DETAILED ACTION
This Office Action is in response to the amendment on 05/21/2022
In the instant amendment, no claims were amended; claims 1, 10 and 14 are independent claims. Claims 1-20 are pending in this application. THIS ACTION IS MADE FINAL. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Terminal Disclaimer
The terminal disclaimer filed on 05/21/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 10873588 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
The Non-Statutory Double Patenting Rejection has been withdrawn because applicant filed a terminal disclaimer on 05/21/2022 which was approved. 
Applicant’s arguments filed 05/21/2022 have been fully considered but they are not persuasive. 
Applicant argues on pages 3-6 that the cited references Bhargava in view of Polyakov fail to explicitly disclose applicant’s definition and use of two whitelists, one or signed programs and one for unsigned programs and has not found uploading of a program to a server for further analysis. Applicant asserts that the term “trust status” as taught by Bhargava is not the same as being signed which is based upon a digital signature. Bhargava makes no mention of digital signatures but instead uses a checksum or hash value of the entire file to compare two programs to determine if they are different. There is no test in Bhargava to determine if a digital signature is stored in a portion of the file meaning that the program is signed. Bhargava does not disclose signed executables or signed programs. The method of Bhargava does not use digital signature components in the whitelist and, therefore, does not use digital signature components in the whitelist, and therefore requires a separate whitelist entry for every file even if supplied by the same provider as part of a suite of programs. Bharagava does not disclose at least one element of the applicant’s claims, that being having separate whitelist for signed programs. Polyakov fails to disclose two whitelists, one for signed programs and one for unsigned programs. There is no mention that the program or part of be forwarded to a server for further analysis only that heuristics are performed locally. In Bhargava, there is 
no disclosure that the program (or part of) is sent to the server, so therefore, it is unclear how the program could be queued for "further research" by the server when the program is not at the server. Further, Polyakov does not analyze
programs, but data files. Polyakov is concerned with sending and
receiving data files that are potentially malicious, not execution of programs. Polyakov transmits the data files for expert analysis, but not an executable that a user is trying to run. Therefore, it is clear that Polyakov deals with data files and sends certain parts (non-confidential parts) to a server for analysis. As discussed above, digital signatures are known for executable files or programs, not for data files. Applicant's system deals with program files and sends the program file (or part of, e.g., when the program file is too big) to the server after execution is denied due to absence from one of the whitelists. There is no attempt to execute the data files of Polyakov (as in applicant's claims) and, therefore, no transmission of a program file (or part of) to a server upon blocking of execution of the program file (Polyakov does not attempt execution of the data file).
The Examiner disagrees with the Applicants. Under a broadest reasonable interpretation (BRI), words of the claim must be given their plain meaning, unless such meaning is inconsistent with the specification. The plain meaning of a term means the ordinary and customary meaning given to the term by those of ordinary skill in the art at the time of the invention. In this case, there is no mention of a digital signature in the claim. “Although the specifications may well indicate that certain embodiments are preferred, particular embodiments appearing in a specification will not be read into the claims when the claim language is broader than such embodiments.” (Electro Med. Sys. S.A. v. Cooper Life Sciences Inc., 34 F.3d 1048, 1054 (Fed. Cir. 1994)). Applicant’s claims are written very broadly and do not say how an element is signed or unsigned in the claims. Applicant is also arguing elements that are not in the claims such as signed programs and unsigned programs. The claim mentions signed and unsigned executables. There is no