Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1.	This action is responsive to:  an original application filed on 6 August 2021 with acknowledgement that this application is a continuation of application 16/832,779 now patent 11,089,046 which is a continuation of 15/684,582 now patent 10,609,065 which claims the benefit of a provisional filing date of 30 August 2016.
2.	Claims 21-40 are currently pending.  Claims 21, 35, and 40, are independent claims. 
3.	The IDS submitted on 6 August 2021 has been considered. 
EXAMINER NOTES
4.	Although the application is a continuation of application 16/832,770 now patent 11,089,046 which is a continuation of 15/684,583 now patent 10,609,065, Claims 21-40 are also distinct from claims in the patents.  Therefore, no Double Patenting rejection is placed on the pending claims.  The patents do not contain the following limitations underlined below that are in this application’s independent claims:
	“the tool: executes in a background of the computer system, collects a system data set based on the threat parameters associated with the computing system, sends the system data set to a data store, and after the system data is sent to the data store, performs a secure delete operation that removes the tool, the system data set, and data generated by the tool during data collection from the computer system”
 
The wording is considered distinct from the patent 10,609,065 because the only deletion performed deletes the “sensitive files from the computing system” and “deletes the tool from the computing system”, in claims 1, 6, and 11.  Nowhere do the claims teach deleting data generated by the tool during data collection in patent 10,609,065.  In addition, 10,609,065 claims do not state that the tool executes in a background of the computing system.

The wording is considered distinct from the patent 11,089,046 because the only deletion performed deletes the “sensitive files from the computing system” in claim 5 and “deletes the tool from the computing system”, in claims 1, 15, and 18.  Nowhere do the claims teach deleting data generated by the tool during data collection in patent 11,089,046.  In addition, 11,089,046 claims do not state that the tool executes in a background of the computing system.

In addition, there is support for the limitations in Applicant’s disclosure paragraphs 81 and 96, of the original specification submitted with application 15/684,583.  These paragraphs also appear in the continuing applications.  Paragraphs 81 and 96 are copied below with the text supporting the distinct limitations underlined.

“[0081] At step 308, the threat analysis tool is executed on each of the computing systems of the enterprise. The threat analysis tool is configured to collect system information associated with the threat parameters and transmit the collected information to a specific pre-determined/configured secure storage area. For example, when the threat analysis tool is pushed to a computing system, the tool may be copied to a temporary folder on the computer. At the end of execution, the tool encrypts and uploads the collected data text files via a local SFTP server. Once the data has been successfully uploaded, the tool and any artifacts or temporary data folders created by the threat analysis tool are automatically removed from the workstation via a secure delete operation. The collected information for each computing system may be named separately with a consistent naming convention that allows the threat analysis system to identify which data set was collected on which enterprise computer, from which module, and at what time”

“[0096] At step 404, the enterprise management system may copy and distribute the executable of the threat analysis tool to the many computing systems on the enterprise that are to be analyzed. For example, the enterprise management system may make a copy of the executable of the tool for each of the computing systems that are to be analyzed and send a separate executable for the threat analysis tool to each of the computing systems. For instance, different copies of the executable are delivered to enterprise computing system A 130A and to enterprise computing system B 130B. The copies of the executable may be delivered to the various systems at the same time and may be delivered through any suitable method. For example, each executable may be pushed to each of the computing systems using the enterprise management systems administrator privileges to execute each executable on each computing system at substantially the same time. Further, the executable may be delivered, executed, and deleted without a user of the computing system knowing that anything was processed. Accordingly, the tool may execute in the background and may be hidden on the computer such that malicious software and/or users may not be aware of the presence or running of the threat analysis tool. Further, the threat analysis tool may be distributed and executed by any number of different enterprise computing systems at the same time. For instance, the same process may be performed for two computers or for 20,000 computers on the enterprise. Accordingly, the process may be leveraged to process and analyze any number of computers on an enterprise at the same or substantially the same time”
Claim Rejections – 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over Grondin et al. U.S. Patent Application Publication No. 2015/0326601 (hereinafter ‘601) in view of Tarbotton et al. U.S. Patent Application Publication No 2003/-120952 (hereinafter ‘952) in further view of Banzhof U.S. Patent Application Publication No 2013/0219493 (hereinafter ‘493) in further view of Rozenberg et al. U.S. Patent Application Publication No. 2008/0313734 (hereinafter ‘734).
As to independent claim 21, “A computer-implemented method for remote identification of enterprise threats, comprising: receiving, at a threat analysis system, threat parameters associated with an enterprise management system” is taught in ‘601 paragraphs 16-19 and 76, note a data management service identifies sensitive data stored on enterprise databases according to record classification rules;
“configuring a tool based on the threat parameters” is shown in ‘601 paragraphs 76-78, note “The data management service … and apply protection policies … includes … an assessment module” (i.e. configuring a tool);
“distributing the tool to a plurality of computing systems in an enterprise managed by the enterprise management system, the tool configured to be executed by each of the plurality of computing systems” is disclosed in ‘601 paragraphs 82, 93, and 213-215;
the following is not explicitly taught in ‘601:
“wherein at each computing system, the tool: executes in a background of the computing system” however ‘952 teaches pre-emptive malware scanning of storage location or as a background task in the Abstract and paragraph 16;
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the data management service that identifies sensitive data taught in ‘601 to include a means to have the tool execute in a background of the computing system.  One of ordinary skill in the art would have been motivated to perform such a modification because if a file has been previously memory cache resources are reduced and measures which can maintain security are strongly desirable, see ‘952 paragraphs 4-7.

