Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claims recite “transmit, from an enterprise monitoring process, to a computing machine that: is set to be accessed only by a group of users;” – it is not clearly and definitively stated what is transmitted. Therefore the corresponding dependent claims are also rejected. It is understood from the specification and drawings that some content is transmitted.

Claim Rejections - 35 USC § 101
Claim Rejections - 35 USC § 101 (Non-Statutory)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Include the ground of rejection (claim #). The claimed invention is directed to non-statutory subject matter.  The claim(s) 1 does/do not fall within at least one of the four categories of patent eligible subject matter because Claim 1 is directed to “An apparatus for security scanning, the apparatus comprising a data collection machine” (software per se) a non-statutory subject matter.  The claim(s) 1 does/do not fall within at least one of the four categories of patent eligible subject matter because apparatus comprising a data collection machine is non-statutory and does not fall in any of the four categories of process, manufacture, machine or composition – as it does not provide any hardware or tangible structure to the claim(s). Also, see para. [083-84] which recites ‘invention may be operational with numerous other general purpose or special purpose computing system environments or configurations… invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer… [138] Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software, hardware and any other suitable approach or apparatus.’ and MPEP 2106.03. Therefore all corresponding dependent claims 2 – 10 are also rejected for the same rationale.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1 – 21 is/are rejected under 35 U.S.C. 102(a)(1)/(2) as being unpatentable by Dahan; Asher (US 20180293379), hereafter Dah.
Claim 1: Dah teaches an apparatus for security scanning, the apparatus comprising a data collection machine configured to (Fig. 2): transmit, from an enterprise monitoring process, to a computing machine that: is set to be accessed only by a group of users; ([062] the server configured to transmit data to client devices via the internal network, [012] a select number of the plurality of deployed data items is accessible to selected users of the system);
and does not have a pipeline to the Internet an executable file; ([063] internal network is formed of one or more networks, such as a private network, [087] an executable files);
cause the computing machine to execute the executable file; ([079] process chrome.exe is executed by the OS process explorer.exe);
and derive, from an output of the executable file, a monitoring condition in the computing machine. ([006] monitoring module monitors selected activities, including, but not limited to, file accesses, network accesses, application accesses, registry accesses, file creations, file modifications, process calls, and process creations).
Claim 11: Dah teaches a method for security scanning, the method comprising: transmitting, from an enterprise monitoring process, to a computing machine that: is set to be accessed only by a group of users; and does not have a pipeline to the Internet, an executable file; and, using the computing machine: executing the executable file; and deriving, from an output of the executable file, a monitoring condition in the computing machine. ([062] the server configured to transmit data to client devices via the internal network, [012] a select number of the plurality of deployed data items is accessible to selected users of the system; [063] internal network is formed of one or more networks, such as a private network, [087] an executable files; [079] process chrome.exe is executed by the OS process explorer.exe; [006] monitoring module monitors selected activities, including, but not limited to, file accesses, network accesses, application accesses, registry accesses, file creations, file modifications, process calls, and process creations).
Claim 2: Dah teaches the apparatus of claim 1 wherein the enterprise monitoring process includes only individuals that are not part of the group. ([014] ransomware detection component ... determines, whether a detected activity is ...by a third party not authorized to execute, and [072] computing device that is used to detect, deflect, or counteract attempts to gain unauthorized access to a computing device or computing system by an attacker (i.e., users not part of group)).
Claim 3: Dah teaches the apparatus of claim 1 wherein the data collection machine is further configured to send to the computing machine a configuration file that includes a security configuration record. ([019] receive a plurality of configuration data associated with configuration parameters for at least one of the at least one monitoring module, the trigger rule module, the action script module, the database, and combinations thereof).
Claim 4: Dah teaches the apparatus of claim 3 wherein the data collection machine is configured to block the configuration file from transmission to the Internet. ([016, 115] restricting access to the system of at least one user associated with a detected activity that is determined to be indicative of a ransomware attack).
Claim 5: Dah teaches the apparatus of claim 3 wherein the executable file is configured to: retrieve from storage in the computing machine a security item; and compare the security configuration record to the security item. ([017] the database configured to store a plurality of action scripts associated with a plurality of detected activities executed on data files, and the action script module configured to access at least one action script associated with a selected detected activity ... the detected activity shall be a ransomware attack).
Claim 6: Dah teaches the apparatus of claim 5 wherein the security item includes file metadata. ([0105] 'attempt to alter a file' includes metadata of a file).
Claim 7: Dah teaches the apparatus of claim 6 wherein the metadata includes a filename. ([088, 105] attempt to alter a file includes a file is renamed).
Claim 9: Dah teaches the apparatus of claim 1 wherein: the computing machine is a machine of a plurality of computing machines, each of which: is set to be accessed only by the group of users; and does not have a pipeline to the Internet; the plurality of computing machines is contained within a security airgap; and the security airgap encompasses a software distribution server that is in electronic communication with each of the computing machines. ([012] a select number of the plurality of deployed data items is accessible to selected users of the system, [063] internal network is formed of one or more networks, such as a private network, [087] an executable files, [064] Secure HTTP and/or virtual private networks (VPNs)).
