Remarks
Claims 1-3, 5, 6, 8-10, 12, 13, 15-17, 19, and 20 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/26/2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 8/26/2022 have been fully considered but they are not persuasive.
Applicant appears to copy in every limitation from claim 1, provides Applicant’s understanding of a portion of the rejection, and alleges “The cited paragraphs are entirely silent with regard to selecting a system file.  The Examiner further states that any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example...’.  However, Sandoval fails to disclose an interception where the file is a system file.  However, in order to add clarity, claim 1 is amended reciting...” and discusses the amendment.  However, Applicant fails to provide any actual argument here with respect to “The cited paragraphs are entirely silent with regard to selecting a system file.  The Examiner further states that ‘any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example...’.  However, Sandoval fails to disclose an interception where the file is a system file.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  In fact, these arguments have been fully responded to previously:
Applicant alleges “In the Office Action, page 5, the Examiner argues that ‘Sandoval discloses selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file...’.  The cited paragraphs are entirely silent with regard to selecting a system file.  The Examiner further states that ‘any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example...’.  However, Sandoval fails to disclose an interception where the file is a system file.”  However, Applicant fails to provide any actual argument here.  Sandoval does, indeed, disclose that the file is a system file, such as by being part of the operating system’s kernel mode, for example.  Sandoval further discloses selecting a file, such as by intercepting an API call or other call from that file.  These disclosures are found in the citations provided in the office action and Applicant fails to provide any argument against these facts.  
As Applicant provides no actual argument, no further response is possible.  
Applicant then alleges that Sandoval does not disclose the amended portion of this limitation.  Sandoval is not cited as disclosing such.  Therefore, Applicant’s allegations are moot.  
Applicant then alleges “In the Office Action, the Examiner argues that Sandoval discloses ‘...obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of: system files of an operating system, and attributes of the system files, are stored, wherein information about the at least one system file or the attributes of the at least one system file is contained in the repository, the information including at least one of: a copy of the at least one system file, a path along which the at least one system file is located, data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file...’.  The Examiner cannot find this quotation in the final office action dated 7/13/2022.  Applicant is hereby respectfully requested to point out precisely where this quotation is found in the final office action dated 7/13/2022.   
Applicant goes on to reference the amendment to claim 1, provides Applicant’s understanding of a portion of the rejection and of the Ballard reference, appears to quote paragraph 42 of Ballard, and alleges “Ballard describes file path with regard to header information used to correlate critical area data blocks to corresponding original files.  Ballard’s file path which is in the header information has nothing to do with identification of attributes of selected system files by a security application and obtaining the identified attributes from the repository.  As such, the teaching of Ballard is not the same as or equivalent to the claim.”  The rejection does not cite Ballard as a 102 reference.  Therefore, Applicant’s allegations are moot.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  The Examiner thanks Applicant for admitting that Ballard discloses the file path for which Ballard is cited.  
Applicant then alleges “Moreover, the Examiner argues that it would be obvious to incorporate these features of Ballard into the malware detection system of Sandoval.  However, neither Ballard nor Sandoval suggests a motivation.  The Examiner appears to be using hindsight with the benefit of the present application to combine the references when neither reference provides such a motivation or suggestion.”  Applicant’s boilerplate argument does not provide any actual argument relevant to the instant application’s rejections.  The office action stated that “It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the accelerated scanning techniques of Ballard into the malware detection system of Sandoval in order to reduce the amount of data read from the hard drive, reduce the number of hard drive seeks that are required, to provide additional details regarding files for scanning, and/or to increase security in the system.”  Applicant has provided no argument against such, or even mentioned the motivation(s) whatsoever.  The motivation(s) are clearly found within the cited portions of Ballard, as cited in the office action.  Applicant has provided no argument against these facts, and Applicant’s general allegation with no actual argument is moot.  
Applicant then alleges that “Ballard is also silent as to” the selecting limitation.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Furthermore, Ballard does disclose that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed in Ballard’s disclosure of scanning a file if that file has been accessed/modified within last 6 months, for example.  
