DETAILED ACTION
This action is in response to amendments filed 6/28/2022. Claims 1-21 are pending with claims 1, 2, 7-9, 14-16 and 21 having been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/9/2022 and 3/9/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant’s arguments with respect to the nonstatutory double patenting rejection have been fully considered and are persuasive. The nonstatutory double patenting rejection of claims 1-21 has been withdrawn since the terminal disclaimer filed 6/28/2022 has been approved.
Applicant’s arguments with respect to amended claim(s) 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al (US 8,307,443) in view of Armstrong et al (US 2006/0136720) in view of Patton et al (US 10,229,269).
With respect to claim 1 (system), 8 (method) and 15 (machine-readable medium) Wang teaches a data management system, comprising: 
one or more processors in communication with the storage appliance, the one or more processors configured to perform operations including: 
a storage appliance configured to store a snapshot of a virtual machine (see Wang column 7 line 60 – column 8 lines 6 i.e. Checker component 310 periodically retains a snapshot of a virtual disk or file system of guest virtual machine 120. For example, checker component 310 utilizes copy-on-write disks to efficiently generate snapshots);
receiving a plurality of writes made to the virtual machine (see Wang column 6 lines 20-25 i.e. Guest initiated logging system 200 employs append-only log 220 to monitor file system operations of guest virtual machine 120. A write operation in the guest virtual machine 120 must be logged to an append-only log 220 in the secure virtual machine 110 before the write operation is allowed to proceed); 
computing, outside of the virtual machine, a fingerprint of the write (see Wang column 6 lines 29-34 i.e. Once the write operation is logged in the append-only log 220, the presence of the malware is essentially permanent. Thus, even with zero-day malware, the malware is logged and, upon the distribution of a matching signature, is detected by anti-virus component 114 based upon the corresponding write entry in append-only log 220); 
comparing, outside of the virtual machine, the computed fingerprint to malware fingerprints in a malware catalog (see Wang column 6 line 66 – column 7 line 5 i.e. In secure virtual machine 110, anti-virus component 114 monitors the log 220 in real time. Real time monitoring enables anti-virus component 114 to detect known malware. After anti-virus component 114 receives an update or a new set of signatures from a developer or malware analyst, anti-virus component 114 can rescan the log 220 to detect malware unknown at the time it was written and logged);
Wang does not specifically disclose disabling the virtual machine based at least in part on a match between the plurality of fingerprints and the plurality of malware fingerprints breaching a threshold within a threshold duration of time.
Armstrong discloses disabling the virtual machine based at least in part on a match between the fingerprints and the plurality of malware fingerprints (see Armstrong paragraph 0031 periodic snapshots, restore to the latest state before the virus/malware and paragraph 0056).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and if malware found on the virtual machine to install a previous version of the virtual machine before the introduction of the malware in order to protect the system and safely continue running the virtual server.
Wang in view of Armstrong does not disclose the match between the plurality of fingerprints and the plurality of malware fingerprints breaching a threshold within a threshold duration of time.
Patton teaches the match between the plurality of fingerprints and the plurality of malware fingerprints breaching a threshold within a threshold duration of time (see Patton column 6 lines 28-55 i.e. the scoring module 210 generates a score for the process based on combined scores of indicators associated with a process in log storage 212 that may relate to detecting that the process encrypts a file or to other behaviors indicative of ransomware. Each of the indicators for different types of behaviors may have a score and a timestamp indicating the time of detection of the behavior. For each executing process, the scoring module 208 generates a respective running score based on the combined scores of active indicators (e.g., within a predefined time period) associated with that process in the log storage 212).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Patton to have used a scoring module that generates a score for the process based on combined scores of indicators associated within a predefined time period as a way to trigger a ransomware detection when the combined score exceeds a predefined threshold with a low rate of false positives. Therefore one would have been motivated to have used a scoring module to generate a score for the process based on combined scores of indicators associated within a predefined time.

	

With respect to claims 2, 9 and 16 Wang teaches the system of claim 1, but does not disclose wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the threshold was breached.
Armstrong teaches wherein the operations further include restoring the virtual machine using the snapshot stored in the storage appliance to a state before the predetermined threshold was breached (see Armstrong paragraph 0031 i.e. snapshot, restore to the latest state before the virus/malware).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide a device to take a snapshot of a virtual machine (storing the snapshot on a different system for security) and if malware found on the virtual machine to install a previous version of the virtual machine before the introduction of the malware in order to protect the system and safely continue running the virtual server.

