Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefore, subject to the conditions and requirements of this title.

Claims 11-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter. Claim 11 recites “the computer program product comprising one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media” and based on ¶110 and ¶111 in the specification of this application states “¶110: The computer readable storage medium may be an electronic, magnetic, optical, electromagnetic, infrared or a semi-conductor system for a propagation medium; ¶111: The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.” The specification provides basis for CRM being a transitory medium and further states that the medium “can be” tangible which does not require the CRM to be tangible. An infrared storage medium cannot be patented as it falls under the category of a 35 USC §101 signal per se’ rejection. Therefore, applicant is advised to amend the claims to recite a hardware storage medium or positively recite a hardware component associated with the apparatus. Dependent claims 12-15 fail to cure the deficiency and thus are rejected for the same reason.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 10, 11, 16, and 20 and are rejected under 35 U.S.C as be unpatentable over US 2018/0167403A1 (hereinafter ‘Smith’), and in further view of US 2019/0227881 A1 (hereinafter ‘Patro’).
Regarding Claim 1
	Smith discloses:
A computer-implemented method for ransomware detection and mitigation, the method comprising: performing, in predetermined time-intervals, snapshot backups of data in a block-oriented storage device; determining at least one interval malware index value between a last snapshot backup and a next planned snapshot backup (Abstract: “A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots.; ¶14: The snapshot may occur in response to a request from a malware impact engine 122 or updated via a schedule at preconfigured time intervals. The remote image capture utility 118 may capture baseline images at synchronous and/or asynchronous intervals too. The remote image capture utility 118 may update the baseline image periodically every day, while the same or another remote image capture utility 118 may update baseline images every thirty minutes, for example.”); 
	Smith does not disclose the following limitation “and in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, triggering an emergency snapshot”
	Patro discloses:
wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device and in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, triggering an emergency snapshot (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith in order to include a feature where a system can be configured to take an emergency snapshot of a database if data rate change (malware index threshold value) exceeds a certain threshold as taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a snapshot would be able to properly recover as much data as possible within a database (¶0014).
Regarding Claim 6  
Patro discloses:
The computer-implemented method of claim 1, further comprising: storing the interval malware index value in persistent storage (Claim 9: “A non-transitory computer readable storage medium encoded with instructions executable by a processor of a memory device, the non-transitory computer-readable storage medium comprising: instructions to monitor write operations of the memory device; instructions to select a time interval from a plurality of different time intervals for a snapshot interval based on the write operations that are monitored; and instructions to record a snapshot of the memory device at the time interval.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith in order to include a feature where a system can be configured to store an interval malware index value in storage as taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a computer system can restore a previous database of a system in the case that is under a ransomware attack (¶5).
Regarding Claim 10
Patro discloses:
The computer-implemented method of claim 1, wherein the interval malware index value is determined based, at least in part, on the following formula: (1+ DeltaChange) * (1- DeltaComp) * (1- DeltaDedup) wherein: DeltaChange is a block change rate of a current snapshot backup minus an average block change rate of a predefined plurality of earlier snapshot backups, DeltaComp is a compression rate of the current snapshot backup minus an average compression rate of the predefined plurality of earlier snapshot backups, and DeltaDedup is a deduplication rate of the current snapshot minus an average deduplication rate of the predefined plurality of earlier snapshot backups (¶0014: “In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.”; ¶0025: “The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith in order to include a feature where a system can be configured to take an emergency snapshot of a database if data rate change (malware index threshold value) exceeds a certain threshold as taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a snapshot would be able to properly recover as much data as possible within a database (¶0014).
