Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/19/2022 has been entered.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Frank Liebenow (Reg. No: 48,688) on 09/07/2022.

CLAIMS
The application has been amended as follows: 

1. (Currently Amended) A system for computer security, the system comprising:
two whitelists, a first whitelist of the two whitelists for signed executables and a second whitelist of the two whitelists for unsigned executables;
a server, the server having a server processor and storage containing the two whitelists;
a computer protected by the system for computer security, the computer having a processor and memory, the processor is configured to:
detect an attempt to run an executable, 
determine when the executable includes a digital signature stored within the executable, the digital signature having been issued by a certification authority; 
when the executable includes the digital signature, search the first whitelist for the executable and when the executable is present on the first whitelist, allow the executable to run; 
when the executable is without the digital signature, search the second whitelist for the executable and when the executable is present on the second whitelist, allow the executable to run;
when the executable is not found in a respective whitelist of the two whitelists, forward the executable, a metadata of the executable, or all or a portion of the executable to the server;
 the server processor is configured to:
further analyze[[s]] the executable and when malicious software exists in the executable, send an email to a user of the computer to notify the user of the malicious software and block the executable;
when no malicious software exists in the executable, update the respective whitelist of the two whitelists and send a transaction to the computer;
responsive to the computer receiving the transaction, the processor is configured to allow the executable to run; 
when there may be the malicious software in the executable, the server processor is configured to queue the executable for further research and execution of the executable is blocked;
wherein the further research includes the server processor being further configured to install the executable on a clean computer that is isolated, to run the executable on the clean computer, and to analyze a file system and registry of the clean computer to determine if the executable includes the malicious software; and
wherein the email includes a link to training on how to prevent future intrusions of the malicious software into the computer.
2. (Previously Presented) The system of claim 1, wherein the email further comprises training regarding malware.
3. (Original) The system of claim 2, wherein the storage associated with the server is cloud storage.
4. (Original) The system of claim 1, wherein the further research includes human analysis of the executable.
5. (Currently Amended) The system of claim 1, wherein the further research includes the server processor being further configured to install the executable on [[a]] the clean computer that is isolated and scanning the executable using a commercially available virus scanning software to determine if the executable includes the malicious software.
6. (Canceled)
7. (Canceled)
8. (Previously Presented) The system of claim 1, wherein the email includes a description of the malicious software.
9. (Canceled)
10. (Currently Amended) A method of protecting a computer, the method comprising:
providing two whitelists, a first whitelist of the two whitelists for signed executables and a second whitelist of the two whitelists for unsigned executables;
providing a server, the server having a server processor and storage containing the two whitelists;
providing a computer for being protected, the computer having a processor and memory;
the processor is configured for detecting an attempt to run an executable and determining when the executable includes a digital signature stored within the executable, the digital signature having been issued by a certification authority; 
when the executable includes the digital signature, the processor searching the first whitelist for the executable and when the executable is present on the first whitelist, the processor allowing the executable to run; 
when the executable is without the digital signature, the processor searching the second whitelist for the executable and when the executable is present on the second whitelist, the processor allowing the executable to run;
when the executable is not found in a respective whitelist of the two whitelists, the processor forwarding the executable, a metadata of the executable, or all or a portion of the executable to the server;
 the server processor is configured for further analyzing the executable and when malicious software exists in the executable, the server processor sending an email to a user of the computer to notify the user of the malicious software and the computer blocking the executable;
when no malicious software exists in the executable, the server processor updating the respective whitelist of the two whitelists and sending a transaction to the computer;
responsive to the computer receiving the transaction, the processor allowing the executable to run; and
when there may be the malicious software in the executable, the server processor queuing the executable for further research and blocking execution of the executable;
wherein the further research includes the server processor further installing the executable on a clean computer that is isolated, running the executable on the clean computer, and analyzing a file system and registry of the clean computer, determining if the executable includes the malicious software; and
wherein the email includes a link to training on how to prevent future intrusions of the malicious software into the computer.
11. (Canceled)
12. (Currently Amended) The method of claim 10, wherein the further research comprises scanning the executable using commercially available virus scanning software to determine if the executable includes the malicious software.
13. (Canceled)
14. (Currently Amended) A computer program product comprising:
a non-transitory storage medium of a computer having computer readable instructions stored therewith and two whitelists, a first whitelist of the two whitelists for signed executables and a second whitelist of the two whitelists for unsigned executables, the computer readable instructions being executable by a processor of a computer and comprising:
computer readable instructions running on the processor cause the processor to detect an attempt to run an executable, 
the computer readable instructions running on the processor cause the processor to determine when the executable includes a digital signature stored within the executable, the digital signature having been issued by a certification authority; 
when the executable includes the digital signature, the computer readable instructions running on the processor search the first whitelist for the executable and when the executable is present on the first whitelist, allow the executable to run; 
when the executable is without the digital signature, the computer readable instructions running on the processor search the second whitelist for the executable and when the executable is present on the second whitelist, allow the executable to run;
when the executable is not found in a respective whitelist of the two whitelists, the computer readable instructions running on the processor forwards the executable, a metadata of the executable, or all or a portion of the executable to a server computer;
 a second non-transitory storage medium of the server computer having computer readable instructions stored therewith, the computer readable instructions being executable by a server processor of the server computer and comprising:
computer readable instructions running on the server processor analyze the executable and when malicious software exists in the executable, send an email to a user of the computer to notify the user of the malicious software and block the executable;
when no malicious software exists in the executable, the computer readable instructions running on the server processor update the respective whitelist of the two whitelists and send a transaction to the computer;
responsive to the computer receiving the transaction, the computer readable instructions running on the processor allow the executable to run; and
when there may be the malicious software in the executable, the computer readable instructions running on the server processor queue the executable for further research and execution of the executable is blocked;
wherein the further research includes the computer readable instructions running on the server processor further install the executable on a clean computer that is isolated, then run the executable on the clean computer, and analyze a file system and registry of the clean computer to determine if the executable includes the malicious software; and
wherein the email includes a link to training on how to prevent future intrusions of the malicious software into the computer.
15. (Original) The computer program product of claim 14, wherein the further research is performed by a human being.
16. (Currently Amended) The computer program product of claim 14, wherein the further research includes the computer readable instructions running on the server processor cause the server processor to install the executable on a clean computer that is isolated from a wide area network and to scan the executable with a commercially available malicious software scan system to determine when the executable includes malicious software and when the executable include the malicious software, the computer readable instructions running on the server processor cause the server processor to send the email to the user of the computer, the email including a description of the malicious software.
17. (Canceled)
18. (Canceled)
19. (Canceled)
20. (Canceled)


Examiner’s Statement of Reasons for Allowance

Claims 1-5, 8, 10, 12, and 14-16 (renumbered as claims 1-11) are allowed.
The present invention is directed to: a system for protecting a computer from malicious software that uses a whitelist to determine if a program is safe to run. As new malicious software is created, inadvertent attempts to run executables that include such malicious software are prevented because the new malicious software is not listed in the whitelist. When attempts are made to run unknown software, the executable is forwarded to the server where further analysis is performed to determine if the executable contains suspect code (e.g. malicious software).
The closest prior art, as previously recited, are Bhargava et al (“Bhargava,” US 8,925,101), Polyakov et al (“Polyakov,” US 8,863,284) in view of Alpern et al (“Alpern,” US 20090070752) and further in view of Xue et al (“Xue,” US 20140298460). 
Bhargava is directed to: a method that includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.
Polyakov is directed to: systems, methods and computer program products for determining a security status of at least one potentially malicious file in a customer network. An example method comprising receiving, by a client computer system, client heuristics information from a server system for determining a security status of client data generated by at least one client application; monitoring and identifying at least one suspicious file of the client data as a potentially malicious file by analyzing metadata associated with the at least one suspicious file using the client heuristics information; collecting threat-identification information of the potentially malicious file to exclude confidential information associated with a content of the potentially malicious file; transmitting the threat-identification information to the server system for determining a security status of the potentially malicious file; and receiving security tools from the server system to block or remove the potentially malicious file.
Alpern is directed to: a method for creating a virtual machine image. According to the method, at least one application is provided on a computer system. After the application is provided on the computer system, at least one optimization of the application is performed based on a runtime environment of the application to produce an optimized application, and the optimized application and at least a portion of the runtime environment are packaged in a virtual machine image. In one embodiment, the computer system is a virtual machine. Also provided is a system for creating a virtual machine image.
Xue is directed to: a method and system for malicious uniform resource locator detection where training data is used to train classification models to detect malicious Uniform Resource Locators (URLs) that target authentic resources (e.g., Web page, Web site, or other network locations accessed via a URL). The techniques train the classification models using one or more machine learning algorithms. The training data may include known benign URLs and known malicious URLs (e.g., training URLs) that are associated with a target authentic resource. The techniques then use the trained classification models to determine whether an unknown URL is a malicious URL. The malicious URL determination may be based on one or more lexical features (e.g., brand name edit distances for a domain and path of the URL) and/or site/page features (e.g., a domain age and a domain confidence level) extracted.
For example, none of the cited prior art teaches or suggests the steps of independent claims 1, 10 and 14: determine when the executable includes a digital signature stored within the executable, the digital signature having been issued by a certification authority; when the executable includes the digital signature, search the first whitelist for the executable and when the executable is present on the first whitelist, allow the executable to run; when the executable is without the digital signature, search the second whitelist for the executable and when the executable is present on the second whitelist, allow the executable to run; when the executable is not found in a respective whitelist of the two whitelists, forward the executable, a metadata of the executable, or all or a portion of the executable to the server; the server processor is configured to: further analyze the executable and when malicious software exists in the executable, send an email to a user of the computer to notify the user of the malicious software and block the executable; when no malicious software exists in the executable, update the respective whitelist of the two whitelists and send a transaction to the computer; responsive to the computer receiving the transaction, the processor is configured to allow the executable to run; when there may be the malicious software in the executable, the server processor is configured to queue the executable for further research and execution of the executable is blocked; wherein the further research includes the server processor being further configured to install the executable on a clean computer that is isolated, to run the executable on the clean computer, and to analyze a file system and registry of the clean computer to determine if the executable includes the malicious software; and wherein the email includes a link to training on how to prevent future intrusions of the malicious software into the computer.
Therefore, the claims are allowable over the cited prior art. 
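
The lookup-and-escalate flow recited in independent claims 1, 10 and 14, shown as an added Python example that is not part of the Office action or the application. The SHA-256 lookup key, the caller-supplied `signed` flag, the `analyze` callback and all class and function names are assumptions, and the sample images are constructed.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"          # no malicious software found
    MALICIOUS = "malicious"  # malicious software found
    SUSPECT = "suspect"      # may be malicious: needs further research


class Server:
    """Holds both whitelists and rules on executables the endpoint cannot match."""

    def __init__(self, analyze):
        # True -> whitelist for signed executables, False -> unsigned ones.
        self.whitelists = {True: set(), False: set()}
        self.analyze = analyze        # hypothetical callback: digest -> Verdict
        self.research_queue = []      # digests awaiting isolated-machine analysis
        self.notifications = []       # stands in for the e-mail to the user
        self.submissions = 0

    def submit(self, digest, signed, user):
        self.submissions += 1
        verdict = self.analyze(digest)
        if verdict is Verdict.CLEAN:
            self.whitelists[signed].add(digest)   # only the respective list
        elif verdict is Verdict.MALICIOUS:
            self.notifications.append((user, digest))
        else:
            self.research_queue.append(digest)
        return verdict


def on_execute(server, image, signed, user):
    """Endpoint decision for one launch attempt; returns 'allow' or 'block'.

    `signed` is assumed to come from a separate check that the image embeds
    a CA-issued signature; that check is outside this example.
    """
    digest = hashlib.sha256(image).hexdigest()   # assumed lookup key
    if digest in server.whitelists[signed]:
        return "allow"
    # Unknown to the respective list: ask the server, and fail closed unless
    # it answers CLEAN (the answer models the claimed "transaction").
    verdict = server.submit(digest, signed, user)
    return "allow" if verdict is Verdict.CLEAN else "block"


if __name__ == "__main__":
    # Constructed sample images and verdicts, for illustration only.
    tool, dropper, packed = b"backup-tool", b"dropper", b"odd-packer"
    table = {hashlib.sha256(tool).hexdigest(): Verdict.CLEAN,
             hashlib.sha256(dropper).hexdigest(): Verdict.MALICIOUS}
    srv = Server(lambda d: table.get(d, Verdict.SUSPECT))
    for image, signed in [(tool, True), (tool, True), (dropper, False), (packed, False)]:
        print(image.decode(), signed, on_execute(srv, image, signed, "alice"))
    print("server submissions:", srv.submissions)
```

The second launch of the same signed image is answered from the first whitelist without another server submission, while the malicious and the undetermined image are both blocked.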
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439     



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439