Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

DETAILED ACTION
Claims 1-28 are pending in this office action. 

Priority
No foreign priority is claimed. The application is a continuation of US application # 16/709,379, filed on 12/10/2019.

Claim Objections
Claim 26 is objected to because of the following informalities:
Claim 26 incorrectly depends from claim 15, which appears to be a typographical error. Please amend the claim to depend from the system of claim 25.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-28 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over various claims of application# 16/709,379, now patent# 11,277,438 (referred to as ‘438 hereinafter). With regards to ‘438, claims 1-20 of ‘438 patent claim all the limitations set forth in the instant claims. Particularly, the instant independent claims 1, 14 and 25 are covered by the subject matter of the comparatively narrower independent claims 1 and 12 each of ‘438. Similarly, the instant claims 2-4 each are covered by one or more limitations of claim 1 of ‘438. The instant claims 5-13 are covered by claims 2-4, 6-11 respectively of ‘438. The instant claims 14-21 are covered by claims 12-14, 16-20 respectively of ‘438. The instant claims 22-24 each are covered by one or more limitations of claim 12 of ‘438. The instant claims 25-28 each are covered by one or more limitations of claim 12 of ‘438. As various limitations in the above claims of ‘438 cover the limitations of the instant claims, the instant claims are not patentably distinct from the specified claims of ‘438 as discussed above. 
Further, the system and computer program product (computer-readable medium) claims carry out method steps in a computing environment of the device/system. Therefore, it would be obvious to be able to carry out steps of a method, using a system or device or by computer executable computer program product code stored in a statutory computer readable medium executed by a processor, thereby making the limitations of the independent claims 1 and 12 of ‘438 read interchangeably on various respective limitations of instant claims cited above.
This is a non-provisional obviousness-type double patenting rejection because the conflicting claims have been patented.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-7, 11, 13, 14-17, 21-28 are rejected under 35 U.S.C. 102(a)(1), 102(a)(2) as being anticipated by Brewer et al. (US 2019/0235973 A1, hereinafter Brewer).
For claim 1, Brewer teaches a method comprising: receiving, by a processing resource associated with a sandbox service, a file containing malware via a communication network from an endpoint device and contextual information associated with the file, wherein the endpoint device has been infected by the malware (Fig. 1, 6; para 0004, 0064-0070, 0077, 0087 - malicious activity detected at a device (endpoint) that is infected, and the respective file/code is sent to the sandboxing service using file or its backup, and wherein the journal file (snapshots) and other data (as contextual information) pertaining to restoration from the ransomware damage based on restore operations); 
capturing, by the processing resource, information regarding a first series of actions performed by the malware, wherein the capturing is done based at least in part upon receiving the file and the contextual information (para 0063, 0066-0067, 0084-0086 - infection point based on time, and the events represented by snapshots at specific times corresponding to activity recorded in the snapshot or in the incremental backup associated with anomaly or the malware activities); 
generating, by the processing resource, a remediation script specifying a second series of actions that are configured to restore the endpoint device to a pre-infected state representing a state of the endpoint device prior to being infected by the malware, wherein the generating is based at least in part on the first series of actions (para 0063-0066, 0087 - steps or scripting of process that performs restoration based on pertinent and required data for restoring the system/file state to the pre-infected state); and 
transferring, by the processing resource, the remediation script to the endpoint device via the communication network (para 0062-0064, 0087-0089 - disaster recovery system receives the script that can cause the endpoint device to be restored to a good previous state via series of steps or scripted execution involving snapshots or incremental backups in a series).

For claim 2, Brewer teaches the method further comprising: causing, by the processing resource, the endpoint device to execute the remediation script (para 0062-0064, 0087-0089 - disaster recovery system causes the endpoint device to be restored to a good previous state via a series of steps or scripted execution involving snapshots or incremental backups in a series).

For claim 3, Brewer teaches the method of claim 2, wherein executing the remediation script returns the endpoint device to the pre-infected state (para 0063-0066, 0087 - steps or scripting of process that performs restoration based on pertinent and required data for restoring the system/file state to the pre-infected state).

For claim 4, Brewer teaches wherein each action of the first series of actions is associated with a time stamp (para 0063, 0066-0067, 0084-0086 - infection point based on time, and the events represented by snapshots at specific times wherein the time corresponds to activity recorded in the snapshot or in the incremental backup associated with anomaly or the malware activities).

For claim 5, Brewer teaches wherein the contextual information is captured by the endpoint device responsive to detection of a suspicious or malicious event detected by the endpoint device that relates to a process running on the endpoint device that is associated with the file (para 0063, 0065-0067, 0084-0086 - the events represented by snapshots at specific times corresponding to activity recorded in the snapshot or in the incremental backup associated with anomaly or the malware activities also based on detection of divergence from the expected normal activities).

For claim 6, Brewer teaches the method of claim 5, wherein the contextual information includes: command line information associated with the process; an execution chain associated with the process; a memory dump associated with the process; information indicative of an application with which the process is associated; information identifying an end user associated with the process; or environment variables associated with the process (para 0044-0045, 0064-0067 - application details are captured in snapshots that include anomalies associated therewith).

For claim 7, Brewer teaches wherein the sandbox service is a cloud-based security service (Fig. 1, 2; para 0017, 0021, 0028, 0044-0045 - cloud-based security platform including disaster recovery system).

For claim 11, Brewer further teaches wherein the sandbox service captures the information regarding the first series of actions by tracing operating system code of the endpoint device (para 0045, 0064, 0075 - snapshot includes a copy of operating system code).

For claim 13, Brewer teaches the claimed subject matter as discussed above. Brewer further teaches wherein the sandbox service captures the information regarding the first series of actions based on at least one of static analysis or dynamic analysis of the file (para 0016, 0067 - recording new and modified files as a dynamic way of checking files for malware or anomaly; para 0070 - may be viewed as static file analysis using backup data).

For claim 14, the claim limitations are similar to those of claim 1, except the instant claim 14 is drawn to a non-transitory computer-readable storage medium embodying a set of instructions (Brewer - para 0098-0100), which when executed by one or more processing resources, performs the method as claimed in claim 1 above. Therefore, the instant claim 14 is rejected according to claim 1 as above.

As to claims 15-16, the claim limitations are similar to those of claims 5-6 respectively. Therefore, the instant claims 15-16 are rejected according to claims 5-6 respectively as above.

As to claim 17, Brewer teaches wherein the sandbox service is in a form of a virtual sandbox appliance (para 0077, 0087).

For claim 21, Brewer teaches the claimed subject matter as discussed above. Brewer further teaches wherein the sandbox service captures the information regarding the first series of actions based on at least one of static analysis or dynamic analysis of the file (para 0016, 0067 - recording new and modified files as a dynamic way of checking files for malware or anomaly; para 0070 - may be viewed as static file analysis using backup data).

As to claims 22-24, the claim limitations are similar to those of claims 2-4 respectively. Therefore, the instant claims 22-24 are rejected according to claims 2-4 respectively as above.

For claim 25, the claim limitations are similar to those of claim 1, except the instant claim 25 is drawn to a system for malware recovery, the system comprising: a processing resource associated with a sandbox service; and a non-transitory computer-readable medium accessible by the processing resource, wherein the non-transitory computer-readable medium includes a set of instructions (Brewer - para 0037-0039, 0098-0100), which when executed by one or more processing resources associated with a sandbox service, causes the one or more processing resources to perform the method as claimed in claim 1 above. Therefore, the instant claim 25 is rejected according to claim 1 as above.

As to claims 26-28, the claim limitations are similar to those of claims 22-24 respectively. Therefore, the instant claims 26-28 are rejected according to claims 22-24 respectively as above.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 8-10, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al. (US 2019/0235973 A1, hereinafter Brewer), in view of Cohen et al. (US 2020/0143054 A1, Cohen hereinafter).
For claim 8, although Brewer teaches a series of steps to be taken to remediate the anomaly introduced by malware, such that it would be obvious to one of ordinary skill in the art to integrate such steps into an actionable script, Brewer does not appear to explicitly teach wherein the second series of actions are based on reverse actions of the first series of actions. Cohen, however, teaches this limitation (para 0024-0027, 0178, 0196 - undo operations which are the opposite of what was executed). Based on Brewer in view of Cohen, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Cohen in the system of Brewer in order to use a sequence of steps as a plan or a scripted sequence, thereby better organizing the execution of remediation or any such operation, which also facilitates associating such a plan or series of steps with any of the vast variety of scripting tools at the users' disposal, thereby making the system organized, more efficient and extensible.

For claim 9, although Brewer teaches a series of steps to be taken to remediate the anomaly introduced by malware, such that it would be obvious to one of ordinary skill in the art to integrate such steps into an actionable script, Brewer does not appear to explicitly teach wherein each action of the first series of actions is associated with an undo recipe that is used to generate the remediation script specifying the second series of actions. Cohen, however, teaches this limitation (para 0024-0028, 0178, 0196 - undo operations which are the opposite of what was executed, resulting in an undo remediation plan corresponding to the second series of actions). Based on Brewer in view of Cohen, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Cohen in the system of Brewer in order to use a sequence of steps as a plan or a scripted sequence, thereby better organizing the execution of remediation or any such operation, which also facilitates associating such a plan or series of steps with any of the vast variety of scripting tools at the users' disposal, thereby making the system organized, more efficient and extensible.

For claim 10, Brewer does not appear to explicitly teach, but Cohen further teaches, wherein the first series of actions include one or more of: a change in a registry file of the endpoint device; a change in a system file of the endpoint device; addition of a new user account on the endpoint device; addition of a new firewall rule; and a change to an existing firewall rule (para 0011-0015, 0043, 0084, 0179 - registry or other rules changed by malware).

As to claims 18-20, the claim limitations are similar to those of claims 8-10 respectively. Therefore, the instant claims 18-20 are rejected according to claims 8-10 respectively as above.
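The following is an added illustration of the claimed arrangement discussed for claims 8-10 (and their counterparts 18-20): a captured first series of time-stamped actions, a per-action-kind undo recipe, and a generated remediation script listing the reverse actions. It is not code from the applicant, from Brewer or from Cohen; the action kinds follow the list in claim 10, while every function name, field name, command string and sample value is a hypothetical chosen for this example.

```python
# Added example: undo-recipe based remediation script generation.
# Not the applicant's, Brewer's or Cohen's code; all names, command
# strings and sample values are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List, Mapping, Optional


@dataclass
class Action:
    timestamp: float                      # each captured action carries a time stamp
    kind: str                             # registry, system file, user account, firewall rule
    params: Mapping[str, Optional[str]]   # what the malware changed, as captured by the sandbox


UndoRecipe = Callable[[Action], str]


def undo_registry(a: Action) -> str:
    # Put the old value back, or delete the value if the malware created it.
    if a.params.get("old_data") is None:
        return f'reg delete "{a.params["key"]}" /v "{a.params["name"]}" /f'
    return (f'reg add "{a.params["key"]}" /v "{a.params["name"]}" '
            f'/t REG_SZ /d "{a.params["old_data"]}" /f')


def undo_system_file(a: Action) -> str:
    # Restore the pre-infection copy from a snapshot or backup location.
    return f'copy /y "{a.params["backup_path"]}" "{a.params["path"]}"'


def undo_user_account(a: Action) -> str:
    return f'net user "{a.params["username"]}" /delete'


def undo_firewall_rule_added(a: Action) -> str:
    return f'netsh advfirewall firewall delete rule name="{a.params["rule"]}"'


def undo_firewall_rule_changed(a: Action) -> str:
    # Reinstate the rule's previous action (allow/block) recorded before the change.
    return (f'netsh advfirewall firewall set rule name="{a.params["rule"]}" '
            f'new action={a.params["old_action"]}')


# One undo recipe per action kind; kinds not listed here get no automatic reverse action.
RECIPES: Dict[str, UndoRecipe] = {
    "registry_change": undo_registry,
    "system_file_change": undo_system_file,
    "user_account_added": undo_user_account,
    "firewall_rule_added": undo_firewall_rule_added,
    "firewall_rule_changed": undo_firewall_rule_changed,
}


def generate_remediation_script(first_series: List[Action]) -> List[str]:
    """Map the captured first series of actions to the reverse second series.

    Actions are undone newest-first so that a later change to the same object
    is reverted before an earlier one. A kind with no recipe is surfaced as a
    comment line rather than silently skipped, so the analyst sees what still
    needs manual work.
    """
    script = ["@echo off", "rem remediation script generated by sandbox service"]
    for a in sorted(first_series, key=lambda x: x.timestamp, reverse=True):
        recipe = RECIPES.get(a.kind)
        if recipe is None:
            script.append(f"rem MANUAL: no undo recipe for {a.kind} at t={a.timestamp}")
        else:
            script.append(recipe(a))
    return script


# Constructed sample of a captured first series (hypothetical values, in time order).
SAMPLE_FIRST_SERIES: List[Action] = [
    Action(1.0, "system_file_change",
           {"path": r"C:\Windows\System32\drivers\etc\hosts",
            "backup_path": r"\\snapshots\pre\hosts"}),
    Action(2.0, "registry_change",
           {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            "name": "Updater", "old_data": None}),
    Action(3.0, "user_account_added", {"username": "svc_backup"}),
    Action(4.0, "firewall_rule_added", {"rule": "AllowC2"}),
    Action(5.0, "firewall_rule_changed", {"rule": "Block Outbound", "old_action": "block"}),
    Action(6.0, "scheduled_task_added", {"task": "Updater"}),   # no recipe: flagged for manual review
]


if __name__ == "__main__":
    for line in generate_remediation_script(SAMPLE_FIRST_SERIES):
        print(line)
```

The script is returned as a list of lines rather than executed, which keeps the generation step (the sandbox side) separate from the transfer and execution step (the endpoint side), and lets the reverse series be reviewed before it is applied.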


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al. (US 2019/0235973 A1, hereinafter Brewer), in view of Largman et al. (US 2010/0005531 A1, Largman hereinafter).
For claim 12, Brewer does not appear to explicitly teach, but Largman further teaches, wherein a three-dimensional in-memory graph represents the first series of actions in an operating system of the endpoint device (para 0276-0280 - a three- and four-dimensional virtual space is created in memory to store events in the device operating system). Based on Brewer in view of Largman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize the teachings of Largman in the system of Brewer in order to use various memory-based structures to organize and utilize data during security processing of the data elements, thereby making the system more efficient and extensible.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433