Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the amendment filed 6/07/2022.  Claims 1-15 and 21-25 are pending. Claims 1 (a method), 9 (a method), and 21 (a storage medium that excludes transmission media, App. Spec. ¶ 41) are independent.  Claims 1, 9, and 21 are amended. 

Response to Arguments
Applicant's arguments filed 6/07/2022 have been fully considered but they are not persuasive. 
On page 7 Applicant argues that the claims “generally recite two parts of an authentication process.  The first part is performed when a process is created for an application…. The second part is performed when the application subsequently initiates an I/O request…. 
The Office has failed to show that the prior art references teach or suggest any technique where an identifier of a first process I stored when an application creates the first process and then the same stored identifier is used to determine whether to allow an I/O request that the application makes.”
This argument is not persuasive.

Fanton discloses monitoring for process creation (see figure 3. “a monitoring step, step 310, monitors for process creation requests from code modules.” Fanton ¶ 84).  
Fanton utilizes a series of whitelists, starting with an MRU cache, to see if the process is allowed to execute (see Figure 6. “After the content authenticator for the code module is determined, at block 620, the next whitelist is checked for a matching entry.” Fanton ¶ 119, also ¶ 35, search for matching authenticator in whitelists.) 
After finding the process in a whitelist, the MRU cache is updated with the process identifier to reflect its allowance (“If during decision steps 610, 625, or 635 a entry corresponding to the code module is found, then processing proceeds to block 650. At block 650, a new MRU entry is created (or a least recently used MRU entry is overwritten) for the code module and the filename and run option found in the whitelist entry may be recorded in the new MRU entry.” Fanton ¶ 120. Update MRU cache with whitelist determination.)
After authorizing the process (Fanton Figure 3) a determination is made as to whether the process is allowed to execute additional code modules (Fanton Figure 4).  This allowance is based on the whitelist entry for the process (“At block 445, a decision has previously been made that the code module in question may continue to be mapped into memory…. the determination as to whether the load request should be granted may depend on the running process which is performing the loading request.” Fanton ¶ 98) 
This second authorizing, of Fanton Figure 4, is analogous to Applicant’s “when the application subsequently initiates an I/O request.”
Separately, MacLeod discloses filter drivers intercepting I/O requests and authorizing them based on a match of a process identifier in a whitelist. (“the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120, the filter manager 125 may perform a search for the identified process on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process.” Macleod ¶ 39. See also ¶¶ 93, 94, 110).

Therefore, the combination of Fanton in view of Macleod discloses two checks, one for initial execution of a process which adds the process to a whitelist (Fanton Figure 3 and ¶ 120) and a second check for access requests by the application previously added to the whitelist (Fanton Figure 4 and Macleod).  For at least the above reasons Applicant’s arguments are not persuasive.
 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-3, 5, 14, 15, 21-23, and 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05).
	As to claims 1 and 21, Fanton discloses the method/CRM comprising:
registering to be notified when a process is created; (“a monitoring step, step 310, monitors for process creation requests from code modules. In one embodiment, the kernel mode driver 115 is activated as new processes are created, just before execution. For example, in the context of the Windows operating system, the OS process creation activity monitor 150 may intercept new process creation activity by hooking to the Windows ® CreateSection API call…” Fanton ¶ 84)
in response to a notification that a first process is being created (“a monitoring step, step 310, monitors for process creation requests from code modules.” Fanton ¶ 84), identifying an application for which the first process is being created; (“At block 605, the MRU cache is scanned to determine, see decision block 610, if an entry associated with the requested code module is present.” Fanton ¶ 119.  The entries being the pathname, see Fanton Figure 6. See also Fanton ¶¶ 11, 50, 52, 55, 118-119.)
obtaining a precomputed hash for the application; (“After the content authenticator for the code module is determined, at block 620, the next whitelist is checked for a matching entry.” Fanton ¶ 119, stored in the whitelists, Fanton ¶¶ 50 and 52. The authenticator being a hash.)
computing a hash for the application and comparing the computed hash to the precomputed hash; (“if the request cannot be authenticated with reference to the MRU cache, then a content authenticator associated with the code module may be generated. The content authenticator may be a cyptographically-secure hash value. In some embodiments, a hash algorithm such as secure hash algorithm 256 (SHA-256) may be utilized to generate a content authenticator.” Fanton ¶ 11)
(“After the content authenticator for the code module is determined, at block 620, the next whitelist is checked for a matching entry.” Fanton ¶ 119, also ¶ 35, search for matching authenticator in whitelists.) upon determining that the computed hash matches the precomputed hash, storing an identifier of the first process; and (“If during decision steps 610, 625, or 635 a entry corresponding to the code module is found, then processing proceeds to block 650. At block 650, a new MRU entry is created (or a least recently used MRU entry is overwritten) for the code module and the filename and run option found in the whitelist entry may be recorded in the new MRU entry.” Fanton ¶ 120. Update MRU cache with whitelist determination.) to thereby enable the identifier of the first process to be used to authenticate the application (“At block 445, a decision has previously been made that the code module in question may continue to be mapped into memory…. the determination as to whether the load request should be granted may depend on the running process which is performing the loading request.” Fanton ¶ 98) when the application subsequently initiates I/O requests; (“FIG. 4 is a flow diagram illustrating a method 400 for authorization of loading of code modules by running processes” Fanton ¶ 95, the running process being the previously authenticated process whose execution updated the MRU cache in Fanton ¶ 120)
in response to receiving an I/O request that was initiated by the application, (“FIG. 4 is a flow diagram illustrating a method 400 for authorization of loading of code modules by running processes” Fanton ¶ 95, the running process being the previously authenticated process whose execution updated the MRU cache in Fanton ¶ 120) authenticating the application by determining that a process identifier associated with the I/O request (see Fanton Figure 6, step 605 “check MRU Cache for RunOption this path/filename”)

