a first portion of a file (Col. 4, lines 60-63 & Col. 6, lines 29-32) and comparing that fingerprint to a list of known malicious and finding a match (Col. 7, lines 4-9), which meets the limitation when the first hash is found in the verdict cache and the first hash indicates that the file malicious. Another hash of the file is generated based on an additional portion of the file (Col. 8, lines 3-7: an additional hash of the file…based at least in part on the part of the file excluded in the generation of the initial fingerprint) such that the new hash is also compared to the list of malicious files to determine a match (Col. 8, lines 32-39), which meets the limitation of the calculating a second hash of the file is performed synchronously, and the searching for the second hash in the verdict cache and/or a remote server is performed synchronously. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash to have additionally compared each segment signature against a list of known malicious files in the manner described in Nachenberg in order to provide accurate identification of malicious files quickly and with fewer resources utilized as suggested by Nachenberg (Col. 3, lines 52-54).
Claims 5, 13, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kailash, U.S. Patent No. 8,607,066, in view of Nachenberg, U.S. Patent No. 9,202,050, and further in view of Waldspurger, U.S. Patent No. 7,984,304. Referring to claim 5, 13, 19, Kailash does not disclose comparing the segment signatures with signatures of known malicious content such that the content can be halted. Nachenberg discloses generating a fingerprint of a first portion of a file (Col. 4, lines 60-63 & Col. 6, lines 29-32), comparing that fingerprint to a list of known malicious and finding a match (Col. 7, lines 4-9), generating another hash of the file based on an additional portion of the file (Col. 8, lines 3-7), and sending the additional hash to a server for comparison (Col. 8, lines 31-39), which meets the limitation of when the second hash is found in the local database, [halting execution of the file] and synchronously search for the second hash in a database of the remote server. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash to have additionally compared each segment signature against a list of known malicious files in the manner described in Nachenberg in order to provide accurate identification of malicious files quickly and with fewer resources utilized as suggested by Nachenberg (Col. 3, lines 52-54).
Waldspurger discloses hashing a portion of an executing program portion such that the generated hash is compared to a white list and black list stored in a local database (Col. 16, lines 53-63). If the hash is found in the black list, a response is triggered (Col. 18, lines 20-23) that could include suspension/termination of the executing program (Col. 20, lines 7-12), which meets the limitation of when the second hash is found in the local database, halting execution of the file. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash, as modified in view of Nachenberg above, to have halted execution of the content being inspected upon determination that a portion of the content is identified in a malicious database in order to provide the user with a chance to take appropriate remedial action as suggested by Waldspurger (Col. 20, lines 9-11).
Claims 6, 14, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kailash, U.S. Patent No. 8,607,066, in view of Nachenberg, U.S. Patent No. 9,202,050, and further in view of Krasser, U.S. Publication No. 2019/0026466. Referring to claims 6, 14, 20, Kailash does not disclose determining errors of a first kind and a second kind. Krasser discloses malware detection that allows for the correction of detected false positives and false negatives ([0022] & [0041]: false positive and false negatives would be considered the claims errors of a first kind and second kind), which meets the limitation of determining errors of a first kind and second kind in verdicts based on comparisons of first hashes and verdict cache in the local database. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the content inspection system of Kailash to have detecting false positives and false negatives in the manner described in Krasser in order to improve the efficiency of determining malware as suggested by Krasser ([0132]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Vlaznev, U.S. Patent No. 10,867,043, discloses an antivirus scanning system for files that is performed by hashing portions of the file for analysis.
Franklin, U.S. Publication No. 2011/0138465, disclose the mitigation of malicious file propagation by comparing file segments to known signatures.
Kirby, U.S. Patent No. 7,694,150, discloses virus detection utilizing behavior based analysis.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




                                                                                                                                                                                              /BENJAMIN E LANIER/Primary Examiner, Art Unit 2437