Applicant then alleges “With regard to the features previously recited in claim 4, the Office Action refers to Andruss for support.  However, Andruss merely describes time intervals for scanning files.  However, Andruss fails to disclose or suggest that the selected file is stored within a predetermined time interval from a time at which the selection is performed, or the selected file is accessed or modified by a user within a predetermined time interval from a time at which the selection is performed.”  To the contrary, Applicant just admitted that “Andruss ... describes time intervals for scanning files”, which precisely meets this, since such a file being stored on the device within the last interval will be scanned at the next scan.  Furthermore, Andruss was cited as disclosing that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed in Andruss’s disclosure of “add modified files to scan list for scanning at the end of the period, for example”.  Applicant has provided no argument there against.  Thus, such stands as fact.  
Applicant then appears to provide a general allegation with respect to Xie on pages 11-12.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
Applicant then appears to argue Park with respect to subject matter for which Park was not cited on pages 12-13.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
Applicant then appears to argue Ballard with respect to subject matter for which Ballard was not cited on pages 13-14 and provides a general allegation with respect to subject matter already argued above.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Furthermore, all relevant arguments here have already been fully responded to above.  
Applicant alleges “Muttik is silent as to” the selecting limitation.  However, Applicant fails to provide any reasons as to why Applicant believes this to be the case.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Muttik clearly discloses this subject matter as previously noted with respect to claims 1, 4, and 5, and not argued by Applicant.  
Applicant then provides a general allegation with respect to Xie.  However, Applicant fails to provide any reasons as to why Applicant believes this to be the case.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Xie clearly discloses this subject matter as previously noted with respect to claims 1, 4, and 5, and not argued by Applicant.  
Applicant then provides additional duplicate general allegations on pages 15 and on.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Please see the above.  

Claim Interpretation
It is noted that the claims include subject matter that has no patentable weight.  As an example, claim 1 states “selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file, wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed”.  However, this is a step of selecting a system file and does not define wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed, since this is not part of the selecting step.  Furthermore, these appear to be actions of a human user.  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-3, 5, 6, 8-10, 12, 13, 15-17, 19, and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 states “wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed”.  However, the application as originally filed does not have basis for this limitation.  In particular, the application as originally filed does not mention any user modifying any system file within a predetermined time interval from a time at which the selection is performed.  All independent claims have a similar issue and are rejected for the same reasons.  
Claim 1 states “wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed”.  Assuming that “the pre-determined time interval” is meant to reference “the predetermined time interval” (please see the antecedent basis rejection below), the application as originally filed does not have basis for both of these time intervals being the same, but rather, the application as originally filed references them completely separately as “a predetermined time interval” or the like.  All independent claims have a similar issue and are rejected for the same reasons.  
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-3, 5, 6, 8-10, 12, 13, 15-17, 19, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  
Claim 1 states “wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed”.  However, Applicant appears to be claiming human actions here, since a user is performing some function, which cannot be claimed.  Therefore, the claim is indefinite.  All independent claims have a similar issue and are rejected for the same reasons.  
Claim 1 recites the limitation "the pre-determined time interval" in the selecting limitation.  There is insufficient antecedent basis for this limitation in the claim.  All independent claims have a similar issue and are rejected for the same reasons.  
Claim 5 refers to “a pre-determined time interval”.  It is unclear if this is intended to be the same “pre-determined time interval” of claim 1, the “predetermined time interval” of claim 1 or some other time interval.  Applicant must amend the claim to properly reference an already set forth time interval or set forth a completely new time interval (e.g., “a first pre-determined time interval” and “a second pre-determined time interval”).  Claims 12 and 19 have the same issue and are rejected for the same reasons.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 6, 8, 12, 13, 15, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval (U.S. Patent Application Publication 2019/0318090) in view of Ballard (U.S. Patent Application Publication 2007/0266436).