Regarding Claim 11
Smith discloses:
A computer program product for ransomware detection and mitigation, the computer program product comprising one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media, the stored program instructions comprising: program instructions to perform, in predetermined time-intervals, snapshot backups of data in a block-oriented storage device; program instructions to determine at least one interval malware index value between a last snapshot backup and a next planned snapshot backup (Abstract: “A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots.; ¶14: The snapshot may occur in response to a request from a malware impact engine 122 or updated via a schedule at preconfigured time intervals. The remote image capture utility 118 may capture baseline images at synchronous and/or asynchronous intervals too. The remote image capture utility 118 may update the baseline image periodically every day, while the same or another remote image capture utility 118 may update baseline images every thirty minutes, for example.”), 
Smith does not disclose the following limitation “wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device; and program instructions to, in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, trigger an emergency snapshot”
Patro discloses:
wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device; and program instructions to, in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, trigger an emergency snapshot (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith in order to include a feature where a system can be configured to take an emergency snapshot of a database if data rate change (malware index threshold value) exceeds a certain threshold as taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a snapshot would be able to properly recover as much data as possible within a database (¶0014).
Regarding Claim 16
Smith discloses:
A computer system for ransomware detection and mitigation, the computer system comprising: a processor(s) set; and a computer readable storage medium; wherein: the processor(s) set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the stored program instructions comprise: program instructions to perform, in predetermined time-intervals, snapshot backups of data in a block-oriented storage device; program instructions to determine at least one interval malware index value between a last snapshot backup and a next planned snapshot backup (Abstract: “A system and method detects malware by processing notifications from an intrusion detection system and baseline snapshots from an image capture utility. The image capture utility constructs an image of the suspected malware intrusion and links the suspected malware intrusion to the baseline snapshots.; ¶14: The snapshot may occur in response to a request from a malware impact engine 122 or updated via a schedule at preconfigured time intervals. The remote image capture utility 118 may capture baseline images at synchronous and/or asynchronous intervals too. The remote image capture utility 118 may update the baseline image periodically every day, while the same or another remote image capture utility 118 may update baseline images every thirty minutes, for example.”), 
Smith does not disclose the following limitation “wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device; and program instructions to, in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, trigger an emergency snapshot”
Patro discloses:
wherein the interval malware index value is indicative of a changed block rate in stored data of storage blocks of the block-oriented storage device; and program instructions to, in response to determining that the interval malware index value is larger than a predefined interval malware index threshold value, trigger an emergency snapshot (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith in order to include a feature where a system can be configured to take an emergency snapshot of a database if data rate change (malware index threshold value) exceeds a certain threshold as taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a snapshot would be able to properly recover as much data as possible within a database (¶0014).
Claims 2, 3 ,12, 13, 17 and 18 are rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’), and in further view of US 2016/0378988 A1 (hereinafter ‘Bhashkar’).
Regarding Claim 2
Smith and Patro do not disclose the following limitation “in response to performing one or more snapshot backups of the performed snapshot backups, storing an identification of changed data blocks in a commit table”. 
Bhashkar discloses: 
The computer-implemented method of claim 1, further comprising: in response to performing one or more snapshot backups of the performed snapshot backups, storing an identification of changed data blocks in a commit table (¶58: “Table 430 depicts a portion of snapshot data maintained by file system driver 350. Column 431 (“Snapshot ID”) specifies a unique identifier (such as SS101, SS102, etc.) of the snapshot, column 432 (“Process ID”) specifies the process for which the snapshot has been created, and column 433 (“Location”) specifies the location/path in the file system where the snapshot data has been created.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Patro in order to include a feature where a system can be configured to store the data of a snapshot in a commit table as taught by Bhashkar. One of ordinary skill in the art would have been motivated to do so because Bhashkar recognizes that by implementing this feature a snapshot can be saved with a unique identifier and can be stored in a specific location (¶58).
Regarding Claim 3
Smith and Bhashkar do not disclose the following limitation “determining a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and using the rate of the changed data blocks in determining the at least one interval malware index value”
Patro discloses: 
The computer-implemented method of claim 2, further comprising: determining a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and using the rate of the changed data blocks in determining the at least one interval malware index value (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Smith, Patro and Bhashkar as described in claim 2 with additional teachings of Patro in order to include a feature where a system can be configured to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a system can take a snapshot of a database data rate change (malware index threshold value) exceeds a certain threshold (¶0014).