mention in the claim about an encoded signature that is issued by a certification authority. There is no mention in the claims about determining if a digital signature is stored in a portion of the file meaning that the program is signed. There are no digital signature components in the whitelist in the claims. There is no mention of a central trusted cache is updated in the claims. Further there is no mention in the claims about current heuristics that include what is being received from many other users who might be trying to run the same program and therefore the server is able to modify the heuristics based upon many occurrences of the program not just one. Bhargava discloses two whitelists (Bhargava, FIG 12, item 1230), a first whitelist of the two whitelists for signed executables and a second of the two whitelists for unsigned executables (Bhargava, Col. 7, Lines 4-16; Col. 3, Lines 23-61); a server, the server having storage containing the two whitelists (Bhargava, 1220, FIG 12 & FIG 2); a computer protected by the system for computer security (Bhargava, FIG 11, Col. 3, Lines 23-61), the software determining if the executable is signed, if the executable is signed, the software searches the first whitelist to see if the executable is present on the first whitelist and if the executable is present on the first whitelist, the software allows the running of the executable (Bhargava, Col. 7, Lines 4-16), if the executable is unsigned, the software searches the second whitelist to see if the executable is present on the second whitelist, (Bhargava, Col. 2, Lines 50-62); and if the executable is present on the second whitelist (Bhargava, Col. 2, Lines 50-62), the software allows the running of the executable (Bhargava, Col. 12, Lines 58-63; Col. 17, Lines 12-17); if the executable is not found in the respective whitelist of the two whitelists (Bhargava, 1240, FIG 12), at least a portion of the executable is forwarded to the server and software running on the server further analyzes the executable using heuristics (Bhargava, Col. 11, Lines 47-65; Col. 26, Lines 7-22); when the server determines the malicious software exists in the executable, the server notifies a user of the computer regarding the malicious software and the executable is locked (Bhargava, Col. 5, Lines 27-56), when the server determines that malicious software exists in the executable, the server notifies a user of the computer regarding the malicious software and the executable is blocked (Bhargava, Col. 5, Lines 27-56), when the server determines that no malicious software exists in the executable, the server updates the respective whitelist of the two whitelists and sends a transaction to the computer, responsive to the transaction, the computer allows running of the executable (Bhargava, Col. 12, Lines 58-63; Col. 17, Lines 12-17). Polyakov was used in combination to disclose the limitation of if the server determines that there may be malicious software in the executable, the server queues the executable for further research and execution of the executable is blocked (See Polyakov, Col. 10, Lines 30-65). Specifically, Polyakov discloses if the server determines that there may be malicious software in the program files, the server sends this information to either automated for human security expert and the malicious software files are blocked. 
Applicant's arguments (pages: 7-11): Additionally, as to the dependent claims 2-9, 11-13 and 15-20 the Applicant argues that the claims are dependent directly or indirectly from a respective one of claims of independent claims 1, 10 and 14 and are therefore distinguished from the cited art at least by virtue OR allowable at least based on of their additionally recited patentable subject matter.
The Examiner disagrees with the Applicants. The Examiner respectfully submits that the dependent claims 2-9, 11-13 and 15-20 are rejected at least based on the rationale and response presented to the argument for their respective base claims, and the reference applied to claims 2-9, 11-13 and 15-20. Therefore, in view of the above reasons, the Examiner maintains the rejection with the cited prior art references.
Therefore, in view of the above reasons, the Examiner maintains the rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 10-11 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) and further in view of Polyakov et al (“Polyakov,” US 8,863,284).  