Regarding Claim 1,
Sandoval discloses a method for identifying system files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Wherein information about the at least one system file or the attributes of the at least one system file is obtained in the repository, the information including data and at least one of a copy of the at least one system file, data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; sending data to the security service or other remote device, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware, wherein when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example);
But does not explicitly disclose that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed and that the data comprises a path along which the at least one system file is located.  
Ballard, however, discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures; file has been accessed/modified within last 6 months, for example); and
That the data comprises a path along which the at least one system file is located (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, and associated figures; information for a given file includes a variety of information, such as OS file name, file path, file number, hash of file path, checksum, file type, modification date, etc., as examples).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the accelerated scanning techniques of Ballard into the malware detection system of Sandoval in order to reduce the amount of data read from the hard drive, reduce the number of hard drive seeks that are required, to provide additional details regarding files for scanning, and/or to increase security in the system.  
Regarding Claim 8,
Claim 8 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 5,
Sandoval as modified by Ballard discloses the method of claim 1, in addition, Ballard discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures).  
Regarding Claim 12,
Claim 12 is a system claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 6,
Sandoval as modified by Ballard discloses the method of claim 1, in addition, Sandoval discloses that the identified at least one attribute of the selected at least one system file comprise at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68-72, and associated figures; hash, for example).  
Regarding Claim 13,
Claim 13 is a system claim that corresponds to method claim 6 and is rejected for the same reasons.  
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 6 and is rejected for the same reasons.  

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval in view of Ballard and Xie (U.S. Patent Application Publication 2014/0136893).
Regarding Claim 2,
Sandoval does not appear to explicitly disclose that the system file is contained in a server on which backups of the system files of the operating system are stored.  
Xie, however, discloses that the system file is contained in a server on which backups of the system files of the operating system are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; intact files stored at server for backups to send for repair as necessary, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the system file repair techniques of Xie into the malware detection system of Sandoval as modified by Ballard in order to allow the system to work on system files, to increase accuracy of file repair, to allow for multiple versions of each file and for repair of each, and/or to increase security in the system.  
Regarding Claim 9,
Claim 9 is a system claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.  

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval in view of Ballard and Park (U.S. Patent Application Publication 2009/0150997).
Regarding Claim 3,
Sandoval does not explicitly disclose that the at least one system file is selected randomly.  
Park, however, discloses that the at least one system file is selected randomly (Exemplary Citations: for example, Paragraph 39 and associated figures; randomly select file for scanning, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the file selection techniques of Park into the malware detection system of Sandoval as modified by Ballard in order to allow the system to spot check files, to provide additional selection techniques, to verify that the target file is valid for the file’s format prior to performing additional scanning, and/or to increase security in the system.  
Regarding Claim 10,
Claim 10 is a system claim that corresponds to method claim 3 and is rejected for the same reasons.  
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.  

Claims 1, 5, 6, 8, 12, 13, 15, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval (U.S. Patent Application Publication 2019/0318090) in view of Ballard (U.S. Patent Application Publication 2007/0266436) and Andruss (U.S. Patent 7,854,006).
Regarding Claim 1,
Sandoval discloses a method for identifying system files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Wherein information about the at least one system file or the attributes of the at least one system file is obtained in the repository, the information including data and at least one of a copy of the at least one system file, data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; sending data to the security service or other remote device, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware, wherein when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example);
But does not explicitly disclose that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed and that the data comprises a path along which the at least one system file is located.  
Ballard, however, discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures; file has been accessed/modified within last 6 months, for example); and
That the data comprises a path along which the at least one system file is located (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, and associated figures; information for a given file includes a variety of information, such as OS file name, file path, file number, hash of file path, checksum, file type, modification date, etc., as examples).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the accelerated scanning techniques of Ballard into the malware detection system of Sandoval in order to reduce the amount of data read from the hard drive, reduce the number of hard drive seeks that are required, to provide additional details regarding files for scanning, and/or to increase security in the system.  