Regarding Claim 12
Smith and Patro do not disclose the following limitation “the stored program instructions further comprising: program instructions to, in response to performing one or more snapshot backups of the performed snapshot backups, store an identification of changed data blocks in a commit table”
Bhashkar discloses: 
The computer program product of claim 11, the stored program instructions further comprising: program instructions to, in response to performing one or more snapshot backups of the performed snapshot backups, store an identification of changed data blocks in a commit table (¶58: “Table 430 depicts a portion of snapshot data maintained by file system driver 350. Column 431 (“Snapshot ID”) specifies a unique identifier (such as SS101, SS102, etc.) of the snapshot, column 432 (“Process ID”) specifies the process for which the snapshot has been created, and column 433 (“Location”) specifies the location/path in the file system where the snapshot data has been created.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Pat in order to include a feature where a system can be configured to store the data of a snapshot in a commit table as taught by Bhashkar. One of ordinary skill in the art would have been motivated to do so because Bhashkar recognizes that by implementing this feature a snapshot can be saved with a unique identifier and can be stored in a specific location (¶58).
Regarding Claim 13
Smith and Bhashkar do not disclose the following limitation “the stored program instructions further comprising: program instructions to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and program instructions to use the rate of the changed data blocks in determining the at least one interval malware index value”
Patro discloses: 
The computer program product of claim 12, the stored program instructions further comprising: program instructions to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and program instructions to use the rate of the changed data blocks in determining the at least one interval malware index value (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Smith, Patro and Bhashkar as described in claim 12 with additional teachings of Patro in order to include a feature where a system can be configured to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a system can take a snapshot of a database data rate change (malware index threshold value) exceeds a certain threshold (¶0014).
Regarding Claim 17
Smith and Patro do not disclose the following limitation “in response to performing one or more snapshot backups of the performed snapshot backups, storing an identification of changed data blocks in a commit table”
Bhashkar discloses: 
The computer system of claim 16, the stored program instructions further comprising: program instructions to, in response to performing one or more snapshot backups of the performed snapshot backups, store an identification of changed data blocks in a commit table (¶58: “Table 430 depicts a portion of snapshot data maintained by file system driver 350. Column 431 (“Snapshot ID”) specifies a unique identifier (such as SS101, SS102, etc.) of the snapshot, column 432 (“Process ID”) specifies the process for which the snapshot has been created, and column 433 (“Location”) specifies the location/path in the file system where the snapshot data has been created.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Pat in order to include a feature where a system can be configured to store the data of a snapshot in a commit table as taught by Bhashkar. One of ordinary skill in the art would have been motivated to do so because Bhashkar recognizes that by implementing this feature a snapshot can be saved with a unique identifier and can be stored in a specific location (¶58).
Regarding Claim 18
Smith and Bhashkar do not disclose the following limitation “determining a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and using the rate of the changed data blocks in determining the at least one interval malware index value”
Patro discloses: 
The computer system of claim 17, the stored program instructions further comprising: program instructions to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups; and program instructions to use the rate of the changed data blocks in determining the at least one interval malware index value (¶0014: In one example, the snapshot interval 112 may be based on the variables that are monitored. For example, if the rate of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high rates of data changes may be implemented. In another example, if the volume of data changes exceeds a respective threshold 110, a snapshot interval 112 associated with high volumes of data changes may be implemented. In another example, if none of the respective thresholds 110 are exceeded for any variable, then a predefined time interval may be implemented as the snapshot interval 112.; ¶0025: The volume of data change variable may similarly have different thresholds 110 for different snapshot intervals 112. It should be noted that each variable may have a different number of thresholds and associated snapshot intervals or the same number of thresholds and associated snapshot intervals.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the teachings of Smith, Patro and Bhashkar as described in claim 17 with additional teachings of Patro in order to include a feature where a system can be configured to determine a rate of changed data blocks between at least two snapshot backups of the performed snapshot backups taught by Patro. One of ordinary skill in the art would have been motivated to do so because Patro recognizes that by implementing this feature a system can take a snapshot of a database data rate change (malware index threshold value) exceeds a certain threshold (¶0014).
Claims 4, 14, and 19 are rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’), in view of US 2016/0378988 A1 (hereinafter ‘Bhashkar’), and in further view of US 11,307,933 B2 (hereinafter ‘Wilson’).
