DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This action is in response to the communications and remarks filed on 10/11/2022. Claims 1, 2, 4, and 19 are amended. Claim 17 is canceled. Claim 21 is newly added. Claims 1-16 and 18-21 have been examined and are pending.
Response to Arguments
Applicant’s amendment to trademarks and typographical errors in the specification is acknowledged. The claim has been reviewed, entered, and found to obviate the previously raised objection for minor informalities. The objection to the specification is hereby withdrawn.
Applicant's amendment to claims 1 and 19-20 is acknowledged. The claim has been reviewed, entered, and found to obviate the previously raised rejection under 35 USC 112 2nd. The rejection under 35 USC 112 2nd of claims 1 and 19-20 is hereby withdrawn.
Acknowledgement to Applicant's amendments to claims 1 and 19-20 have been noted. The claims have been reviewed, entered and found obviating to previously raised rejection under 35 USC 112 6th after reviewing a 101 rejection may have been initiated; yet through an interview an agreement was made to clarify the hardware. Rejection under 35 USC 112 6th to claims 1 and 19-20 is hereby withdrawn.
Applicant's response to the obviousness-type double patenting rejection set forth in the Non-Final Office Action mailed 07/11/2022 is acknowledged. After further review, co-pending application 16/383315 and US Patent 9,984,248 B2 do not specifically claim or recite a similar scope or concept and are distinct from the instant application. The Examiner withdraws the Double Patenting rejection.
	