Andruss also discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 3, lines 10-29; Column 3, line 42 to Column 4, line 44; Column 4, line 55 to Column 5, line 50; and associated figures; scan files after time intervals, for example; add modified files to scan list for scanning at the end of the period, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the differential virus scan techniques of Andruss into the malware detection system of Sandoval as modified by Ballard in order to reduce performance degradation resulting from scanning by reducing the number of files or objects to be scanned, to shorten the scan operation period without weakening protection of the computers, and/or to increase security in the system.  
Regarding Claim 8,
Claim 8 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 5,
Sandoval as modified by Ballard and Andruss discloses the method of claim 1, in addition, Ballard discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures).  
Regarding Claim 12,
Claim 12 is a system claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 6,
Sandoval as modified by Ballard and Andruss discloses the method of claim 1, in addition, Sandoval discloses that the identified at least one attribute of the selected at least one system file comprise at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68-72, and associated figures; hash, for example).  
Regarding Claim 13,
Claim 13 is a system claim that corresponds to method claim 6 and is rejected for the same reasons.  
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 6 and is rejected for the same reasons.  

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval in view of Ballard, Andruss, and Xie (U.S. Patent Application Publication 2014/0136893).
Regarding Claim 2,
Sandoval does not appear to explicitly disclose that the system file is contained in a server on which backups of the system files of the operating system are stored.  
Xie, however, discloses that the system file is contained in a server on which backups of the system files of the operating system are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; intact files stored at server for backups to send for repair as necessary, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the system file repair techniques of Xie into the malware detection system of Sandoval as modified by Ballard and Andruss in order to allow the system to work on system files, to increase accuracy of file repair, to allow for multiple versions of each file and for repair of each, and/or to increase security in the system.  
Regarding Claim 9,
Claim 9 is a system claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.  

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sandoval in view of Ballard, Andruss, and Park (U.S. Patent Application Publication 2009/0150997).
Regarding Claim 3,
Sandoval does not explicitly disclose that the at least one system file is selected randomly.  
Park, however, discloses that the at least one system file is selected randomly (Exemplary Citations: for example, Paragraph 39 and associated figures; randomly select file for scanning, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the file selection techniques of Park into the malware detection system of Sandoval as modified by Ballard and Andruss in order to allow the system to spot check files, to provide additional selection techniques, to verify that the target file is valid for the file’s format prior to performing additional scanning, and/or to increase security in the system.  
Regarding Claim 10,
Claim 10 is a system claim that corresponds to method claim 3 and is rejected for the same reasons.  
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.  

Claims 1, 2, 5, 6, 8, 9, 12, 13, 15, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muttik (U.S. Patent 6,963,978) in view of Xie, Sandoval, and Ballard.
Regarding Claim 1,
Muttik discloses a method for identifying files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one file and identifying at least one attribute of the selected at least one file, wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; determining file to scan, for example; scan newly received file, for example);
Obtaining, using the security application, attributes of the selected at least one file from a repository at which one or more of files and attributes of the files are stored (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; any attribute of the file, such as fingerprint, file itself, checksum, or the like, as examples);
Wherein information about the at least one file or the attributes of the at least one file is contained in the repository, the information including data and at least one of: a copy of the at least one file, a data and time at which the at least one file is added to the repository, and a hash sum of the at least one file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; any attribute of the file, such as fingerprint, file itself, checksum, or the like, as examples);
Checking the selected at least one file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; checking the above vs. fingerprints of innocent data and/or virus definitions, for example);
Comparing, using the security application, the attributes of the selected at least one file obtained from the repository against the identified at least one attribute of the selected at least one file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; checking the above vs. fingerprints of innocent data and/or virus definitions, for example);
When the identified at least one attribute of the selected at least one file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one file to a remote service for determining whether or not the at least one file contains malware (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; no match, send to the server for comparison with the database of backups of system files and/or attributes, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one file contains malware (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; server notifies client if the file is malicious or not, for example);
But does not explicitly disclose that the file is a system file, that the data comprises a path along which the at least one system file is located, that the repository may contain system files of an operating system, and when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware.  