Regarding claim 1, Bhargava discloses a system for computer security, the system comprising:
two whitelists, (Bhargava, FIG 12, 1230, whitelists)
a first whitelist of the two whitelists for signed executables and a second of the two whitelists for unsigned executables; (Bhargava, FIG 12, 1230, whitelists; Col. 7, Lines 4-16, Whitelists a may be implemented using checksums where a unique checksum for each program file is stored, which can be readily compared to a computed checksum of a program file sought to be evaluated. A checksum can be a mathematical value or hash sum ( e.g., a fixed string of numerical digits) derived by applying an algorithm to a software program file. If the algorithm is applied to a second software program file that is identical to the first software program file, then the checksums should match. However, if the second software program file is different ( e.g., it has been altered in some way, it is a different version of the first software program file, it is a wholly different type of software, etc.) then the checksums are very unlikely to match; Col. 3, Lines 23-61 describes a trusted status [signed] and an untrusted status [unsigned] and using one or more trust evaluation techniques (e.g. whitelist comparisons etc) and policies used to define blocking rules for software processes associated with untrusted program files)
a server, the server having storage containing the two whitelists; (Bhargava, 1220, FIG 12, check to see if all program files are found in the central trusted cache, if no then step 1230, search one or more whitelists for program files not found in the central trusted cache; FIG 2 shows the central trusted cache 245 being apart of the central server as shown in 200)
a computer protected by the system for computer security; (Bhargava, 120a, FIG 1 shows a host computer with executable software and local protection components)
software running on the computer detecting an attempt to run an executable, the software determining if the executable is signed, (Bhargava, FIG 11, 1110 local protection module intercepts network access attempt, 1120 determine program files corresponding to network access attempt, 1132 check to see if the program file checksum is in the checksum cache, if yes then proceed to step 1136; Col. 3, Lines 23-61 describes a trusted status [signed] and using one or more trust evaluation techniques (e.g. whitelist comparisons etc))
the software determining if the executable is signed, if the executable is signed, the software searches the first whitelist to see if the executable is present on the first whitelist and if the executable is present on the first whitelist, the software allows the running of the executable, (Bhargava, Col. 7, Lines 4-16, Whitelists a may be implemented using checksums where a unique checksum for each program file is stored, which can be readily compared to a computed checksum of a program file sought to be evaluated. A checksum can be a mathematical value or hash sum ( e.g., a fixed string of numerical digits) derived by applying an algorithm to a software program file. If the algorithm is applied to a second software program file that is identical to the first software program file, then the checksums should match. However, if the second software program file is different ( e.g., it has been altered in some way, it is a different version of the first software program file, it is a wholly different type of software, etc.) then the checksums are very unlikely to match; 1190, FIG 11, allow network access attempt)
if the executable is unsigned, the software searches the second whitelist to see if the executable is present on the second whitelist (Bhargava, Col. 2, Lines 50-62  describes having an untrusted status [untrusted], the program searches the one or more whitelists for the program files not found in the central trusted cache)
and if the executable is present on the second whitelist, (Bhargava, Col. 2, Lines 50-62  describes having an untrusted status [untrusted], the program searches the one or more whitelists for the program files not found in the central trusted cache)
the software allows the running of the executable; (Bharagava, Col. 12, Lines 58-63, this embodiment allows program files that have previously been categorized as untrusted (e.g. a new internal program file not updated in internal whitelists and not known to global/external whitelists etc) to be recategorized to trusted once one of the internal or external whitelists has been updated to identify the new program file; Col. 17, Lines 12-17, if the trusted status is not overridden by policy (i.e. policy allows network access or no policy is applicable in step 770, however, then flow passes to step 790 where the software process is allowed network access)
if the executable is not found in the respective whitelist of the two whitelists, (Bhargava, 1240, FIG 12, update central trusted cache with any program files found in the whitelist)
at least a portion of the executable is forwarded to the server and software running on the server further analyzes the executable using heuristics, (Bhargava, Col. 11, Lines 47-65 describes heuristic considerations; Col. 26, Lines 7-22, logic may be included in modules of the host or central server providing for evaluation of heuristic conditions)
when the server determines that malicious software exists in the executable, the server notifies a user of the computer regarding the malicious software and the executable is blocked, (Bhargava, Col. 5, Lines 27-56 describes the central server determines that the program file is untrusted (malicious), the central server notifies the system regarding the untrusted program file and the untrusted file is blocked)
when the server determines that no malicious software exists in the executable, the server updates the respective whitelist of the two whitelists and sends a transaction to the computer, responsive to the transaction , the computer allows running of the executable,  (Bhargava, Col. 12, Lines 58-63; Col. 17, Lines 12-17, describes when the server determines that no malware exists in the executable the server updates the whitelist of whitelists and sends the transaction to the computer responsive to the transaction, the computer allows running the executable)
Bhargava fails to explicitly disclose when the server determines that there may be malicious software in the executable, the server queues the executable for further research and execution of the executable is blocked.
However, in an analogous art, Polyakov discloses if the server determines that there may be malicious software in the executable, the server queues the executable for further research and execution of the executable is blocked (Polyakov, Col. 10, Lines 30-65, describes if the server determines that there may be malicious software in the program files, the server sends the requested files for further analysis that is either automated or done by a human security expert and the malicious files are then blocked)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Polyakov with the method/system of Bhargava to include if the server determines that there may be malicious software in the executable, the server queues the executable for further research and execution of the executable is blocked provide users with a means for providing a system and method for determining a security status of potentially malicious files (Polyakov, Col. 10, Lines 30-65). 

