DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Amended claims 1-20 as submitted on 6/29/22 were considered.

Response to Arguments
	Applicant argues Butler does not teach the “automatically, adding, during a learning mode…” limitation as amended because as per paragraph 42, Butler relies on a human administrator to create an established applications list, thus the adding is not done automatically.  The examiner respectfully disagrees.
	First, it should be noted that paragraph 42 that applicant relies upon appears to refer to administrator applications, not human administrators, thus the basis of applicant’s argument is incorrect.  
Further, the reference as a whole must be considered.  Even assuming, arguendo, that the administrator in paragraph 42 could be human, there are other portions of the reference, some of which were cited in the previous Office action, which clearly and explicitly state that the list was built by a computer program during learning/training mode, thus how the list is established is in addition to how it is established in paragraph 42 of the reference.  For example, in paragraph 9: “The computer program then compiles the inventory recordation that is personal to the user, as the inventory recordation lists applications accessed by the user during the training mode.”  The list being built/compiled by a computer program rather than a human user during training mode means that it was done automatically.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Probert et al (US 2005/0091214).
Claim 1:
	Butler discloses:
detecting a computer resource process running or attempting to run on an operating system (paragraphs 26, 36, 63, and 74; When Butler’s invention is running in protected mode, it detects attempts to run a new instance of an application/computer resource process and determines if that process is listed in a user’s whitelist.  Butler’s invention could also be turned off and on at different points when the OS is already running. This means that when Butler’s invention is turned off, a process that’s not on a user’s whitelist could run.  As per paragraph 74, should this happen, Butler’s invention terminates execution of all processes/applications not listed in the user’s whitelist once Butler’s program is activated and switched to protected mode); 
comparing details of the computer resource process against an authorized processes database containing details of previously run computer resources processes to determine if the computer resource process is running or attempting to run for a first time on the operating system (paragraphs 26, 36-37, 63, and 74; In protected mode, Butler’s invention, when an application/computer resource process attempts to run for the first time during a particular computing session, checks to see if the application is listed in a user’s whitelist.  If it is not, the application is prevented from running or is terminated.  As discussed above, it is also possible for an application to already be running and when Butler’s invention switches to protected mode, it compares all currently running processes to ones found in the user’s whitelist and terminates any that aren’t on the list); 
automatically adding, during a learning mode, the details of the computer resource process to the authorized processes database when it is determined that the computer resource process is running for the first time or attempting to run for the first time on the operating system (paragraphs 9, 35, 59, and 72; Programs observed to be executed during training mode are added to the inventory recordation list by a computer program, thus the adding is done automatically); and 
suspending, during a protect mode, the computer resource process from running on the operating system when it is determined that the computer resource process is running or attempting to run for the first time on the operating system (paragraphs 74-75 and 87).

Butler does not disclose, but Probert discloses wherein the details of the computer resource process include at least one of semaphore data, mutex data or atom data for the computer resource process (paragraphs 24-26).  Note that as defined by applicant’s specification, an atomic table is a global table available, so it appears that a named object as discussed in paragraphs 25-26 of Probert is an atom as it is a globally unique identifier.  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention using Probert’s teachings by having Butler’s whitelist identify processes on the list wherein the details of the computer resource process (in the list) include at least one of semaphore data, mutex data or atom data for the computer resource process.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).
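
The learning-mode and protect-mode steps mapped for claim 1 above can be illustrated with a short sketch. This is an added example, not code from the application, Butler or Probert; the record fields, the Monitor class and the sample processes are constructed for illustration, and the mutex field stands in for the semaphore, mutex or atom data of the combination.

```python
import hashlib
from dataclasses import dataclass, field

LEARN, PROTECT = "learn", "protect"

@dataclass(frozen=True)
class ProcDetails:
    """Details recorded per process (the field choice is an assumption of this sketch)."""
    name: str
    path: str
    sha256: str
    mutexes: frozenset = frozenset()  # names of sync objects the process creates

def details(name, path, image: bytes, mutexes=()):
    """Build a record from a process name, file path, image bytes and mutex names."""
    return ProcDetails(name, path, hashlib.sha256(image).hexdigest(), frozenset(mutexes))

@dataclass
class Monitor:
    mode: str = LEARN
    authorized: set = field(default_factory=set)  # authorized processes database
    alerts: list = field(default_factory=list)

    def on_process(self, d: ProcDetails) -> str:
        """Decide what to do with a process that is running or attempting to run."""
        if d in self.authorized:      # previously run with identical details
            return "allow"
        if self.mode == LEARN:        # first run while learning: add automatically
            self.authorized.add(d)
            return "learned"
        self.alerts.append(d)         # first run while protecting: alert and suspend
        return "suspend"

    def enter_protect(self, running):
        """Switch to protect mode; return already-running processes not in the database."""
        self.mode = PROTECT
        return [d for d in running if self.on_process(d) == "suspend"]

def demo():
    """Constructed sample: learn one editor, then protect against a swapped binary."""
    m = Monitor()
    editor = details("editor.exe", r"C:\Apps\editor.exe", b"editor-v1", ["EditorSingleInstance"])
    swapped = details("editor.exe", r"C:\Apps\editor.exe", b"other-bytes", ["EditorSingleInstance"])
    results = [m.on_process(editor), m.on_process(editor)]    # learned, then allow
    results.append([d.sha256 == swapped.sha256 for d in m.enter_protect([editor, swapped])])
    results.append(m.on_process(editor))                      # still allowed in protect mode
    return results

if __name__ == "__main__":
    print(demo())
```

Because the comparison is made on the full record, a binary replaced at an authorized path no longer matches the database and is suspended in protect mode.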

Claim 2:
	Butler further discloses initializing an internal timer for the learning mode or the protect mode (paragraphs 59-60, 72, and 78).

Claim 3:
	Butler further discloses terminating the computer resource process (paragraph 63).

Claim 4:
	Butler further discloses generating an alert for the computer resource process, including the details of the computer resource process (paragraphs 63, 81, and 87).

Claim 5:
	Butler further discloses checking, during the protect mode, if the computing device is operating in a client-server mode; and generating an alert for the computer resource process, including the details of the computer resource process when the computing device is operating in the client-server mode (paragraphs 63, 68-69, 81; and Figure 8; Butler’s invention checks if certain types of programs are running to decide when to switch his invention to protected mode.  Such programs include an internet browser or email client.  Each of these programs turns a computer into one which operates in client-server mode as they communicate with the Internet).

Claim 6:
	Butler further discloses analyzing, during the protect mode, the details of the computer resource process; and terminating, during the protect mode, the computer resource process based on a result of the analysis (paragraph 63).

Claim 7:
	Butler further discloses analyzing, during the protect mode, the details of the computer resource process; and allowing, during the protect mode, the computer resource process to run on the operating system based on a result of the analysis (paragraph 63).

Claim 8:
	Butler further discloses adding, during the protected mode, the details of the computer resource process to the authorized processes database (paragraphs 70-71).  Butler’s invention has two sub-modes of the protected mode, each of which has variations which would allow new computer resource processes to be added to the whitelist even though protected mode is on.

Claim 10:
	Butler further discloses wherein the details of the computer resource process further include at least one of a process name, a file path, a cryptographic hash, or timestamp (paragraph 63 and Figure 3).



Claims 9 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Probert et al (US 2005/0091214) in further view of Challita et al (US 2018/0248896).

Claim 9:
	Butler discloses sending, during the protect mode, the details of the computer resource process to another computing device for analysis; receiving an analysis result from said another computing device (paragraph 88; Secondary protection device/system, such as a known virus/malware scanner could be used in conjunction with Butler’s invention).  
Butler does not disclose either terminating the computer resource process or allowing the computer resource process to run on the operating system based on the analysis result.  However, Challita discloses sending, during the protect mode, the details of the computer resource process to another computing device for analysis; receiving an analysis result from said another computing device; and either terminating the computer resource process or allowing the computer resource process to run on the operating system based on the analysis result (paragraphs 18, 20, and 47-48; Multiple analysis systems are used sequentially to analyze suspected ransomware and the ransomware’s process run is terminated upon detection, but the file could still be further analyzed after termination).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention to utilize Challita’s teachings discussed.  One skilled in the art would have been motivated to do so because it would allow Butler’s invention to provide for not only detection, but also a mitigation solution for possible malware (Challita: paragraph 13).

Claim 11:
	Butler does not disclose, but Challita discloses wherein the malware comprises crypto-ransomware (paragraph 5).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention in accordance with the discussed teachings of Challita.  The rationale for why it would be obvious is that Butler does not place any restriction on the type of malware his invention protects against, thus having the malware comprise crypto-ransomware is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007). 


Claims 12, 14-15, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Challita et al (US 2018/0248896).

Claim 12:
	Butler discloses:
a processor running an operating system (paragraph 35); 
an authorized processes database containing details of previously run computer resources processes (paragraph 9); and 
a malware monitor configured to operate in a learning mode or a protect mode (paragraph 26), the malware monitor being arranged to: 
detect a computer resource process running or attempting to run on an operating system (paragraphs 26, 36, 63, and 74; When Butler’s invention is running in protected mode, it detects attempts to run a new instance of an application/computer resource process and determines if that process is listed in a user’s whitelist.  Butler’s invention could also be turned off and on at different points when the OS is already running. This means that when Butler’s invention is turned off, a process that’s not on a user’s whitelist could run.  As per paragraph 74, should this happen, Butler’s invention terminates execution of all processes/applications not listed in the user’s whitelist once Butler’s program is activated and switched to protected mode); 
compare details of the computer resource process against an authorized processes database containing details of previously run computer resources processes to determine if the computer resource process is running or attempting to run for a first time on the operating system (paragraphs 26, 36-37, 63, and 74; In protected mode, Butler’s invention, when an application/computer resource process attempts to run for the first time during a particular computing session, checks to see if the application is listed in a user’s whitelist.  If it is not, the application is prevented from running or is terminated.  As discussed above, it is also possible for an application to already be running and when Butler’s invention switches to protected mode, it compares all currently running processes to ones found in the user’s whitelist and terminates any that aren’t on the list); 
automatically add, during a learning mode, the details of the computer resource process to the authorized processes database when it is determined that the computer resource process is running for the first time or attempting to run for the first time on the operating system (paragraphs 9, 35, 59, and 72; Programs observed to be executed during training mode are added to the inventory recordation list by a computer program, thus the adding is done automatically); and 
suspend, during a protect mode, the computer resource process from running on the operating system when it is determined that the computer resource process is running or attempting to run for the first time on the operating system (paragraphs 74-75 and 87).

Butler does not disclose, but Challita discloses wherein the malware monitor is a ransomware monitor (abstract and paragraph 5).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention in accordance with the discussed teachings of Challita so that the malware monitor was a ransomware monitor.  The rationale for why it would be obvious is that Butler does not place any restriction on the type of malware his invention protects against, thus having the malware comprise ransomware and the malware monitor be a ransomware monitor is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007). 

Claim 14:
	Butler further discloses wherein the details of the computer resource process further include at least one of a process name, a file path, a cryptographic hash, or timestamp (paragraph 63 and Figure 3).

Claim 15:
	Butler further discloses wherein the authorized processes database includes a computing resource process whitelist (paragraph 9).

Claim 18:
	Butler further discloses an internal timer arranged to be set to a learn time value or a protect time value (paragraphs 59-60, 72, and 78).

Claim 19:
	Butler further discloses wherein the malware monitor is further arranged to: check, during the protect mode, if the computing device is operating in a client-server mode; and generate an alert for the computer resource process, including the details of the computer resource process when the computing device is operating in the client-server mode (Butler: paragraphs 63, 68-69, 81; and Figure 8; Butler’s invention checks if certain types of programs are running to decide when to switch his invention to protected mode.  Such programs include an internet browser or email client.  Each of these programs turns a computer into one which operates in client-server mode as they communicate with the Internet).  The malware monitor being a ransomware monitor was obvious over Challita’s teachings as previously discussed.

Claim 20:
	Butler discloses send, during the protect mode, the details of the computer resource process to another computing device for analysis; receive an analysis result from said another computing device (paragraph 88; Secondary protection device/system, such as a known virus/malware scanner could be used in conjunction with Butler’s invention).  
Butler does not disclose either, based on the analysis result, terminate the computer resource process or allowing the computer resource process to run on the processor.  However, Challita discloses send, during the protect mode, the details of the computer resource process to another computing device for analysis; and either, based on the analysis result, terminate the computer resource process or allowing the computer resource process to run on the processor (paragraphs 18, 20, and 47-48; Multiple analysis systems are used sequentially to analyze suspected ransomware and the ransomware’s process run is terminated upon detection, but the file could still be further analyzed after termination).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Butler’s invention to utilize Challita’s teachings discussed.  One skilled in the art would have been motivated to do so because it would allow Butler’s invention to provide for not only detection, but also a mitigation solution for possible malware (Challita: paragraph 13).



Claims 13 and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Butler et al (US 2014/0150106) in view of Challita et al (US 2018/0248896) in further view of Probert et al (US 2005/0091214).
Claim 13:
Butler does not disclose, but Probert discloses wherein the details of the computer resource process include at least one of semaphore data, mutex data or atom data for the computer resource process (paragraphs 24-26).  Note that as defined by applicant’s specification, an atomic table is a global table available, so it appears that a named object as discussed in paragraphs 25-26 of Probert is an atom as it is a globally unique identifier.  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention using Probert’s teachings by having Butler’s whitelist identify processes on the list wherein the details of the computer resource process (in the list) include at least one of semaphore data, mutex data or atom data for the computer resource process.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 16:
	Butler further discloses wherein the authorized processes database includes a process table containing a process table value for each of the previously run computer resources processes (Fig 3).
Butler does not disclose the process table is a mutex table and the process table value is a mutex value, however, these limitations are taught by Probert (paragraph 24).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention using Probert’s teachings as discussed.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 17:
	Butler further discloses wherein the authorized processes database includes a process table containing a process table value for each of the previously run computer resources processes (Fig 3).
Butler does not disclose the process table is a semaphore table and the process table value is a semaphore value, however, these limitations are taught by Probert (paragraph 24).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Butler’s invention using Probert’s teachings as discussed.  Butler’s invention does not limit how processes are tracked and identified in his whitelist, nor does he place limits on the types of processes his invention protects against.  Thus, the rationale for why it would be obvious to utilize Probert’s teachings in Butler’s invention to track processes in the whitelist is that doing so is nothing more than simple substitution of one known element for another to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495