Fanton suggests that the process loading the code module (Fanton Figure 4) is based on checking the MRU cache for the process performing the loading (Fanton ¶ 98).  However, Fanton does not explicitly disclose the matching identifiers use case:
 matches the stored identifier of the first process.

Macleod discloses a whitelist for authorizing applications to perform file I/O (¶ 97).  Macleod discloses:
in response to receiving an I/O request that was initiated by the application, (“Responsive to determining that the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120” Macleod ¶ 39) authenticating the application by determining that a process identifier associated with the I/O request matches the stored identifier of the first process.
(“the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120, the filter manager 125 may perform a search for the identified process on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process.” Macleod ¶ 39. See also ¶¶ 93, 94, 110).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton with Macleod by monitoring all file accesses by a program and using a whitelist to authorize said file accesses, as done in Macleod.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton with Macleod in order to prevent malware or ransomware from corrupting or otherwise compromising stored files in real-time, see Macleod ¶¶ 24-28.

As to claims 2 and 22, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
wherein identifying the application for which the process is being created comprises obtaining a name of the application's executable. (“the MRU cache is an in-memory list of code module file path names (identifying EXEs, DLLs, Scripts, etc.) and associated run-options for the corresponding file path names.” Fanton ¶ 55. See Fanton Fig. 5 showing a full path and executable name.  The path name being obtained and used to check the MRU cache in ¶ 119)

As to claims 3 and 23, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
wherein identifying the application for which the process is being created comprises obtaining a full path of the application's executable. (“the MRU cache is an in-memory list of code module file path names (identifying EXEs, DLLs, Scripts, etc.) and associated run-options for the corresponding file path names.” Fanton ¶ 55. See Fanton Fig. 5 showing a full path and executable name.  The path name being obtained and used to check the MRU cache in ¶ 119)

As to claims 5 and 25, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
wherein the precomputed hash for the application is a precomputed hash of the application's executable (“a global whitelist may identify code modules …. the fields may include one or more of the following: a content authenticator, a file name and/or a file path, information identifying the user or process that created and/or last edited the entry, a run option, additional flags describing what processing should occur for this entry such as an “interpreter” flag, a time stamp, and/or the like.” Fanton ¶ 50) and wherein computing the hash for the aReply to Restriction Requirement mailed March 7, 2022pplication comprises computing a hash of the application's executable for which the first process is being created. (“a content authenticator is computed for the requested code module at block 615.” Fanton ¶ 119. An authenticator comprises a hash, Fanton ¶ 49).

