Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Examiner’s Amendment and Examiner’s Reasons for Allowance action is in response to the filing of 07/13/2022. Claims 1, 3-5, 15 and 17-19 have been amended, and claims 2 and 16 have been cancelled per applicant’s request; therefore claims 1, 3-8, 15 and 17-20 are presently pending in the application and have been considered as follows.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/19/2018 has been entered.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given in an interview with Mohammad Zaryab (Reg. No. 77957) on 08/02/2022.
The application has been amended as follows: 

1. (Currently Amended) A method for protecting network resources comprising:
starting, by a processor, copy-on-write snapshotting for modifications to a plurality of files in storage, the modification initiated by a suspicious application;
detecting, by the processor, a modification of a file of the plurality of files;
determining, by the processor, whether the file is stored on a shared network resource or a local resource;
in response to determining that the file is stored on a shared network resource, determining, by the processor, that a current region of the file being modified is not already saved in a snapshot, and if the current region is not saved, saving the current region to a snapshot;
marking, by the processor, the current region as being saved;
in response to determining that the file is stored on the local resource, determining whether the file is using non-cached I/O;
in response to determining that the file is using the non-cached I/O and determining that the file is stored on the local resource, saving original data of the file to the snapshot during the non-cached I/O, otherwise:
determining that the file is stored on a remote volume and saving original data of the file to the snapshot during both cached and non-cached I/O [[IO]]
analyzing all saved regions that were modified and are associated with the snapshot for malicious activity; and
determining, based on the analyzing, that the suspicious application modifying the saved regions is malicious.

Claims 9-14 (Cancelled)

15. (Currently Amended) A system for protecting network resources comprising:
a hardware processor configured to:
start copy-on-write snapshotting for modifications to a plurality of files in storage, the modification initiated by a suspicious application;
detect a modification of a file of the plurality of files;
determine whether the file is stored on a shared network resource or a local resource;
in response to determining that the file is stored on a shared network resource, determine that a current region of the file being modified is not already saved in a snapshot, and if the current region is not saved, save the current region to a snapshot;
mark the current region as being saved;
in response to determining that the file is stored on the local resource, determine whether the file is using non-cached I/O;
in response to determining that the file is using the non-cached I/O and determining that the file is stored on the local resource, save original data of the file to the snapshot during the non-cached I/O, otherwise:
determine that the file is stored on a remote volume and save original data of the file to the snapshot during both cached and non-cached I/O [[IO]]
analyze all saved regions that were modified and are associated with the snapshot for malicious activity; and
determine, based on the analyzing, that the suspicious application modifying the saved regions is malicious.
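The region-level copy-on-write flow recited in claims 1 and 15, modelled as an added illustration that is not part of the Office action or the application. The 4096-byte region size, the location labels `shared`/`local`/`remote`, and the entropy-jump heuristic used for the "analyzing" step are assumptions; the claims do not specify them.

```python
import math
from collections import Counter

REGION = 4096  # assumed region size; the claims do not fix one

class CowSnapshot:
    """Region-level copy-on-write store for one monitored file."""
    def __init__(self):
        self.saved = {}  # region index -> original bytes; membership = "marked as saved"

    def before_write(self, data, offset, length, location, cached):
        """Save originals of the regions a pending write will touch.
        location is 'shared', 'local' or 'remote' (labels assumed for this sketch)."""
        if location == "local" and cached:
            return []  # local resource: originals are saved on the non-cached path only
        newly = []
        for idx in range(offset // REGION, (offset + length - 1) // REGION + 1):
            if idx not in self.saved:  # never overwrite an already-saved original
                self.saved[idx] = bytes(data[idx * REGION:(idx + 1) * REGION])
                newly.append(idx)
        return newly

def write(snapshot, data, offset, payload, location, cached):
    """Model of an intercepted write: snapshot first, then let the write land."""
    newly = snapshot.before_write(data, offset, len(payload), location, cached)
    data[offset:offset + len(payload)] = payload
    return newly

def entropy(buf):
    """Shannon entropy in bits per byte."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def looks_malicious(snapshot, current, jump=3.0, min_regions=2):
    """Assumed heuristic: enough saved regions went from low to high entropy."""
    hits = sum(
        1 for idx, original in snapshot.saved.items()
        if entropy(current[idx * REGION:(idx + 1) * REGION]) - entropy(original) >= jump
    )
    return hits >= min_regions

if __name__ == "__main__":
    doc = bytearray(b"A" * (3 * REGION))   # constructed sample file content
    noise = bytes(range(256)) * 32         # constructed stand-in for encrypted output
    snap = CowSnapshot()
    print(write(snap, doc, 0, noise, "shared", cached=True))
    print(looks_malicious(snap, doc))
```

Because each region is saved only once, the snapshot always holds the content as it was before the suspicious application's first write, which is what the analysis step compares against.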
Allowance
Applicant’s amendment to claims 1 and 15 is acknowledged. The claims have been reviewed and entered, and the amendment obviates the previously raised rejection under 35 USC 112(b) of claims 1, 3-8, 15 and 17-20, which is hereby withdrawn.

Applicant’s amendment to claims 3, 4, 17 and 18 is acknowledged. The claims have been reviewed and entered, and the amendment obviates the previously raised rejection under 35 USC 112(d) of claims 3, 4, 7 and 8, which is hereby withdrawn.

Applicant’s amendment to claims 1 and 15 is acknowledged. The claims have been reviewed and entered, and the amendment obviates the previously raised rejection under 35 USC 103 of claims 1, 3-8, 15 and 17-20, which is hereby withdrawn.

Claims 1, 3-8, 15 and 17-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: although the prior art of record (such as Chatterjee et al. (US 8046547)) discloses “Techniques for continuous data protection can include creating snapshots of one or more underlying storage volumes upon specific file system events. Generating snapshots upon every file close event can protect the files in a storage system by keeping a snapshot of every version or modification of each file. Removal of redundant snapshots can mitigate the impact on storage capacity associated with creating these large numbers of volume snapshots upon each file close event. Additionally, file closure lists can be employed to allow generating snapshots only when a previously closed file is reopened. Such an approach can protect the previous version of a file prior to the opening of a new version of the file. Such an approach can also mitigate storage capacity impact without the creation of redundant snapshots.” (Abstract),

none of the prior art, alone or in combination, teaches

 Independent Claim 1:  “…in response to determining that the file is stored on the local resource, determining whether the file is using non-cached I/O; in response to determining that the file is using the non-cached I/O and determining that the file is stored on the local resource, saving original data of the file to the snapshot during the non-cached I/O, otherwise: determining that the file is stored on a remote volume and saving original data of the file to the snapshot during both cached and non-cached I/O analyzing all saved regions that were modified and are associated with the snapshot for malicious activity; and determining, based on the analyzing, that the suspicious application modifying the saved regions is malicious.”.


in view of other limitations of claim 1.

Independent claim 15 is allowed based on the reasons mentioned above in regard to independent claim 1.

Dependent claims are allowed as they depend from an allowable independent claim.

The closest prior art made of record are:
Chatterjee et al. (US 8046547): Techniques for continuous data protection can include creating snapshots of one or more underlying storage volumes upon specific file system events. Generating snapshots upon every file close event can protect the files in a storage system by keeping a snapshot of every version or modification of each file. Removal of redundant snapshots can mitigate the impact on storage capacity associated with creating these large numbers of volume snapshots upon each file close event. Additionally, file closure lists can be employed to allow generating snapshots only when a previously closed file is reopened. Such an approach can protect the previous version of a file prior to the opening of a new version of the file. Such an approach can also mitigate storage capacity impact without the creation of redundant snapshots.
Crofton et al. (US 20180330088): The present disclosure describes systems and methods for detection and mitigation of malicious activity regarding user data by a network backup system. In a first aspect, a backup system receiving and deduplicating backup data from a plurality of computing devices may detect, based on changes in uniqueness or shared rates for files, atypical modifications to common files, and may take steps to mitigate any potential attack by maintaining versions of the common files prior to the modifications or locking backup snapshots. In a second aspect, the backup system may monitor file modification behaviors on a single device, relative to practices of an aggregated plurality of devices. Upon detection of potentially malicious modification activity, a previously backed up or synchronized store of data may be locked and/or duplicated, preventing any of the malicious modifications from being transferred to the backup system.
Mandgere et al. (US 20110258164): Embodiments of the invention detect inadvertent or malicious data corruption and for recovering data including receiving a query specifying corrupted application data; analyzing transaction logs to find update operations related to the data; determining where the data are stored, by mapping the table data to locations within the file system and mapping the file system locations to volume logical blocks; and analyzing snapshot volume bitmaps to determine if the bitmaps show changes to the table data stored in the volume logical blocks. Changes which are reflected in the bitmaps for the data, but which do not have corresponding entries in the transaction logs are flagged as unauthorized changes. Snapshots of the data, from a time prior to the time at which a flagged snapshot was taken, are identified for use in restoring data to its status prior to the unauthorized change.
Continella et al. (US 20180157834): A protection system and a protection method for protecting a computer system against ransomware attacks is provided. The system and method effectively detect the effects of ransomware attacks by combining automatic detection and transparent file-recovery capabilities at the filesystem level.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Conclusion



Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841.  The examiner can normally be reached on Monday through Friday between 8:00 AM to 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432