Regarding claim 10, claim 10 is directed to a method. Claim 10 is
similar in scope to claim 1 and is therefore rejected under similar rationale.

Regarding claim 11, Bhargava and Polyakov disclose the method of claim 10. 
Bhargava further discloses further comprising: 
providing a second whitelists, the second whitelist having second identifications for executable software that is signed whereas the first whitelist having identification for executable software that is unsigned; (Bhargava, FIG 12, 1230, whitelists; Col. 7, Lines 4-16, Whitelists a may be implemented using checksums where a unique checksum for each program file is stored, which can be readily compared to a computed checksum of a program file sought to be evaluated. A checksum can be a mathematical value or hash sum ( e.g., a fixed string of numerical digits) derived by applying an algorithm to a software program file. If the algorithm is applied to a second software program file that is identical to the first software program file, then the checksums should match. However, if the second software program file is different ( e.g., it has been altered in some way, it is a different version of the first software program file, it is a wholly different type of software, etc.) then the checksums are very unlikely to match; Col. 3, Lines 23-61 describes a trusted status [signed] and an untrusted status [unsigned] and using one or more trust evaluation techniques (e.g. whitelist comparisons etc) and policies used to define blocking rules for software processes associated with untrusted program files)
upon the attempt to initiate a signed executable on the computer, determining if the signed executable corresponds to one of the second identifications in the second whitelist and if the signed executable corresponds to any one of the second
identifications in the second whitelist, allowing the signed executable to run; (Bhargava, FIG 11, 1110 local protection module intercepts network access attempt, 1120 determine program files corresponding to network access attempt, 1132 check to see if the program file checksum is in the checksum cache, if yes then proceed to step 1136; Col. 3, Lines 23-61 describes a trusted status [signed] and using one or more trust evaluation techniques (e.g. whitelist comparisons etc))
if the signed executable does not correspond to one of the second identifications in the second whitelist, (Bhargava, 1240, FIG 12, update central trusted cache with any program files found in the whitelist)
forwarding the signed executable to the server; (Bhargava, Col. 11, Lines 47-65 describes heuristic considerations; Col. 26, Lines 7-22, logic may be included in modules of the host or central server providing for evaluation of heuristic conditions)
upon reception of the signed executable, the server analyzing the signed executable at the server using the heuristics to determine if the malware exists in the signed executable, when the heuristics determine that the malware exists in the signed executable, (Bhargava, Col. 11, Lines 47-65 describes heuristic considerations; Col. 26, Lines 7-22, logic may be included in modules of the host or central server providing for evaluation of heuristic conditions)
notifying regarding the malware and blocking execution of the signed executable; (Bhargava, Col. 5, Lines 27-56 describes the central server determines that the program file is untrusted (malicious), the central server notifies the system regarding the untrusted program file and the untrusted file is blocked)
and when the analyzing the signed executable at the server using the heuristics determines that the malware is absent from the executable, (Bhargava, Col. 11, Lines 47-65 describes heuristic considerations; Col. 26, Lines 7-22, logic may be included in modules of the host or central server providing for evaluation of heuristic conditions)
updating the first whitelist and sending the transaction to the computer indicating that the signed executable is absent of the malware; (Bhargava, Col. 12, Lines 61-63, trusted once one of the internal or external whitelists has been updated to identify the new program file)
responsive to the transaction, the computer allowing the signed executable to run; (Bharagava, Col. 12, Lines 58-63, this embodiment allows program files that have previously been categorized as untrusted (e.g. a new internal program file not updated in internal whitelists and not known to global/external whitelists etc) to be recategorized to trusted once one of the internal or external whitelists has been updated to identify the new program file; Col. 17, Lines 12-17, if the trusted status is not overridden by policy (i.e. policy allows network access or no policy is applicable in step 770, however, then flow passes to step 790 where the software process is allowed network access)
when the analyzing the signed executable at the server using the heuristics determines that the malware may exists in the executable, (Bhargava, Col. 11, Lines 47-65 describes heuristic considerations; Col. 26, Lines 7-22, logic may be included in modules of the host or central server providing for evaluation of heuristic conditions; Col. 5, Lines 27-56 describes the central server determines that the program file is untrusted (malicious), the central server notifies the system regarding the untrusted program file and the untrusted file is blocked)
Bhargava fails to explicitly disclose the server queuing the executable for further research. 
However, in an analogous art, Polyakov discloses the server queuing the executable for further research, (Polyakov, Col. 10, Lines 30-65, describes if the server determines that there may be malicious software in the program files, the server sends the requested files for further analysis that is either automated or done by a human security expert and the malicious files are then blocked)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Polyakov with the method/system of Bhargava to include if the server determines that there may be malicious software in the executable, the server queues the executable for further research and execution of the executable is blocked provide users with a means for providing a system and method for determining a security status of potentially malicious files (Polyakov, Col. 10, Lines 30-65).