Applicants’ arguments in the instant Amendment, see pages 10-11, filed 10/11/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Claim Rejections - 35 U.S.C. § 103 Independent claims 1, 4, and 19 are rejected under AIA  35 U.S.C. § 103 as being unpatentable over Berger (US 2017/0302458) in view of Bedhapudi (US 2019/0108341). However, Berger and Bedhapudi, alone or in any valid combination have not been shown to have described or made obvious all of the limitations recited in independent claims 1, 4, and 19. 
Berger describes "an environment for threat management."8 In this context: 
[A]n administration facility 134 may configure policy rules that determine interactions, such as developing rules for accessing applications, as in who is authorized and when applications may be used; establishing rules for ethical behavior and activities; rules governing the use of entertainment software such as games, or personal use software such as IM and VoIP; rules for determining access to enterprise facility 102 computing resources, including authentication, levels of access, risk assessment, and usage history tracking; rules for when an action is not allowed, such as whether an action is completely deigned or just modified in its execution; and the like.9
However, use of "an administration facility" to "configure policy rules that determine interactions" as described by Berger is different than "updating the one or more additional rules based on one or more events detected on the compute instance indicative of a change in a security posture of the compute instance" as recited in independent claims 1 and 4, and is different than "updating the number of file integrity monitoring rules based on one or more events detected on the compute instance indicative of a change in security posture of the compute instance," as recited in independent claim 19.” 
The Examiner disagrees with the Applicant’s arguments. The Examiner respectfully submits that Berger does disclose "updating the one or more additional rules based on one or more events detected on the compute instance indicative of a change in a security posture of the compute instance;" as well as "updating the number of file integrity monitoring rules based on one or more events detected on the compute instance indicative of a change in security posture of the compute instance”. First, these independent claims 1 and 4, as well as independent claim 19, are conceptually similar and a restriction was not conducted. The Examiner broadly interpreted the “additional rules” as conceptually similar to “file integrity monitoring rules.” The specification states: “supports monitoring of system-critical, enterprise-critical and user-critical data by reporting events to a threat management facility in response to changes in certain files, folders, registry keys and registry values of the computing environment in which the system is operating and/or monitoring; and dynamically create, adapt and apply context-based rules to improve the sensitivity and relevance of reported events to undesirable changes in the data footprint of a monitored device" [specification, para 0004]. Hence, these are the rules to be performed by the computer program product and method presented in independent claims 1 and 4, respectively, of the invention. There does not appear to be any additional rule beyond what is presented; as such, the Examiner interpreted conceptually similar in the system of independent claim 19.
Moreover, when broadly interpreted and after further review of the specification; update "additional rules based on events" versus "file monitoring rules based on events" are conceptually the same. The claim limitations apply to rules or policies. There are no further distinctions between these grouping of independent claims discussed in the specifications; as such, Examiner treated the same yet with slightly different embodiments of Berger as independent claim 1 presents "...a data integrity monitor..."; independent claim 4 presents "a file integrity monitor..." and independent claim 10 presents "a file integrity monitor..." For clarity, Examiner has parsed out the claim limitations for independent claim 19 as well. Keep in mind Examiner did not interpret this independent claim 19 as another distinct invention which may have required a restriction.  
Therefore, independent claims 4 and 19 have similar mapped citations referring to the embodiment in Fig. 7 rejected below. Further, a file contains and/or is data. As such, Berger is maintained to reject these aforementioned limitations of independent claims 1, 4, and 19.
Applicant’s arguments: “Bedhapudi describes "ransomware detection and data pruning management” 10 embodiment, Bedhapudi describes a method "for improving the anomaly detection engine 320 based on user feedback."11 In this context an "anomaly detection engine 320 updates the anomaly detection threshold based on the feedback."12 However, "improving the anomaly detection engine 320 based on user feedback" as described by Bedhapudi is different than "updating the one or more additional rules based on one or more events detected on the compute instance indicative of a change in a security posture of the compute instance" as recited in independent claims 1 and 4, and is different than "updating the number of file integrity monitoring rules based on one or more events detected on the compute instance indicative of a change in security posture of the compute instance." as recited in independent claim 19. 
Because the Office has not shown that Berger and Bedhapudi, alone or in any valid combination, describe or make obvious at least these claim limitations, the independent claims are believed to be patentable over the cited art. The remaining claims depend from an allowable base claim and are likewise believed to be in condition for allowance.”
The Examiner disagrees with the Applicant’s arguments. The objective of the invention appears to be an improved monitoring approach to data interaction events to ensure addressing/investigating potential threats to file integrity of system-critical and enterprise-critical data of enterprise networks; where the system dynamically creates, adapts, and applies context-based rules to improve sensitivity and relevance of reported events to undesirable changes in the data footprint of a monitored device [specification, paras 0003-0004]. 
Bedhapudi does describe a ransomware detection and data pruning management application where “ransomware attacks may be detected by analyzing the I/O activity in a given file system. In some embodiments, a software module running on a client machine manages copying, archiving, migrating, and/or replicating of primary data and restoring and/or pruning secondary data (e.g., backup copies of the primary data). When a potential ransomware attack is detected, the software module is immediately stopped so that the software module does not prune any data that may need to be restored” [Bedhapudi, Abstract].
The Examiner respectfully submits that Bedhapudi also discloses aspects of "updating the one or more additional rules based on one or more events detected on the compute instance indicative of a change in a security posture of the compute instance;" as well as "updating the number of file integrity monitoring rules based on one or more events detected on the compute instance indicative of a change in security posture of the compute instance.” 
However, Bedhapudi was brought in as a secondary reference to teach changes in the number of files based on a file monitoring specification received from a user or number of files based on a file monitoring specification received from a user. As such, the Bedhapudi reference is maintained below.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-4, 7, 9-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Berger et al., hereinafter (“Berger”), US PG Publication (20170302458 A1), in view of Bedhapudi et al., hereinafter (“Bedhapudi”), US PG Publication (20190108341 A1).
Regarding currently amended claims 1, 4, and 19-20, Berger teaches a computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing one or more computing devices, performs the steps of; a method comprising; and a system comprising: 