Regarding Claim 4
Smith, Patro, and Bhashkar do not disclose the following limitation “deleting the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed”. 
Wilson discloses: 
The computer-implemented method of claim 2, further comprising: deleting the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed (Claim 18: “The non-transitory computer readable medium, according to claim 16, wherein the storage resource pool deletes initial snapshots in response to additional storage space being requested by a process that is independent of the initial snapshots and the new snapshots.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro, and Bhashkar in order to include a feature where a system can be configured to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed as taught by Wilson. One of ordinary skill in the art would have been motivated to do so because Wilson recognizes that by implementing this feature a computer system can delete an old snapshot in order to conserve storage space for a new snapshot (Claim 18).
Regarding Claim 14
Smith, Patro, and Bhashkar do not disclose the following limitation “the stored program instructions further comprising: program instructions to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed”
Wilson discloses: 
The computer program product of claim 12, the stored program instructions further comprising: program instructions to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed (Claim 18: “The non-transitory computer readable medium, according to claim 16, wherein the storage resource pool deletes initial snapshots in response to additional storage space being requested by a process that is independent of the initial snapshots and the new snapshots.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro, and Bhashkar in order to include a feature where a system can be configured to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed as taught by Wilson. One of ordinary skill in the art would have been motivated to do so because Wilson recognizes that by implementing this feature a computer system can delete an old snapshot in order to conserve storage space for a new snapshot (Claim 18).
Regarding Claim 19
Smith, Patro, and Bhashkar do not disclose the following limitation “deleting the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed”. 
Wilson discloses: 
The computer system of claim 17, the stored program instructions further comprising: program instructions to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed (Claim 18: “The non-transitory computer readable medium, according to claim 16, wherein the storage resource pool deletes initial snapshots in response to additional storage space being requested by a process that is independent of the initial snapshots and the new snapshots.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro, and Bhashkar in order to include a feature where a system can be configured to delete the identification of the changed data blocks in the commit table in response to a new snapshot backup being performed as taught by Wilson. One of ordinary skill in the art would have been motivated to do so because Wilson recognizes that by implementing this feature a computer system can delete an old snapshot in order to conserve storage space for a new snapshot (Claim 18).
Claims 5, 15 and 20 are rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’), US 2016/0378988 A1 (hereinafter ‘Bhashkar’), and in further view of US 2018/0107824 A1 (hereinafter ‘Gibbon’)
Regarding Claim 5
Smith, Patro and Bhashkar do not disclose the following limitation “in response to determining that a file has been affected by malware, repairing the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table”. 
Gibbon discloses:
The computer-implemented method of claim 2, further comprising: in response to determining that a file has been affected by malware, repairing the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table (¶5: “For instance, if the user detects ransomware infection within a filesystem early enough, the user may be able to restore a previous, uninfected backup of the filesystem before the uninfected backup ages out.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro, and Bhashkar in order to include a feature where a system can be configured to repair the file of a system using unencrypted data blocks from previously taken snapshot backup if the system is infected with as taught by Gibbon. One of ordinary skill in the art would have been motivated to do so because Gibbon recognizes that by implementing this feature a computer system can restore a previous database of a system in the case that is under a ransomware attack (¶5).

Regarding Claim 15
Smith, Patro and Bhashkar do not disclose the following limitation “the stored program instructions further comprising: program instructions to, in response to determining that a file has been affected by malware, repair the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table”
The computer program product of claim 12, the stored program instructions further comprising: program instructions to, in response to determining that a file has been affected by malware, repair the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table.
Gibbon discloses:
The computer-implemented method of claim 12, further comprising: in response to determining that a file has been affected by malware, repairing the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table (¶5: “For instance, if the user detects ransomware infection within a filesystem early enough, the user may be able to restore a previous, uninfected backup of the filesystem before the uninfected backup ages out.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro and Bhashkar in order to include a feature where a system can be configured to repair the file of a system using unencrypted data blocks from previously taken snapshot backup if the system is infected with as taught by Gibbon. One of ordinary skill in the art would have been motivated to do so because Gibbon recognizes that by implementing this feature a computer system can restore a previous database of a system in the case that is under a ransomware attack (¶5).