As to claim 14, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
Maintaining a white list that identifies process identifiers of running applications that have been authenticated, (“If during decision steps 610, 625, or 635 a entry corresponding to the code module is found, then processing proceeds to block 650. At block 650, a new MRU entry is created (or a least recently used MRU entry is overwritten) for the code module and the filename and run option found in the whitelist entry may be recorded in the new MRU entry.” Fanton ¶ 120.  The applications in the MRU being “running” at least after initial authentication.) wherein storing the identifier of the first process comprises storing the identifier of the first process in the white list (“new entries may be added to the MRU cache as code modules are authenticated and then allowed or disallowed to load or execute. In some embodiments, the MRU cache is an in-memory list of code module file path names (identifying EXEs, DLLs, Scripts, etc.) and associated run-options for the corresponding file path names.” Fanton ¶ 55)

As to claim 15, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
Wherein authenticating the application by determining that the process identifier associated with the I/O request matches the stored identifier of the first process comprises accessing the white list. (“the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120, the filter manager 125 may perform a search for the identified process on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process.” Macleod ¶ 39. See also ¶¶ 93, 94, 110)

Claim 4, 9-11 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), and Mclean, US 2010/0275026 (filed 2009-04).
As to claims 4 and 24, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 but does not disclose: 
wherein obtaining the precomputed hash for the application comprises sending a name of the application's executable to a security service, wherein the security service uses the name to access a policy in which the name is mapped to the precomputed hash.

Mclean discloses:
wherein obtaining the precomputed hash for the application comprises sending a name of the application's executable to a security service, wherein the security service uses the name to access a policy in which the name is mapped to the precomputed hash. (“a connection is established to the signing server 26 (i.e., test 118=“Yes”), the processor may request a signature 2 file and identify the particular application software for which the verification information is required, step 120. This information should be sufficient to enable the signing server 26 to locate a corresponding data file within the signing server's memory (e.g., within a countermeasures database maintained in the signing server). For example, the computing device 28, 30 may provide the name, identifier and/or serial number for the particular application software.” Mclean ¶ 41.  “Using the information provided by the computing device 28, 30, the signing server 26 can prepare and send a new signature 2 file 58 to the computing device 28, 30 which receives it in step 124.” Mclean ¶ 45)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod with Mclean by utilizing a pathname of Fanton to lookup an associated whitelist/hash entry in a global whitelist, as done in Mclean for performing local validation.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod with Mclean in order to request and obtain trusted hashes of an executable into the local whitelist in order to allow for the executable to be authenticated on the executing machine and added to the MRU cache, e.g. Mclean ¶ 39.

As to claim 9, Fanton discloses a method comprising:
registering a first callback routine to be called when a process is being created; (“a monitoring step, step 310, monitors for process creation requests from code modules. In one embodiment, the kernel mode driver 115 is activated as new processes are created, just before execution. For example, in the context of the Windows operating system, the OS process creation activity monitor 150 may intercept new process creation activity by hooking to the Windows ® CreateSection API call…” Fanton ¶ 84)
registering a second callback routine for handling I/O requests; (“loading of code modules by running processes …. For example, in the context of the Windows operating system, the OS module load activity monitor 145 may intercept module loading activity by hooking to the Windows® CreateSection API call” Fanton ¶ 95)
to thereby enable the identifier of the first process to be used to authenticate the application (“At block 445, a decision has previously been made that the code module in question may continue to be mapped into memory…. the determination as to whether the load request should be granted may depend on the running process which is performing the loading request.” Fanton ¶ 98) when the application subsequently initiates I/O requests; (“FIG. 4 is a flow diagram illustrating a method 400 for authorization of loading of code modules by running processes” Fanton ¶ 95, the running process being the previously authenticated process whose execution updated the MRU cache in Fanton ¶ 120)
in response to the first callback routine being called when a first process is being created, (“a monitoring step, step 310, monitors for process creation requests from code modules.” Fanton ¶ 84) performing the following within the first callback routine: 
identifying a name of an application's executable for which the first process is being created; (“At block 605, the MRU cache is scanned to determine, see decision block 610, if an entry associated with the requested code module is present.” Fanton ¶ 119.  The entries being the pathname, see Fanton Figure 6. See also Fanton ¶¶ 11, 50, 52, 55, 118-119.)
…
calculating a hash of the application's executable; (“if the request cannot be authenticated with reference to the MRU cache, then a content authenticator associated with the code module may be generated. The content authenticator may be a cyptographically-secure hash value. In some embodiments, a hash algorithm such as secure hash algorithm 256 (SHA-256) may be utilized to generate a content authenticator.” Fanton ¶ 11)
…
 storing an identifier of the first process in a white list; (“If during decision steps 610, 625, or 635 a entry corresponding to the code module is found, then processing proceeds to block 650. At block 650, a new MRU entry is created (or a least recently used MRU entry is overwritten)
in response to the second callback routine being called to handle a first I/O request, (“FIG. 4 is a flow diagram illustrating a method 400 for authorization of loading of code modules by running processes” Fanton ¶ 95, the running process being the previously authenticated process whose execution updated the MRU cache in Fanton ¶ 120) performing the following within the second callback routine: 
obtaining a process identifier associated with the first I/O request; and 
accessing the white list to determine that the process identifier associated with the first I/O request matches (“At block 445, a decision has previously been made that the code module in question may continue to be mapped into memory…. the determination as to whether the load request should be granted may depend on the running process which is performing the loading request.” Fanton ¶ 98)
….