instrumenting a compute instance with a data integrity monitor, the data integrity monitor configured with a number of rules to report events; [Berger, ¶¶0053 and 0058 : The security management facility 122 provide reporting on suspect devices and the like. The threat management facility 100 may provide a policy management facility 112 that include rules to determine allowable request, type of access to be granted, etc. ¶0068: the network access rules facility 124 may send an information file to the client facility containing; where the data file may contain a number of commands, definitions, instructions...]  
instrumenting a compute instance with a file integrity monitor, the file integrity monitor configured with a number of rules to detect interactions with files on the compute instance; [Berger, ¶¶0165 and 0169-0170: Fig. 7 shows endpoint protection in an enterprise network security system, include a processing environment 702, a file system 706, a threat monitor 720 and a key wrapper 730. The threat monitor 720 may also or instead use reputation to evaluate the security state, source files or executable code of processes 704. The extension 710 communicates with a threat monitor 720 in order to receive updates, monitors and reports on the security status and exposure status of the processes 704 on the endpoint.]
dynamically managing one or more additional rules in the number of rules for the file integrity monitor to detect interactions with the files based on a context of the compute instance, wherein the context includes an attempt to tamper with one or more protected files on the compute instance. [Berger, ¶0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction. ¶0106: coloring system 310 for improved tracking and detection of potentially harmful activity; variety of technique dynamically label software objects, as well as rules for propagating , inheriting, changing, or otherwise manipulating such labels]
updating the one or more additional rules based on one or more events detected on the compute instance indicative of a change in a security posture of the compute instance; [Berger, ¶¶0070-0071: In an embodiment, the network administration facility 134 may be able to maintain a set of access rules manually by adding rules, changing rules, deleting rules, or the like. The policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction. Detection techniques, such as scanning a computer's stored files, may provide the capability of checking files for stored threats, either in the active or passive state (indicative of a change in a security posture of the compute instance).]
monitoring data usage on the compute instance according to one or more rules of the number of rules; and [Berger, ¶¶0110-0114: system 400 shown in Fig. 4 include a number of endpoints 402, 412 and a threat management facility 404; which monitors any stream of data from an endpoint 402 exclusively, or use the full context of intelligence from the stream of all protected endpoints, in an enterprise 410.]
reporting one or more events impacting file integrity based on one or more rules of the number of rules. [Berger, ¶¶0053 and 0058: The security management facility 122 provide reporting on suspect devices and the like. The threat management facility 100 may provide a policy management facility 112 that include rules to determine allowable request, type of access to be granted, etc.]
a file integrity monitor deployed on a compute instance, the file integrity monitor executing on a processor and configured to report file integrity impacting events in response to indications of interactions with data on the compute instance; [Berger, ¶¶0165 and 0169-0170: Fig. 7 shows endpoint protection in an enterprise network security system, include a processing environment 702, a file system 706, a threat monitor 720 and a key wrapper 730. The threat monitor 720 may also or instead use reputation to evaluate the security state, source files or executable code of processes 704. The extension 710 communicates with a threat monitor 720 in order to receive updates, monitors and reports on the security status and exposure status of the processes 704 on the endpoint.] 
a rules engine, executing on a processor, that adapts the number of file integrity monitoring rules based on a context of the compute instance in order to dynamically adjust the set of file integrity monitoring rules based on additional information about the compute instance provided by the context [See Berger, ¶0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction. ¶0106: coloring system 310 for improved tracking and detection of potentially harmful activity; variety of technique dynamically label software objects, as well as rules for propagating , inheriting, changing, or otherwise manipulating such labels], the rules engine further updating the number of file integrity monitoring rules based on one or more events detected on the compute instance indicative of a change in security posture of the compute instance, [See Berger, ¶¶0070-0071: In an embodiment, the network administration facility 134 may be able to maintain a set of access rules manually by adding rules, changing rules, deleting rules, or the like. The policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction. Detection techniques, such as scanning a computer's stored files, may provide the capability of checking files for stored threats, either in the active or passive state (indicative of a change in a security posture of the compute instance).]
wherein the file integrity monitor is further configured for monitoring data usage on the compute instance according to one or more rules of the number of rules [See Berger, ¶¶0110-0114: system 400 shown in Fig. 4 include a number of endpoints 402, 412 and a threat management facility 404; which monitors any stream of data from an endpoint 402 exclusively, or use the full context of intelligence from the stream of all protected endpoints, in an enterprise 410.] and for reporting one or more events impacting file integrity based on one or more rules of the number of rules. [See Berger, ¶¶0053 and 0058: The security management facility 122 provide reporting on suspect devices and the like.]
While Berger teaches a file integrity monitor  [Berger, ¶¶0165 and 0169-0170: extension 710 communicates with a threat monitor 720]; however, Berger fails to explicitly teach but Bedhapudi teaches creating a first set of rules in the number of rules for the file integrity monitor to detect changes in the files based on an operating system for the compute instance; [Bedhapudi, ¶0004: The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. ¶0118: administrators and others may configure/initiate information management policy 148 that include information source that specifies parameters (i.e. rules).]
creating a second set of rules in the number of rules for the file integrity monitor to detect changes in the number of files based on a file monitoring specification received from a user; [See Bedhapudi, ¶0118. ¶0004: The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed. The recorded number is compared against a threshold.]
a number of file integrity monitoring rules including a first set of rules by which the file integrity monitor detects indications of changes in files based on characteristics of an operating system for the compute instance [See Bedhapudi, ¶0004: The software module records the number of times the files in the file system are modified, created, deleted, and/or renamed... ¶0063: inspection director 110A may include a first client component and a second server executed by ADP analytics server computing device 104/ ADP accelerator 106. ¶¶0069-0070: Specific data may be identified to be associated with a particular inspection class policy through use of various data rules; Criteria used to identify specific data may include data rule] and a second set of rules by which the file integrity monitor detects indications of changes in the data based on a data monitoring specification received from a user; [Bedhapudi, ¶¶0061 and 0063: input device allows user of client computing device 102 to manipulate user interface of inspection director 110 providing inputs to inspection director 110A may include a first client component and a second server executed by ADP analytics server computing device 104/ ADP accelerator 106. ¶0069: inspection class policy may define inspection operation: a data protection pattern change] and 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings just-in-time of Berger before him or her by including the teachings ransomware detection and data pruning management of  Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi [Bedhapudi, ¶0083 and 0201].  
 