Regarding claim 14, claim 14 is directed to a computer program product comprising:  a non-statutory storage medium. Claim 14 is similar in scope to claim 1 and is therefore rejected under similar rationale.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) in view of Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Das et al ("Das," US 20130097659). 

Regarding claim 2, Bhargava and Polyakov disclose the system of claim 1.
Bhargava fails to explicitly disclose wherein the two whitelists are stored and accessed from storage associated with the server.
However, in an analogous art, Das discloses wherein the two whitelists are stored and accessed from storage associated with the server (Das, [0020], server may also support whitelists which may be stored in applications reputations database; FIG 3 shows a whitelist query for accessing whitelists)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Das with the method/system of Bhargava and Polyakov to include wherein the two whitelists are stored and accessed from storage associated with the server. One would have been motivated to whitelist applications in a mobile network environment (Das, [0020] & FIG 3). 

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) Polyakov et al (“Polyakov,” US 8,863,284) in view of Das et al ("Das," US 20130097659) and further in view of Bursell et al ("Bursell," US 20180097843). 

Regarding claim 3, Bhargava and Polyakov disclose the system of claim 2.
Bhargava fails to explicitly disclose wherein the storage associated with the server is cloud storage.
However, in an analogous art, Bursell discloses wherein the storage associated with the server is cloud storage (Bursell, [0058], the server may include one or more cloud storage devices). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bursell with the method/system of Bhargava and Polyakov to include wherein the storage associated with the server is cloud storage. One would have been motivated to providing a networked peer device round-robin security controller (Bursell, [0058]). 


Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) in view of Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Muttik et al ("Muttik," US 20170006049)

Regarding claim 4, Bhargava and Polyakov disclose the system of claim 1.
Bhargava fails to explicitly disclose wherein the further research includes human analysis of the executable.
However, in an analogous art, Muttik discloses  wherein the further research includes human analysis of the executable (Muttik, [0058], For example, if the subroutine appears in many different applications, and is executed very infrequently across all applications, it may be flagged as a suspicious subroutine and subjected to additional human analysis). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Muttik with the method/system of Bhargava and Polyakov to include wherein the further research includes human analysis of the executable. One would have been motivated to analyze applications and other executable objects at the subroutine level (Muttik, [0010]). 

Regarding claim 15, Bhargava and Polyakov disclose the computer program product of claim 14. 
Bhargava and Polyakov fail to explicitly disclose wherein the further research is performed by a human being.  
However, in an analogous art, Muttik discloses wherein the further research is performed by a human being, (Muttik, [0058], For example, if the subroutine appears in many different applications, and is executed very infrequently across all applications, it may be flagged as a suspicious subroutine and subjected to additional human analysis). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Muttik with the method/system of Bhargava and Polyakov to include wherein the further research is performed by a human being. One would have been motivated to analyze applications and other executable objects at the subroutine level (Muttik, [0010]). 
 
Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) in view of Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Alpern et al (“Alpern,” US 20090070752). 

Regarding claim 5, Bhargava and Polyakov disclose the system of claim 1.
Bhargava and Polyakov fail to explicitly disclose wherein further research includes a static analysis that includes software running on the server installing the executable on a clean computer that is isolated and scanning the executable using commercially available virus scanning software to determine if the executable includes the malicious software. 
However, in an analogous art, Alpern discloses wherein further research includes a static analysis that includes software running on the server installing the executable on a clean computer that is isolated and scanning the executable using commercially available virus scanning software to determine if the executable includes the malicious software, (Alpern, [0089], [0046], [0041] & [0086] describes a static analysis that includes software running on the server installing the executable on a clean computer that is isolated and scanning the executable using commercially available virus scanning software to determine if the executable includes malicious software)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Alpern with the method/system of Bhargava and Polyakov to include wherein further research includes a static analysis that includes software running on the server installing the executable on a clean computer that is isolated and scanning the executable using commercially available virus scanning software to determine if the executable includes the malicious software. One would have been motivated to optimize an application (Alphern, [0001]). 

Regarding claim 6, Bhargava and Polyakov disclose the system of claim 1. 
Bhargava and Polyakov fail to explicitly disclose wherein the further research includes software running on the server installing the executable on a clean computer that is isolated, running the executable on the clean computer and analyzing a file system and registry of the clean computer to determine if the executable includes the malicious software. 
	However, in an analogous art, Alpern discloses wherein the further research includes software running on the server installing the executable on a clean computer that is isolated, running the executable on the clean computer and analyzing a file system and registry of the clean computer to determine if the executable includes the malicious software, (Alpern, [0048], [0046], [0065]-[0066], [0086] describes software running on the server installing the executable on a clean computer that is isolated, running the executable on the clean computer and analyzing a file system and registry of the clean computer to determine if the executable includes the malicious software)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Alpern with the method/system of Bhargava and Polyakov to include wherein the further research includes software running on the server installing the executable on a clean computer that is isolated, running the executable on the clean computer and analyzing a file system and registry of the clean computer to determine if the executable includes the malicious software. One would have been motivated to optimize an application (Alphern, [0001]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Grubb et al ("Grubb," CN103180862, see the Google Translation of CN103180862)

Regarding claim 7, Bhargava and Polyakov disclose the system of claim 1.
Bhargava and Polyakov fail to explicitly disclose whereas the server notifies regarding the malicious software by sending an email to the user of the computer.
However, in an analogous art, Grubb discloses whereas the server notifies regarding the malicious software by sending an email to the user of the computer, (Grubb, [0202], the server can detect if the application shows malicious or undesirable behavior and can notify the user of this by email). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Grubb with the method/system of Bhargava and Polyakov to include whereas the server notifies regarding the malicious software by sending an email to the user of the computer. One would have been motivated to provide users with a means for providing a system and method for server-coupled malware prevention (Grubb, [0202]). 

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) Grubb et al ("Grubb," CN103180862, see the Google Translation of CN103180862) in view of Mahaffey et al ("Mahaffey," US 20110047620) and further in view of Xue et al ("Xue," US 20140298460). 

Regarding claim 8, Bhargava, Polyakov and Grubb disclose the system of claim 7.
Bhargava, Polyakov and Grubb fail to explicitly disclose wherein the email includes a description of the malicious software.
However, in an analogous art, Xue discloses wherein the email includes a description of the malicious software, 
However, in an analogous art, Mahaffey discloses wherein the email includes a description of the malicious software, (Mahaffey, [0035] & [0124] describe wherein the email includes a description of the malicious software)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mahaffey with the method/system of Bhargava, Polyakov and Grubb to include wherein the email includes a description of the malicious software.  One would have been motivated to provide a system and method for server-coupled malware prevention (Mahaffey, [0035] & [0124]).  