Fanton does not disclose:
sending the name to a security service; 
receiving, from the security service, a precomputed hash that is associated with the name; 
comparing the calculated hash to the precomputed hash; and 
in response to determining that the calculated hash matches the precomputed hash,
matches the stored identifier of the first process
in response to determining that the process identifier associated with the first I/O request matches the stored identifier of the first process, allowing the first I/O request.


Macleod discloses a whitelist for authorizing applications to perform file I/O (¶ 97).  Macleod discloses:
Callback (“The filter manager 125 may identify minifilter driver A 320 by a callback. First, the minifilter driver A 320 registers and then it identifies which events it is interested in.” Macleod ¶ 86.)
Accessing the white list to determine that the process identifier associated with the first I/O request matches the stored identifier of the first process.
(“the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120, the filter manager 125 may perform a search for the identified process on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process.” Macleod ¶ 39. See also ¶¶ 93, 94, 110).
in response to determining that the process identifier associated with the first I/O request matches the stored identifier of the first process (“The whitelist may identify applications 225 based on their file name, size, and directory paths. In one embodiment, the whitelist may use a combination of cryptographic hash techniques and digital signatures linked to the manufacturer or developer of each component or piece of software 225.” Macleod ¶ 93), allowing the first I/O request. (“the managed node 100 may determine that the identified process 225 is a trusted process by locating the identified process 225 on the whitelist of programs. The minifilter driver then ignores the detected file operation request.” Macleod ¶ 94. “The whitelist of programs may include a list of acceptable entities (software applications, email addresses, users, processes, devices, etc.) that are allowed access to the managed node 100.” Macleod ¶ 93. Ignoring the file operation being the allowance of the file operation, instead of preventing the operation in Macleod ¶ 95)


A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton with Macleod by monitoring all file accesses by a program and using a whitelist to authorize said file accesses, as done in Macleod.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton with Macleod in order to prevent malware or ransomware from corrupting or otherwise compromising stored files in real-time, see Macleod ¶¶ 24-28.

Fanton in view of Macleod does not disclose:
sending the name to a security service; 
receiving, from the security service, a precomputed hash that is associated with the name; 
comparing the calculated hash to the precomputed hash; and 
in response to determining that the calculated hash matches the precomputed hash,

Mclean discloses:
sending the name to a security service; (“a connection is established to the signing server 26 (i.e., test 118=“Yes”), the processor may request a signature 2 file and identify the particular application software for which the verification information is required, step 120. This information should be sufficient to enable the signing server 26 to locate a corresponding data file within the signing server's memory (e.g., within a countermeasures database maintained in the signing server). For example, the computing device 28, 30 may provide the name, identifier and/or serial number for the particular application software.” Mclean ¶ 41.)
receiving, from the security service, a precomputed hash that is associated with the name; (“Using the information provided by the computing device 28, 30, the signing server 26 can prepare and send a new signature 2 file 58 to the computing device 28, 30 which receives it in step 124.” Mclean ¶ 45)

comparing the calculated hash to the precomputed hash; and (“If the signature 2 file is present the processor performs the verification routine within the signature 2 file on the unpacked software, step 104. As described below, the verification routine in the signature 2 file may be a standard hash function” Mclean ¶ 39)
in response to determining that the calculated hash matches the precomputed hash, (“If the two values are equal (i.e., test 112=“Yes”), the processor is informed that the software can be trusted and execution will proceed accordingly” Mclean ¶ 39)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod with Mclean by utilizing a pathname of Fanton to lookup an associated whitelist/hash entry in a global whitelist, as done in Mclean for performing local validation.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod with Mclean in order to request and obtain trusted hashes of an executable into the local whitelist in order to allow for the executable to be authenticated on the executing machine and added to the MRU cache, e.g. Mclean ¶ 39.

