Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to RCE filed on 7/13/2022. Claims 1, 14 and 19 are independent. Claims 2, 5, 8 and 15-18 are canceled. Claims 21-27 are new. Claims 1, 3, 4, 6, 7, 9-14 and 19 are amended. Claims 1, 3, 4, 6, 7, 9-14 and 19-27 are currently pending.

Response To Argument
Applicant's arguments with respect to the rejections of claims 1, 3, 4, 6, 7, 9-14 and 19 under 35 U.S.C. 103 are persuasive. The rejections are withdrawn.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
BEGIN AMENDMENT
1. (Currently Amended) A computing apparatus, comprising: 
a processor circuit and a memory; and 
instructions encoded within the memory to instruct the processor circuit to:
scan a plurality of files of computing apparatus, and for respective files, identify a first filename extension, and a first four-byte sequence that corresponds to the first filename extension, and store the first filename extensions and identifying information for the first four-byte sequences in a data structure; 
determine that a process has, within a temporal window, changed a number of existing files exceeding a threshold, wherein determining that the process has changed an existing file comprises detecting that the process has changed a file extension for the existing file to a second filename extension different from the first filename extension, and that a second four byte sequence for the changed file is different from the first four-byte sequence; and 
based on the determining, taking a ransomware remediation action.
END AMENDMENT
NOTE: a period “.” is added to the end of claim 1.

Allowable Subject Matter
Claims 1, 3, 4, 6, 7, 9-14 and 19-27 are allowed.
The following is an examiner’s statement for allowance: 
The closest prior art Adams (US 10121003 B1) teaches a method for detecting malware, particularly ransomware. Ransomware encrypts files, making them useless to the owner. The entropy value of files is calculated and, in response to a predetermined event, such as a write operation to the file, a new entropy value is calculated. If the change in entropy value exceeds a threshold, or if the magic number of a file is missing or is inconsistent with the file type, then malware may be present. Steps are then taken to prevent further encryption by the malware.
The closest prior art BEDHAPUDI et al. (US 20190108340 A1) teaches a method for detecting ransomware. Ransomware typically involves an I/O heavy process of encrypting data files and/or deleting or renaming the original files. Thus, ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine monitors the I/O activity in a file system. The software module records the number of times the files in the file system are modified, created, deleted, and renamed. The recorded number is compared against a threshold. If the number exceeds the threshold, the software module provides an alert to the user of the client machine that the client machine may be under a ransomware attack. In some embodiments, index data gathered as part of backup operations is utilized, either alone or in combination with the continuously monitored I/O activity data, to detect ransomware attacks.
The closest prior art BALUPARI et al. (US 20200128028 A1) teaches a method for collecting metadata on files stored on the cloud-based file storage service. The files are manipulated. The cloud-based file storage service supports manipulation by creating. The collected metadata includes an extension of a file name, a magic number, and a size. The collected metadata is stored as historical metadata separate from and not under control of the cloud-based file storage service. Multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files are detected. The extension, the magic number and the size included in the historical metadata are compared to at least one of the extension, the magic number and the size included in current metadata of the files to identify changes in the files.
None of the prior art of record teaches or suggests, alone or in combination, the particular combination of steps recited below:
“determine that a process has, within a temporal window, changed a number of existing files exceeding a threshold, wherein determining that the process has changed an existing file comprises detecting that the process has changed a file extension for the existing file to a second filename extension different from the first filename extension, and that a second four byte sequence for the changed file is different from the first four-byte sequence; and based on the determining, taking a ransomware remediation action”.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
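The detection logic recited in amended claim 1, sketched as an added example that is not taken from the application or from the cited references. The class and function names, the sample paths, byte strings, threshold and window are all constructed for illustration, and the remediation action is left to the caller.

```python
import os
from collections import defaultdict, deque

def build_baseline(files):
    """Scan step: map each path to (extension, first four bytes). `files` is {path: content}."""
    return {p: (os.path.splitext(p)[1].lower(), data[:4]) for p, data in files.items()}

class ExtensionMagicMonitor:  # hypothetical name
    def __init__(self, baseline, threshold, window_s):
        self.baseline = dict(baseline)
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)  # pid -> timestamps of qualifying changes
        self.flagged = set()

    def observe(self, ts, pid, old_path, new_path, new_head):
        """Record one file change; return True once pid has exceeded the threshold."""
        known = self.baseline.get(old_path)
        if known is None:
            return pid in self.flagged  # not an existing, previously scanned file
        old_ext, old_magic = known
        new_ext = os.path.splitext(new_path)[1].lower()
        # Both conditions must hold: extension changed AND first four bytes changed.
        if new_ext != old_ext and new_head[:4] != old_magic:
            q = self.hits[pid]
            q.append(ts)
            while q and ts - q[0] > self.window_s:  # drop hits outside the window
                q.popleft()
            if len(q) > self.threshold:
                self.flagged.add(pid)  # caller takes the remediation action
        return pid in self.flagged

# Constructed sample data: five PDFs and one JPEG.
FILES = {f"/home/u/doc{i}.pdf": b"%PDF-1.7 sample" for i in range(5)}
FILES["/home/u/pic.jpg"] = b"\xff\xd8\xff\xe0JFIF"

def run_sample():
    mon = ExtensionMagicMonitor(build_baseline(FILES), threshold=3, window_s=10)
    # pid 100: benign rename, extension changes but the leading bytes do not.
    results = [mon.observe(0.0, 100, "/home/u/pic.jpg", "/home/u/pic.jpeg",
                           b"\xff\xd8\xff\xe0")]
    # pid 200: rewrites and renames five PDFs one second apart.
    for i in range(5):
        results.append(mon.observe(1.0 + i, 200, f"/home/u/doc{i}.pdf",
                                   f"/home/u/doc{i}.pdf.locked", b"\x8a\x11\xc3\x5e"))
    return results, mon.flagged

if __name__ == "__main__":
    print(run_sample())
```

With a threshold of 3, the fourth qualifying change inside the window is the one that flags the process; the same five changes spread further apart than the window never do.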

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 



/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437