Regarding claim 9, Bhargava, Polyakov and Grubb disclose the system the claim 7. 
Bhargava and Polyakov fail to explicitly disclose wherein the email links to training on how to prevent future intrusions of malicious software into the computer. 
Bhargava, Polyakov and Mahaffey fail to explicitly disclose wherein the email links to training on how to prevent future intrusions of malicious software into the computer.
However, in an analogous art, Xue discloses  wherein the email links to training on how to prevent future intrusions of malicious software into the computer (Xue, FIG 1 shows an email with description of malicious url's; FIG 2, 206, Training URLs), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xue with the method/system of Bhargava, Polyakov, Grubb and Mahaffey to include wherein the email links to training on how to prevent future intrusions of malicious software into the computer. One would have been motivated provide malicious uniform resource locator detection (Xue, Figures 1-2). 

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) in view of Edwards et al (“Edwards,” US 20030115479).  

Regarding claim 12, Bharagava and Polyakov disclose the method of claim 10. 
Bhargava and Polyakov fail to explicitly disclose wherein the further research comprises scanning the executable using commercially available virus scanning software to determine if the executable includes the malware.  
However, in an analogous art, Edwards discloses wherein the further research comprises scanning the executable using commercially available virus scanning software to determine if the executable includes the malware, (Edward, [0019] & [0031], describe scanning the executable using commercially available virus scanning software to determine if the executable includes the malware) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Edwards with the method/system of Bhargava and Polyakov to include wherein the further research comprises scanning the executable using commercially available virus scanning software to determine if the executable includes the malware. One would have been motivated to scan process memory after initialization of the suspect process (Edwards, [0001]). 

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) in view of Thorell et al (“Thorell,” US 20080148060).  

Regarding claim 13, Bhargava and Polyakov disclose the method of claim 11. 
Bhargava and Polyakov fail to explicitly disclose wherein the further research comprising scanning the signed executable using commercially available virus scanning software to determine if the signed executable includes the malware. 
However, in an analogous art, Thorell discloses wherein the further research comprising scanning the signed executable using commercially available virus scanning software to determine if the signed executable includes the malware (Thorell, [0017], [0021], [0030] describes scanning the signed executable using commercially available virus scanning software to determine if the signed executable includes malicious code).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thorell with the method/system of Bhargava and Polyakov to include wherein the further research comprising scanning the signed executable using commercially available virus scanning software to determine if the signed executable includes the malware. One would have been motivated to maintain code integrity (Thorell, [0001]). 
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) in view of Alpern et al (“Alpern,” US 20090070752) and further in view of Grubb et al ("Grubb," CN103180862, see the Google Translation of CN103180862)