Regarding claim 2, the combination of Berger and Bedhapudi teach claim 1 as described above.
Berger teaches further comprising code that performs the step of monitoring the number of files with the file integrity monitor according to the number of rules. [Berger, ¶0064: threat management facility 100 create definition updates accessed by security management facility 122 that applies a number of commands/definitions/instructions]
 
Regarding claim 3, the combination of Berger and Bedhapudi teach claim 2 as described above.
Berger teaches further comprising reporting detections by the file integrity monitor based upon the number of rules to a threat management facility for an enterprise network associated with the compute instance. [Berger, ¶0053: reporting on suspect devices]

Regarding claim 7, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein the context includes an indication of compromise for the compute instance. [Berger, ¶0127: An indication of compromise (IOC) monitor 421 may be provided to instrument the endpoint 402 so that any observable actions by or involving various objects 418 can be detected.]

Regarding claim 9, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies at least one of a reputation of an application interacting with the data, an authentication level of a source of interactions with the data, and a type of application interacting with the data. [Berger, ¶0067: threat management facility 100 provides controlled access based on certain criteria: method of authentication, connection type, etc. ¶0059 and 0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction]
 
Regarding claim 10, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies a type of information in the data for a detected interaction. [Berger, ¶0056: type of feedback may be useful for any aspect of threat detection. Feedback of information may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like.]
 
Regarding claim 11, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the additional rules specifies a sensitivity of information in the data for a detected interaction. [Berger, ¶0129: ... the IOC monitor 421 applies rules to determine when there is an IOC 422 suitable for reporting to a threat management facility 404; identify inconsistencies or unexpected behavior within a group of actions with improved sensitivity]
 
Regarding claim 12, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the number of rules is a data control rule specifying a permitted file interaction based on at least one of a destination, a file name, a file extension, and a file type associated with a permitted file transfer or an excluded file transfer. [Berger, ¶0210: user interface 1005 presented on display by host 1004 of files selected from a remote location; where the file include file types/multiple file types described from a container 1014 for portable encrypted content. ¶0223: selection of file for encryption and outbound transfer via file transfer.]
 
Regarding claim 13, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein one of the number of rules is a content control rule specifying conditions for permitted interactions with a data type including at least one of confidential data, financial data, and personally identifiable data. [Berger, ¶0123: descriptor 420 provided to multi-tiered/hierarchical description of object 418; include financial]
 
Regarding claim 14, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, Berger fails to explicitly teach but Bedhapudi teaches wherein at least one of the number of rules is selected for compliance with a policy based on one or more of Payment Card Industry standards, Health Insurance Portability and Accountability Act standards, and General Data Protection Regulation standards. [Bedhapudi, ¶0254: information governance policies include: HIPAA (Health Insurance Portability and Accountability Act)]
 Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings just-in-time of Berger before him or her by including the teachings ransomware detection and data pruning management of  Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the compliance policies of HIPAA as taught by Bedhapudi [Bedhapudi, ¶0254].  