Xie, however, discloses that the file is a system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; system files, for example);
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file, wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 26, and associated figures; system file selected via trigger or set time point, as examples, for scanning, for example; Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; system file scans discussed above can occur at predetermined times, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; attribute, such as hash or signature, for example);
Wherein information about the at least one system file or the attributes of the at least one system file is contained in the repository, the information including data and at least one of: a copy of the at least one system file, a data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; attribute, such as hash or signature, for example);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; comparing hash/signature/etc. to catalog, for example.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; comparing hash/signature/etc. to catalog, for example);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; sending system file to server if the hash/signature does not match, for example.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; response may include intact system file hash, intact system file itself, or the like, as examples.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the system file repair techniques of Xie into the malware detection system of Muttik in order to allow the system to work on system files, to increase accuracy of file repair, to allow for multiple versions of each file and for repair of each, and/or to increase security in the system.  
Sandoval, however, discloses when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example).  
Sandoval also discloses a method for identifying system files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Wherein information about the at least one system file or the attributes of the at least one system file is obtained in the repository, the information including data and at least one of a copy of the at least one system file, data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; sending data to the security service or other remote device, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware, wherein when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malicious software detection techniques of Sandoval into the malware detection system of Muttik as modified by Xie in order to allow the system to detect malicious use of APIs, to allow for evaluation of call stacks in determining malware, to explicitly provide a variety of information regarding malware to devices, and/or to increase security in the system.  
Ballard, however, discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures); and
That the data comprises a path along which the at least one system file is located (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the accelerated scanning techniques of Ballard into the malware detection system of Muttik as modified by Xie and Sandoval in order to reduce the amount of data read from the hard drive, reduce the number of hard drive seeks that are required, to provide additional details regarding files for scanning, and/or to increase security in the system.  
Regarding Claim 8,
Claim 8 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 2,
Muttik as modified by Xie, Sandoval, and Ballard discloses the method of claim 1, in addition, Xie discloses that the system file is contained in a server on which backups of the system files of the operating system are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; as above, for example).  
Regarding Claim 9,
Claim 9 is a system claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 5,
Muttik as modified by Xie, Sandoval, and Ballard discloses the method of claim 1, in addition, Muttik discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures);
Xie discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example); and
Ballard discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures).  
Regarding Claim 12,
Claim 12 is a system claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 6,
Muttik as modified by Xie, Sandoval, and Ballard discloses the method of claim 1, in addition, Muttik discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures); and
Xie discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example); and
Sandoval discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68-72, and associated figures).  
Regarding Claim 13,
Claim 13 is a system claim that corresponds to method claim 6 and is rejected for the same reasons.  
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 6 and is rejected for the same reasons.  

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Muttik in view of Xie, Sandoval, Ballard, and Park.
Regarding Claim 3,
Muttik as modified by Xie and Sandoval does not explicitly disclose that the at least one system file is selected randomly.  
Park, however, discloses that the at least one system file is selected randomly (Exemplary Citations: for example, Paragraph 39 and associated figures; randomly select file for scanning, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the file selection techniques of Park into the malware detection system of Muttik as modified by Xie, Sandoval, and Ballard in order to allow the system to spot check files, to provide additional selection techniques, to verify that the target file is valid for the file’s format prior to performing additional scanning, and/or to increase security in the system.  
Regarding Claim 10,
Claim 10 is a system claim that corresponds to method claim 3 and is rejected for the same reasons.  
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.  

Claims 1, 2, 5, 6, 8, 9, 12, 13, 15, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muttik in view of Xie, Sandoval, Ballard, and Andruss.