Claim 10: Dah teaches the apparatus of claim 9 wherein the data collection machine is configured to transmit the executable file to the server. ([018] transmit at least a portion of the generated event data to a select number of a remainder of the plurality of monitoring modules via the network for processing thereby, [0107] event data is transmitted to the Central Monitoring Module and/or the Monitored Activity Detection Database).
Claim 12: Dah teaches the method of claim 11 further comprising, when the group of users is a first group of users, providing the report to a second group of users that: are part of the enterprise monitoring process; and are not part of the first group. ([014] ransomware detection component ... determines, whether a detected activity is ...by a third party not authorized to execute, and [072] computing device that is used to detect, deflect, or counteract attempts to gain unauthorized access to a computing device or computing system by an attacker (i.e., users not part of group)).
Claim 13: Dah teaches the method of claim 11 further comprising transmitting, from the enterprise monitoring process, to the computing machine, a configuration file that includes a security configuration record. ([019] receive a plurality of configuration data associated with configuration parameters for at least one of the at least one monitoring module, the trigger rule module, the action script module, the database, and combinations thereof).
Claim 14: Dah teaches the method of claim 13 further comprising blocking the configuration file from transmission to the Internet from the enterprise process. ([016, 115] restricting access to the system of at least one user associated with a detected activity that is determined to be indicative of a ransomware attack).
Claim 15: Dah teaches the method of claim 13 wherein the executing includes using the executable file to compare the security configuration record to a security item retrieved from storage in the computing machine. ([017] the database configured to store a plurality of action scripts associated with a plurality of detected activities executed on data files, and the action script module configured to access at least one action script associated with a selected detected activity ... the detected activity shall be a ransomware attack).
Claim 16: Dah teaches the method of claim 15 wherein the deriving includes providing a comparison of the security configuration record and the security item. ([008] the anti-ransomware comprises a trigger rule module that analyzes at least a portion of activities monitored by the at least one monitoring module, particularly those activities with respect to one or more of the deployed honeypot drives and/or honeypot files).
Claim 17: Dah teaches the method of claim 11 wherein: the computing machine is a machine of a plurality of computing machines, each of which: is set to be accessed only by the first group of users; and does not have a pipeline to the Internet; the plurality of computing machines is contained within a security airgap; and the security airgap encompasses a software distribution server that is in electronic communication with each of the computing machines. ([012] a select number of the plurality of deployed data items is accessible to selected users of the system, [063] internal network is formed of one or more networks, such as a private network, [087] an executable files, [064] Secure HTTP and/or virtual private networks (VPNs)).
Claim 18: Dah teaches the method of claim 17 wherein the transmitting includes sending the executable file to the server. ([018] transmit at least a portion of the generated event data to a select number of a remainder of the plurality of monitoring modules via the network for processing thereby, [0107] event data is transmitted to the Central Monitoring Module and/or the Monitored Activity Detection Database).
Claim 19: Dah teaches the method of claim 18 wherein: the enterprise monitoring process is owned by a first party; the server includes an application product sourced from a second party; and no application resident on any of the plurality of computing machines is sourced from a party other than the second party. ([007-008] the anti-ransomware application includes a honeypot deployment module which creates and strategically deploys honeypot drives and/or honeypot files in one or more shared resources resident on the computing system. The honeypot deployment module deploys honeypot drives surrounding each valid shared resource on the computing system. [084] the configuration shown in Figs. 5A-5D will only apply to server DC3 and the files stored on server DC3 and shared with server DC3).
Claim 20: Dah teaches the method of claim 12 wherein: the computing machine is a machine of a plurality of computing machines, each of which: is set to be accessed only by the first group of users; and does not have a pipeline to the Internet; the plurality of computing machines is contained within a security airgap; and the security airgap encompasses a software distribution server that is in electronic communication with each of the computing machines. ([012] a select number of the plurality of deployed data items is accessible to selected users of the system, [063] internal network is formed of one or more networks, such as a private network, [087] an executable files, [064] Secure HTTP and/or virtual private networks (VPNs)).
Claim 21: Dah teaches the method of claim 18 wherein the providing includes sending the report from the server. ([062] the server is a content or data server providing information to a client device).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dah as stated in the claims above further in view of Griggs (US 20200145439), hereafter Gri.
Claim 8: Dah teaches the apparatus of claim 6 but is silent on wherein the metadata includes a version number.
But analogous art Gri teaches wherein the metadata includes a version number. ([047] header token mapping “VERSION_LABEL “version”).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dah to include the idea of a version number as taught by Gri so that these renamed and formatted events can be stored in a JSON log file on the audited system for collection by security operations tools (068).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN /Examiner, Art Unit 2496.