As to claim 10, Fanton in view of MacLeod and Mclean discloses the method of claim 9 and further discloses:
wherein sending the name to the security service includes sending a full path to the application's executable. (see Fanton figure 5, full path names, as combined with Mclean to do the lookup based on the pathname.)

As to claim 11, Fanton in view of MacLeod and Mclean discloses the method of claim 9 and further discloses:
in response to the second callback routine (“loading of code modules by running processes …. For example, in the context of the Windows operating system, the OS module load activity monitor 145 may intercept module loading activity by hooking to the Windows® CreateSection API call” Fanton ¶ 95) being called to handle a second I/O request, (“a monitoring step, step 310, monitors for process creation requests from code modules.” Fanton ¶ 84) performing the following within the second callback routine: 
obtaining a process identifier associated with the second I/O (Macleod ¶ 39. See also ¶¶ 93, 94, 110) request; (“At block 605, the MRU cache is scanned to determine, see decision block 610, if an entry associated with the requested code module is present.” Fanton ¶ 119.  The entries being the pathname, see Fanton Figure 6. See also Fanton ¶¶ 11, 50, 52, 55, 118-119.)
accessing the white list to determine that the process identifier associated with the second I/O request is not included in the white list; and (“If an entry is not found then…” Fanton ¶ 119. The initial search of the MRU cache yields no results, then search the other whitelists.)
associating context with the second I/O request, the context indicating that modifications to a file targeted by the second I/O request should be blocked. (“a run option may be set to an “unconditional deny” state in one or more of the whitelists.” Fanton ¶ 88, see also figure 5 showing the unconditional deny.)


Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), and Teal et al., US 8,950,007 (filed 2010-01).
As to claim 6, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 and further discloses: 
in response to a notification that the first process … discarding the stored identifier of the first process. (“when the kernel mode driver 115 intercepts file system write activity via the OS file system activity monitor 155 for any of the files in the MRU cache 160, the entry associated with the file may be removed from the list or marked as invalid” Fanton ¶ 66)

Fanton in view of MacLeod does not disclose:
is being deleted,

Teal discloses:
is being deleted,
(“administrator can then: … or 3. Reject each policy individually (removing them from the endpoint as soon as possible), preventing the use of the application--the recommended process is to uninstall the application manually or automatically and remove the policy, to avoid registry garbage.” Teal col. 31, ln. 25)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod with Teal by removing the entry from the MRU cache of Fanton in response to an administrators decision to uninstall the application.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod with Teal in order to remove undesired applications from the system while avoiding cache garbage (Teal col. 31, ln. 25) and to prevent the MRU of Fanton from authenticating an application that has been modified by uninstallation. 

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), and Perrone et al., US 2008/0178256 (filed 2008-01).
As to claim 7, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 but does not disclose: 
further comprising: in conjunction with authenticating the application, accessing a policy to determine whether a current user is authorized to use the application to modify an artifact that is the target of the I/O request.

Perrone discloses:
further comprising: in conjunction with authenticating the application, accessing a policy to determine whether a current user is authorized to use the application to modify an artifact that is the target of the I/O request.
(“Users of client computers and client computers themselves are organized into roles. Executable files are organized into file groups. The intersection of file groups and roles determines policy for file execution and file write permissions. Therefore, a user on client computer and a client computer itself are either authorized or prohibited to execute files according to the intersection of the role in which the user of client computer or client computer itself intersects with the file group in which the file resides.” ¶ 7)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod with Perrone by including the permission check of Perrone in the system of Fanton in view of MacLeod.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod with Perrone in order to establish user policies for application execution in order to prevent  unauthorized users from changing system configurations or otherwise operating a companies assets in an undesired manner, Perrone ¶ 7.

Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), and Goodwin et al., US 2005/0177539 (filed 2004-01).
As to claim 8, Fanton in view of Macleod discloses the method/CRM of claims 1 and 21 but does not disclose: 
wherein the I/O request is an IRP_MJCREATE request.