Regarding Claim 1,
Muttik discloses a method for identifying files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one file and identifying at least one attribute of the selected at least one file, wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; determining file to scan, for example; scan newly received file, for example);
Obtaining, using the security application, attributes of the selected at least one file from a repository at which one or more of files and attributes of the files are stored (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; any attribute of the file, such as fingerprint, file itself, checksum, or the like, as examples);
Wherein information about the at least one file or the attributes of the at least one file is contained in the repository, the information including data and at least one of: a copy of the at least one file, a data and time at which the at least one file is added to the repository, and a hash sum of the at least one file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; any attribute of the file, such as fingerprint, file itself, checksum, or the like, as examples);
Checking the selected at least one file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; checking the above vs. fingerprints of innocent data and/or virus definitions, for example);
Comparing, using the security application, the attributes of the selected at least one file obtained from the repository against the identified at least one attribute of the selected at least one file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; checking the above vs. fingerprints of innocent data and/or virus definitions, for example);
When the identified at least one attribute of the selected at least one file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one file to a remote service for determining whether or not the at least one file contains malware (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; no match, send to the server for comparison with the database of backups of system files and/or attributes, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one file contains malware (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures; server notifies client if the file is malicious or not, for example);
But does not explicitly disclose that the file is a system file, that the data comprises a path along which the at least one system file is located, that the repository may contain system files of an operating system, and when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware.  
Xie, however, discloses that the file is a system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; system files, for example);
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file, wherein the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 26, and associated figures; system file selected via trigger or set time point, as examples, for scanning, for example; Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; system file scans discussed above can occur at predetermined times, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; attribute, such as hash or signature, for example);
Wherein information about the at least one system file or the attributes of the at least one system file is contained in the repository, the information including data and at least one of: a copy of the at least one system file, a data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; attribute, such as hash or signature, for example);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; comparing hash/signature/etc. to catalog, for example.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; comparing hash/signature/etc. to catalog, for example);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; sending system file to server if the hash/signature does not match, for example.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; response may include intact system file hash, intact system file itself, or the like, as examples.  It is noted that the corruption discussed in Xie matches with the malware detection of Muttik).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the system file repair techniques of Xie into the malware detection system of Muttik in order to allow the system to work on system files, to increase accuracy of file repair, to allow for multiple versions of each file and for repair of each, and/or to increase security in the system.  
Sandoval, however, discloses when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example).  
Sandoval also discloses a method for identifying system files to be checked for malware using a remote service, the method comprising:
Selecting, using a security application, at least one system file and identifying at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; any selection of a file, such as by intercepting an API call or other call from that file, where the file is a system file, such as by being part of the operating system’s kernel mode, for example);
Obtaining, using the security application, attributes of the selected at least one system file from a repository at which one or more of system files of an operating system and attributes of the system files are stored (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Wherein information about the at least one system file or the attributes of the at least one system file is obtained in the repository, the information including data and at least one of a copy of the at least one system file, data and time at which the at least one system file is added to the repository, and a hash sum of the at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; attributes, such as ID, hash, signature, etc., as examples);
Checking the selected at least one system file for malware using a local database based at least on signature analysis (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
Comparing, using the security application, the attributes of the selected at least one system file obtained from the repository against the identified at least one attribute of the selected at least one system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; checking local whitelists, blacklists, reputations, hashes, signatures, etc., as examples);
When the identified at least one attribute of the selected at least one system file does not match the attributes obtained from the repository, sending, by the security application, the selected at least one system file to a remote service for determining whether or not the at least one system file contains malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; sending data to the security service or other remote device, for example); and
Receiving a response from the remote service indicating whether or not the selected at least one system file contains malware, wherein when the selected at least one system file contains malware, the response further includes a type of the malware and a harmfulness of the malware (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68, 69, 71, 72, and associated figures; getting reputation information, whitelist, blacklist, etc., from security service or other remote device, where reputation information includes threat type, score, severity, threat name, description, corrective actions, etc., for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malicious software detection techniques of Sandoval into the malware detection system of Muttik as modified by Xie in order to allow the system to detect malicious use of APIs, to allow for evaluation of call stacks in determining malware, to explicitly provide a variety of information regarding malware to devices, and/or to increase security in the system.  