the following is not explicitly taught in ‘601 and ‘952:
“collects a system data set based on the threat parameters associated with the computing system, sends the system data set to a data store, and after the system data set is sent to the data store, performs a secure delete operation that removes the tool, the system data set, and data generated by the tool during data collection from the computing system” however ‘493 teaches a system for self-assessment for a computer platform that invokes at least one scan tool and transmits results (i.e. system data set) to a remote computer and after completion of the security self-assessment, the scan tools, the security policies, and/or security self-assessment instructions (i.e. data generated by the tool) may be deleted from the device in paragraphs 8 and 32;
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the data management service that identifies sensitive data taught in ‘601 and ‘952 to include a means to delete a threat parameter detection tool.  One of ordinary skill in the art would have been motivated to perform such a modification because computers and computing devices are susceptible to a variety of security threats and/or vulnerabilities, therefore different rules and/or auditing procedures may be imposed, and therefore an adaptable self-assessment is an advantage, see ‘493 paragraphs 4-7 and 33.
the following is not explicitly taught in ‘601, ‘952, and ‘493:
“obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems; analyzing the plurality of system data sets to identify one or more potential threats at one or more computing systems of the plurality of computing systems; and generating a threat report including the one or more identified potential threats”
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the data management service that identifies sensitive data taught in ‘601, ‘952, and ‘493 to include a means to generate reports.  One of ordinary skill in the art would have been motivated to perform such a modification because all of the above mentioned approaches, techniques and systems do not provide a complete and fully reliable solution to the problem of the spreading of eThreats within networks, see ‘734 paragraphs 2-20.