With respect to claims 3, 10 and 17 Wang teaches the system of claim 1, wherein the operations further include transmitting a warning to a user of the virtual machine (see Wang column 10 lines 49-52 i.e. The shutdown command notifies patient malware that a shutdown is imminent. At reference numeral 850, any malware writing to disk is detected prior to the shutdown).

With respect to claims 5, 12 and 19 Wang teaches the system of claim 1, wherein the operations further include repeatedly generating snapshots of the virtual machine over time (see Wang column 7 line 60 – column 8 lines 6 i.e. Checker component 310 periodically retains a snapshot of a virtual disk or file system of guest virtual machine 120. For example, checker component 310 utilizes copy-on-write disks to efficiently generate snapshots).

With respect to claim 6, 13 and 20 Wang teaches the system of claim 1, but does not disclose wherein the operations are performed in a device that is not hosting the virtual machine (see Wang column 6 lines 20-25 i.e. Guest initiated logging system 200 employs append-only log 220 to monitor file system operations of guest virtual machine 120. A write operation in the guest virtual machine 120 must be logged to an append-only log 220 in the secure virtual machine 110 before the write operation is allowed to proceed).

With respect to claim 7, 13 and 21 Wang teaches the system of claim 1, but does not disclose wherein the operation further includes determining that malware is present on the virtual machine based at least in part on the number of matches breaching the threshold within the threshold duration of time, wherein disabling the virtual machine is based at least in part on determining that malware is present.

Patton teaches wherein the operation further includes determining that malware is present on the virtual machine based at least in part on the number of matches breaching the threshold within the threshold duration of time, wherein disabling the virtual machine is based at least in part on determining that malware is present (see Patton column 6 lines 28-55 i.e. the scoring module 210 generates a score for the process based on combined scores of indicators associated with a process in log storage 212 that may relate to detecting that the process encrypts a file or to other behaviors indicative of ransomware. Each of the indicators for different types of behaviors may have a score and a timestamp indicating the time of detection of the behavior. For each executing process, the scoring module 208 generates a respective running score based on the combined scores of active indicators (e.g., within a predefined time period) associated with that process in the log storage 212).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Patton to have used a scoring module that generates a score for the process based on combined scores of indicators associated within a predefined time period as a way to trigger a ransomware detection when the combined score exceeds a predefined threshold with a low rate of false positives. Therefore one would have been motivated to have used a scoring module to generate a score for the process based on combined scores of indicators associated within a predefined time.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al (US 8,307,443) in view of Armstrong et al (US 2006/0136720) in view of Patton et al (US 10,229,269).
With respect to claims 4, 11 and 18 Wang teaches the system of claim 1, but does not disclose wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware. 
Cohen teaches wherein the operations further include generating the malware catalog including generating fingerprints of binaries and compressed binaries of known malware (see Cohen paragraph 0050 i.e. the database server 42 may store a plurality of fingerprints associated with known binaries of interest (e.g., malware), and these known binaries of interest (and their fingerprints) may form the basis for comparison with query files and their respective fingerprints to identify similarities therebetween).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Cohen to have used fingerprints of binaries as a way to detect malware. Therefore one would have been motivated to have used fingerprints of binaries.
	
Prior Art of Record
	Roundy (US 9,485,272) titled “Systems And Methods For Estimating Confidence Scores Of Unverified Signatures” teaches a computer-implemented method for estimating confidence scores of unverified signatures may include (1) detecting a potentially malicious event that triggers a malware signature whose confidence score is above a certain threshold, (2) detecting another event that triggers another signature whose confidence score is unknown, (3) determining that the potentially malicious event and the other event occurred within a certain time period of one another, and then (4) assigning, to the other signature, a confidence score based at least in part on the potentially malicious event and the other event occurring within the certain time period of one another.
	Fake et al (US 2012/0254416) titled “Mainframe Event Correlation” teaches certain security-related events occurring at the same time, or a threshold number of security violation events occurring within a threshold amount of time, may signal a heightened security risk (e.g., indicating that a hacker is attempting to access information, or a virus is spreading).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Devin Almeida whose telephone number is 571-270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).


/DEVIN E ALMEIDA/ Examiner, Art Unit 2492


/SALEH NAJJAR/ Supervisory Patent Examiner, Art Unit 2492