Ballard, however, discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures); and
That the data comprises a path along which the at least one system file is located (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the accelerated scanning techniques of Ballard into the malware detection system of Muttik as modified by Xie and Sandoval in order to reduce the amount of data read from the hard drive, reduce the number of hard drive seeks that are required, to provide additional details regarding files for scanning, and/or to increase security in the system.  
Andruss also discloses that the selected at least one system file was accessed by or modified by a user within a predetermined time interval from a time at which the selection is performed, or stored on a computing device of the user within the pre-determined time interval from the time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 3, lines 10-29; Column 3, line 42 to Column 4, line 44; Column 4, line 55 to Column 5, line 50; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the differential virus scan techniques of Andruss into the malware detection system of Muttik as modified by Xie, Sandoval, and Ballard in order to reduce performance degradation resulting from scanning by reducing the number of files or objects to be scanned, to shorten the scan operation period without weakening protection of the computers, and/or to increase security in the system.  
Regarding Claim 8,
Claim 8 is a system claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 15,
Claim 15 is a medium claim that corresponds to method claim 1 and is rejected for the same reasons.  
Regarding Claim 2,
Muttik as modified by Xie, Sandoval, Ballard, and Andruss discloses the method of claim 1, in addition, Xie discloses that the system file is contained in a server on which backups of the system files of the operating system are stored (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example; as above, for example).  
Regarding Claim 9,
Claim 9 is a system claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to method claim 2 and is rejected for the same reasons.  
Regarding Claim 5,
Muttik as modified by Xie, Sandoval, Ballard, and Andruss discloses the method of claim 1, in addition, Muttik discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures);
Xie discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example); and
Ballard discloses that the selected at least one system file was modified within a pre-determined time interval from a time at which the selection is performed (Exemplary Citations: for example, Abstract, Paragraphs 34, 37, 43-45, 62, 63, and associated figures).  
Regarding Claim 12,
Claim 12 is a system claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to method claim 5 and is rejected for the same reasons.  
Regarding Claim 6,
Muttik as modified by Xie, Sandoval, Ballard, and Andruss discloses the method of claim 1, in addition, Muttik discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract; Column 4, line 59 to Column 6, line 16; Column 6, lines 23-57; Column 6, line 62 to Column 7, line 32; and associated figures); and
Xie discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 14-19, 21, 23, 25-30, 32-39, and associated figures, as well as corresponding disclosures in paragraphs 43-61, at least discussing the modules in figures 3 and 4, for example); and
Sandoval discloses that the identified at least one attribute of the selected at least one system file comprises at least a hash sum of the system file (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 21-25, 29, 31-37, 40, 41, 44, 45, 47, 48, 53-55, 61, 66, 68-72, and associated figures).  
Regarding Claim 13,
Claim 13 is a system claim that corresponds to method claim 6 and is rejected for the same reasons.  
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 6 and is rejected for the same reasons.  

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Muttik in view of Xie, Sandoval, Ballard, Andruss, and Park.
Regarding Claim 3,
Muttik as modified by Xie and Sandoval does not explicitly disclose that the at least one system file is selected randomly.  
Park, however, discloses that the at least one system file is selected randomly (Exemplary Citations: for example, Paragraph 39 and associated figures; randomly select file for scanning, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the file selection techniques of Park into the malware detection system of Muttik as modified by Xie, Sandoval, Ballard, and Andruss in order to allow the system to spot check files, to provide additional selection techniques, to verify that the target file is valid for the file’s format prior to performing additional scanning, and/or to increase security in the system.  
Regarding Claim 10,
Claim 10 is a system claim that corresponds to method claim 3 and is rejected for the same reasons.  
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to method claim 3 and is rejected for the same reasons.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/Primary Examiner, Art Unit 2432