	As to dependent claim 22, “The method of claim 21, further comprising: in response to identifying the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats, compiling an executable memory analysis tool” is taught in ‘601 paragraphs 16-19 and 76-78;
	“distributing the executable memory analysis tool to the one or more identified computing systems associated with the one or more identified potential threats, the executable memory analysis tool when executed at each computing system is configured to: collect a memory data set associated with the computing system comprising targeted volatile memory” is shown in ‘601 paragraphs 82, 93, and 213-215;
	“and send the memory data set to the data store; obtaining one or more memory data sets associated with the one or more identified computing systems; analyzing the one or more memory data sets to identify real threats; and generating a memory threat report including one or more identified real threats” is disclosed in ‘734 paragraphs 44 and 52.
	As to dependent claim 23, “The method of claim 22, wherein the memory data set comprises data collected from a volatile memory at said each computing system” is taught in ‘734 paragraphs 44 and 52.
	As to dependent claim 24, “The method of claim 21, wherein analyzing the plurality of system data sets to identify potential threats comprises: comparing each system data set of the plurality of system data sets to a database of known threat indicators; identifying at least one system data set matching one or more threat indicators of the database of known threat indicators; and for each of the at least one system data set matching the one or more threat indicators, logging a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the at least one system data set matching the one or more threat indicators for use in the threat report” is shown in ‘734 paragraphs 44 and 51-52.
	As to dependent claim 25, “The method of claim 21, wherein analyzing the plurality of system data sets to identify potential threats comprises: comparing each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set; identifying one or more differences between the previously stored system data set for at least one of the plurality of computing systems; and for each of the at least one of the plurality of computing systems: for each difference of the one or more differences: comparing the difference to a database of behavioral threat indicators; identifying a behavioral threat indicator matching the difference; in response to identifying the behavior threat indicator, identifying a dormant threat, malware, a threat initiated between scans, or a combination thereof; adding data indicative of the identified dormant threat, the malware, the threat initiated between scans, or a combination thereof to a database as an identified potential real threat; and generating a threat report including one or more identified potential real threats” is disclosed in ‘734 paragraphs 44 and 51-52.
	As to dependent claim 26, “The method of claim 21, wherein analyzing the plurality of system data sets to identify potential threats comprises: for each system data set of the plurality of system data sets: comparing the system data set to a reference system data set; and identifying one or more differences between the system data set and the reference system data set for at least one of the plurality of system data sets; for each difference of the one or more differences: comparing the difference to a database of behavioral threat indicators; identifying a behavioral threat indicator matching the difference; determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report” is taught in ‘734 paragraphs 44, 51-52, and 63.
	As to dependent claim 27, “The method of claim 21, further comprising: receiving confirmation that at least one of the one or more identified potential threats indicates a real threat; generating a hash of the system data set associated with the real threat; and updating the database of known threat indicators to include the hash of the system data set associated with the real threat” is shown in ‘734 paragraphs 44, 51-52, and 63.
	As to dependent claim 28, “The method of claim 21, further comprising: receiving confirmation that at least one of the one or more identified potential threats indicates a real threat; identifying one or more indicators of the system data associated with the at least one identified potential threat; and updating a database of known threat indicators to include the one or more indicators of the system data associated with the threat” is disclosed in ‘734 paragraphs 44, 51-52, and 63.
	As to dependent claim 29, “The method of claim 21, wherein before analyzing the plurality of system data sets, the method further comprises: identifying identical system data between the plurality of system data sets; and removing the identical system data from the plurality of system data sets” is taught in ‘734 paragraph 32.
	As to dependent claim 30, “The method of claim 21, further comprising: encrypting, by each executable threat analysis tool, a collected system data set prior to sending the collected system data to the data store, the sent collected system data being an encrypted version of the collected system data set; and decrypting, by the threat analysis system, a plurality of encrypted system data sets prior to analyzing to identify potential threats” is shown in ‘601 paragraphs 70 and 75.
	As to dependent claim 31, “The method of claim 30, wherein an encryption key is embedded within each executable threat analysis tool, and a corresponding encryption key is used by the threat analysis system to decrypt each of the plurality of encrypted system data sets” is disclosed in ‘601 paragraphs 70 and 75.
	As to dependent claim 32, “The method of claim 21, further comprising: in response to identification of potential threats to one or more computing systems, causing an alert, including the threat report, to be provided to the enterprise management system” is taught in ‘734 paragraph 44.
	As to dependent claim 33, “The method of claim 21, wherein distributing the executable threat analysis tool to the plurality of computing systems comprises: distributing a copy of the executable threat analysis tool to the enterprise management system, wherein the enterprise management system is to distribute copies of the executable threat analysis tool to one or more of the plurality of computing systems in the enterprise” is shown in ‘601 paragraphs 82, 93, and 213-215.
	As to dependent claim 34, “The method of claim 21, wherein configuring the tool and distributing the tool further comprises: compiling an executable threat analysis tool; receiving, by the threat analysis system, addresses of one or more of the plurality of computing systems in the enterprise; and directly distributing, by the threat analysis system, a copy of the executable threat analysis tool to each of the plurality of computing systems in the enterprise for which an address was received, the executable threat analysis tool executable to generate system data sets based on the threat parameters” is disclosed in ‘601 paragraphs 82, 93, and 213-215.
	As to independent claim 35, this claim is directed to a non-transitory computer readable storage medium executing instructions that perform the method of claim 21; therefore, it is rejected along similar rationale.
	As to dependent claims 36-39, these claims contain substantially similar subject matter as claims 22-23 and 38-39; therefore, they are rejected along similar rationale.
	As to independent claim 40, this claim is directed to a threat analysis system, executing the method of claim 21; therefore, it is rejected along similar rationale.
Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ellen Tran whose telephone number is (571) 272-3842.  The examiner can normally be reached from 7:30 am to 4:00 pm.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

____________________________________________________________
/ELLEN TRAN/Primary Examiner, Art Unit 2433
29 September 2022