Goodwin discloses:
wherein the I/O request is an IRP_MJCREATE request.
(“An IRP containing the major function code IRP_MJ_CREATE also has one or more fields indicating the type of access that might be requested in a future IRP from the corresponding user-mode protected subsystem or a higher-level driver. In other words, an IRP containing the major function code IRP_MJ_CREATE is a precursor to a future IRP (which will represent a request for access to a volume) whose requested degree of access might be impermissible. An embodiment according to the invention, at least in part, is the recognition that failing such a precursor IRP (e.g., containing IRP_MJ_CREATE)” Goodwin ¶ 47)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod with Goodwin by monitoring the IRP_MC_CREATE command in the hook monitor of Fanton (¶¶ 61, 95).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod with Goodwin in order to scrutinize specific commands that may alter the filesystem and avoid the processing expense of scrutinizing read commands, Goodwin ¶¶ 48 and 49.


Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), Mclean, US 2010/0275026 (filed 2009-04), and Perrone et al., US 2008/0178256 (filed 2008-01).
As to claim 12, Fanton in view of Macleod and Mclean discloses the method of claims 9 and further discloses: 
in response to the second callback routine being called to handle the first I/O request, (“loading of code modules by running processes …. For example, in the context of the Windows operating system, the OS module load activity monitor 145 may intercept module loading activity by hooking to the Windows® CreateSection API call” Fanton ¶ 95) also performing the following within the second callback routine: 
querying the security service (“After the content authenticator for the code module is determined, at block 620, the next whitelist is checked for a matching entry. This whitelist may be another MRU cache, a local whitelist, or a global whitelist. If no matching entry is found, then at block 630, the next prioritized whitelist is checked.” Fanton ¶ 119) 

Fanton in view of Macleod and Mclean does not disclose
to determine whether a current user can modify a file targeted by the first I/O request.


Perrone discloses:
to determine whether a current user can modify a file targeted by the first I/O request.
 (“Users of client computers and client computers themselves are organized into roles. Executable files are organized into file groups. The intersection of file groups and roles determines policy for file execution and file write permissions. Therefore, a user on client computer and a client computer itself are either authorized or prohibited to execute files according to the intersection of the role in which the user of client computer or client computer itself intersects with the file group in which the file resides.” ¶ 7)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod and Mclean with Perrone by including the permission check of Perrone in the system of Fanton in view of MacLeod and Mclean.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod and Mclean with Perrone in order to establish user policies for application execution in order to prevent  unauthorized users from changing system configurations or otherwise operating a companies assets in an undesired manner, Perrone ¶ 7.


Claim 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al., US 2006/0150256 (filed 2005-12), in view of MacLeod et al., US 2018/0351969 (filed 2018-05), Mclean, US 2010/0275026 (filed 2009-04), and Goodwin et al., US 2005/0177539 (filed 2004-01).
As to claim 13, Fanton in view of Macleod and Mclean discloses the method of claim 9 but does not disclose: 
wherein the second callback routine is registered for handling IRP_MJCREATE requests, and wherein the first I/O request is an IRP_MJCREATE request.

Goodwin discloses:
wherein the second callback routine is registered for handling IRP_MJCREATE requests, and wherein the first I/O request is an IRP_MJCREATE request. 
(“An IRP containing the major function code IRP_MJ_CREATE also has one or more fields indicating the type of access that might be requested in a future IRP from the corresponding user-mode protected subsystem or a higher-level driver. In other words, an IRP containing the major function code IRP_MJ_CREATE is a precursor to a future IRP (which will represent a request for access to a volume) whose requested degree of access might be impermissible. An embodiment according to the invention, at least in part, is the recognition that failing such a precursor IRP (e.g., containing IRP_MJ_CREATE)” Goodwin ¶ 47)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Fanton in view of MacLeod and Mclean with Goodwin by monitoring the IRP_MC_CREATE command in the hook monitor of Fanton (¶¶ 61, 95).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Fanton in view of MacLeod and Mclean with Goodwin in order to scrutinize specific commands that may alter the filesystem and avoid the processing expense of scrutinizing read commands, Goodwin ¶¶ 48 and 49.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Wyatt et al., US 2022/0188425 discloses a software analysis server that uses application IDs and whitelists. 
Mayo, US 2018/0082047, discloses a file execution security agent that authorizes application launch.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492