Regarding claim 16, Bhargava and Polyakov disclose the computer program product of claim 14. 
Bhargava and Polyakov fail to explicitly disclose wherein the further research includes a static analysis that comprises installing the executable on a clean computer that is isolated from a wide area network and scanning the executable with commercially available malicious software scan systems to determine if the executable includes the malicious software and when the executables include the malicious software, the computer readable instructions running on the server notifying regarding the malware by sending an email to a user of the computer, the email including the description of the malware.
However, in an analogous art, Alpern discloses wherein the further research includes a static analysis that comprises installing the executable on a clean computer that is isolated from a wide area network and scanning the executable with commercially available malicious software scan systems to determine if the executable includes the malicious software and when the executables include the malicious software, (Alpern, [0089], [0046], [0041] & [0086] describes a static analysis that includes software running on the server installing the executable on a clean computer that is isolated and scanning the executable using commercially available virus scanning software to determine if the executable includes malicious software)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Alpern with the method/system of Bhargava and Polyakov to include wherein the further research includes a static analysis that comprises installing the executable on a clean computer that is isolated from a wide area network and scanning the executable with commercially available malicious software scan systems to determine if the executable includes the malicious software and when the executables include the malicious software. One would have been motivated to optimize an application (Alphern, [0001]). 
Bhargava, Polyakov and Alpern fail to explicitly disclose the computer readable instructions running on the server notifying regarding the malware by sending an email to a user of the computer, the email including the description of the malware 
However, in an analogous art, Grubb discloses the computer readable instructions running on the server notifying regarding the malware by sending an email to a user of the computer, the email including the description of the malware (Grubb, [0202], the server can detect if the application shows malicious or undesirable behavior and can notify the user of this by email). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Grubb with the method/system of Bhargava, Polyakov and Alpern to include wherein the further research includes a static analysis that comprises installing the executable on a clean computer that is isolated from a wide area network and scanning the executable with commercially available malicious software scan systems to determine if the executable includes the malicious software and when the executables include the malicious software, the computer readable instructions running on the server notifying regarding the malware by sending an email to a user of the computer, the email including the description of the malware. One would have been motivated to provide users with a means for providing a system and method for server-coupled malware prevention (Grubb, [0202]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284), Alpern et al (“Alpern,” US 20090070752) in view of Grubb et al ("Grubb," CN103180862, see the Google Translation of CN103180862) and further in view of Xue et al ("Xue," US 20140298460). 

Regarding claim 17, Bhargava, Polyakov, Alpern and Grubb disclose the computer program product of claim 16. 
Bhargava, Polyakov, Alpern and Grubb fail to explicitly disclose wherein the email further comprises links to training on how to prevent future intrusions of the malware into the computer. 
However, in an analogous art, Xue discloses wherein the email further comprises links to training on how to prevent future intrusions of the malware into the computer (Xue, FIG 1 shows an email with description of malicious url's; FIG 2, 206, Training URLs), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xue with the method/system of Bhargava, Polyakov, Alpern and Grubb to include wherein the email further comprises links to training on how to prevent future intrusions of the malware into the computer. One would have been motivated provide malicious uniform resource locator detection (Xue, Figures 1-2). 

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101) in view of Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Fanton et al (“Fanton,” US 20110029772).  

Regarding claim 18, Bhargava and Polyakov discloses the computer program product of claim 14. 
Bhargava and Polyakov fail to explicitly disclose wherein the whitelists are stored in network storage such as cloud storage. 
However, in an analogous art, Fanton discloses wherein the whitelists are stored in network storage such as cloud storage, (Fanton, [0044]-[0045], [0070] describes wherein the whitelists are stored in network storage such as cloud storage; also see the Title)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bursell with the method/system of Bhargava and Polyakov to include wherein the whitelists are stored in network storage such as cloud storage.  One would have been motivated to store whitelists in cloud storage (Fanton, [0044]-[0045] and [0070]). 

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Zhou et al ("Zhou," US 20110185417). 

Regarding claim 19, Bhargava and Polyakov disclose the computer program product of claim 14.  
Bhargava and Polyakov fail to explicitly disclose wherein the whitelists are stored in hash tables.
However, in an analogous art, Zhou discloses wherein the whitelists are stored in hash tables (Zhou, [0037]-[0038] describes where whitelists are stored in hash tables). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhou with the method/system of Bhargava and Polyakov to include wherein the whitelists are stored in hash tables. One would have been motivated to provide memory whitelisting (Zhou, [0037]-[0038]). 




Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) and further in view of Mittal et al (“Mittal,” US 20120310983).  

Regarding claim 20, Bhargava and Polyakov disclose the computer program product of claim 14. 
Bhargava and Polyakov fail to explicitly disclose wherein the executable includes metadata.
However, in an analogous art, Mittal discloses wherein the executable includes metadata (Mittal, [0059], describes metadata associated with the executable). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Polyakov with the method/system of Bhargava and Polyakov to include wherein the executable includes metadata to provide users. One would have been motivated to determine whether a particular executable is allowed to access a particular data file (Mittal, [0013]). 







Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/JAMES J WILCOX/           Examiner, Art Unit 2439                                                                                                                                                                                             


/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439