Regarding Claim 20
Smith, Patro and Bhashkar do not disclose the following limitation “in response to determining that a file has been affected by malware, repairing the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table”. 
Gibbon discloses:
The computer system of claim 17, the stored program instructions further comprising: program instructions to, in response to determining that a file has been affected by malware, repair the file using unencrypted data blocks from previously taken snapshot backups, using the identification of the changed data blocks in the commit table (¶5: “For instance, if the user detects ransomware infection within a filesystem early enough, the user may be able to restore a previous, uninfected backup of the filesystem before the uninfected backup ages out.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith, Patro and Bhashkar in order to include a feature where a system can be configured to repair the file of a system using unencrypted data blocks from previously taken snapshot backup if the system is infected with as taught by Gibbon. One of ordinary skill in the art would have been motivated to do so because Gibbon recognizes that by implementing this feature a computer system can restore a previous database of a system in the case that is under a ransomware attack (¶5).

Claim 7 is rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’), and in further view of EP 3,514,719 B1 (hereinafter ‘Tomer’).
Regarding Claim 7
Tomer discloses:

The computer-implemented method of claim 1, further comprising: in response to triggering the emergency snapshot, triggering an alarm signal (¶3: “To provide a specific example, US 2007/150957 A1 discloses a malware analysis system for automating cause and effect analysis of malware infections. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Patro in order to include a feature where a system can be configured to trigger an alarm if an emergency snapshot is triggered as taught by Tomer. One of ordinary skill in the art would have been motivated to do so because Tomer recognizes that by implementing this feature a computer system can further analyze the malware that triggered the alarm (¶3).
Claim 8 is rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’), and in further view of US 2017/0371750 A1 (hereinafter ‘Horowitz’). 
Regarding Claim 8
Horowitz discloses:

The computer-implemented method of claim 1, further comprising: in response to determining that a predefined condition is met, pausing the determination of the at least one interval malware index value (¶64: “For example, the system may periodically or a periodically capture snapshots of the data. In other examples, the system may change the timing of taking snapshots based on client interaction with the dataset. For example, the system may take snapshots every 10 milliseconds during time periods where the dataset is receiving change requests and pause snapshot generation during periods where no changes to the dataset are taking place).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Patro in order to include a feature where a system can be configured to trigger an alarm if an emergency snapshot is triggered as taught by Horowitz. One of ordinary skill in the art would have been motivated to do so because Horowitz recognizes that by implementing this feature a computer system can be configured to pause the determination of the at least one interval malware index value if no changes to a dataset are occurring (¶64). 
Claim 9 is rejected under 35 U.S.C as be unpatentable over US 2018/0167403 A1 (hereinafter ‘Smith’), in view of US 2019/0227881 A1 (hereinafter ‘Patro’) and in further view of US 2018/0107824 A1 (hereinafter ‘Gibbon’)
Regarding Claim 9
Smith and Patro do not disclose the following limitation “in response to determining that a previous snapshot backup is older than a current snapshot back up by a predetermined number of backups, deleting the previous snapshot backup”
Gibbon discloses: 
The computer-implemented method of claim 1, further comprising: in response to determining that a previous snapshot backup is older than a current snapshot back up by a predetermined number of backups, deleting the previous snapshot backup (¶44: “In some embodiments, snapshot server 103 can automatically delete previous-stored snapshots after a certain amount of time or after a certain number of snapshots have been taken—this is known as “aging out” old snapshots, and can be used to free up space for new snapshots”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Smith and Patro in order to include a feature where a system can be configured to repair the file of a system using unencrypted data blocks from previously taken snapshot backup if the system is infected with as taught by Gibbon. One of ordinary skill in the art would have been motivated to do so because Gibbon recognizes that by implementing this feature a computer system can restore a previous database of a system in the case that is under a ransomware attack (¶5).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information
Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or
Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more
information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-
786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431