Regarding claim 15, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches further comprising providing a user interface for interaction with the number of rules for the compute instance. [Berger, ¶0070: ... the network administration facility 134 may be able to maintain a set of access rules manually by adding rules, changing rules, deleting rules, or the like.  ¶0076: thin clients 144 provide graphical user interface by application server facility 142 for managing threat protections of the threat management facility 100]
 
Regarding claim 16, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches wherein the first set of rules include default rules provided for the compute instance based on a detection of the operating system. [Berger, ¶0152: the default system does not include any additional shade of access control]
 
Regarding claim 18, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, Berger fails to explicitly teach but Bedhapudi teaches wherein the context includes interactions detected according to at least one of the first set of rules and the second set of rules. [Bedhapudi, ¶0145: ...certain functions of system 100 can be distributed amongst various physical and/or logical components. For instance, one or more of storage manager 140, data agents 142, and media agents 144 may operate on computing devices that are physically separate from one another; The secondary computing devices 106 on which media agents 144 operate can be tailored for interaction with associated secondary storage devices 108 and provide fast index cache operation, among other specific tasks. Similarly, client computing device(s) 102 can be selected to effectively service applications 110 in order to efficiently produce and store primary data 112.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings just-in-time of Berger before him or her by including the teachings ransomware detection and data pruning management of  Bedhapudi. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the distributed, scalable architecture functionality to tailor interactions as taught by Bedhapudi [Bedhapudi, ¶0145].  
  
Regarding claim 20, the combination of Berger and Bedhapudi teach claim 4 as described above.
Berger teaches further comprising a threat management facility coupled in a communicating relationship with the compute instance and configured to analyze data from the file integrity monitor in order to detect a threat on the compute instance or initiate a remediation of the compute instance. [Berger, ¶0064: threat management facility 100 creates definition updates, detects, and remediates the latest malicious software; threat definition facility 114 contain threat identification updates/definition files.]

Claims 5-6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Berger et al., hereinafter (“Berger”), US PG Publication (20170302458 A1), in view of Bedhapudi et al., hereinafter (“Bedhapudi”), US PG Publication (20190108341 A1), in view of Christian, US PG Publication (20200204574 A1).
Regarding claim 5, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes an attempt to tamper with one or more protected files on the compute instance. [Christian, ¶0160: For example, event 140 may represent a 500 server-error occurring on a web-server of network 108. This event/error may be due to an intrusion attempt by a hacker, such as by using SQL injection or a null-bit manipulation, resulting in tampering of server logs and/or theft of protected data.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with functionality to address intrusion attempts by Christian [Christian, ¶0160].  
 
Regarding claim 6, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes a signal from a data leakage prevention system for the compute instance. [Christian, ¶0122: packet analysis module 118 augments DPI analysis where a high number of superfluous packets signal a data exfiltration attempt wherein the data thief attempts to conceal private data]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with signal functionality to indicate thief attempts [Christian, ¶0122].  

Regarding claim 8, the combination of Berger and Bedhapudi teach claim 4 as described above.
However, the combination of Berger and Bedhapudi fail to explicitly teach but Christian teaches wherein the context includes information from an installer for one or more applications installed on the computer instance. [Christian, ¶0208: after instant data surveillance system 520 is installed in environment of organization in Fig. 12, it first ingests the data of PLM system 504A and their associated metadata to develop its baseline 120]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of data surveillance for privileged assets based on threat streams of Christian. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with the associated metadata [Christian, ¶0122].

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Berger et al., hereinafter (“Berger”), US PG Publication (20170302458 A1), in view of Bedhapudi et al., hereinafter (“Bedhapudi”), US PG Publication (20190108341 A1), in view of Teal, US PG Publication (20190081983 A1).
Regarding new claim 21, the combination of Berger and Bedhapudi teaches claim 4 as described above.
While Berger teaches  [Berger, ¶0071: policy management facility 122 defines policies for application type; where policy violations detected initiate, terminate or modify an ongoing process or interaction.]; however, the combination of Berger and Bedhapudi fails to explicitly teach, but Teal teaches, wherein the change in the security posture includes detecting a tamper attempt associated with a file, [Teal 20190081983 A1, ¶0017: detecting a change to one or the process properties with endpoint protection driver evaluating for change for possible malicious activity; where the method may include a tamper protection cache identifies one or more protected computing objects selected from a group including a directory and a file] and wherein updating the one or more additional rules includes adding a rule to monitor at least one of the file and a file directory associated with the file. [Teal 20190081983 A1, See ¶0017; ¶0096: Similar to the threat definitions facility 114, the network access rule facility 124 may provide updated rules and policies to the enterprise facility 102. ¶0098: as a result of a detection of a threat or violation; the detection techniques facility 130 monitor stored files and the like]

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Berger and Bedhapudi before him or her by including the teachings of Secure firewall configurations of Teal. The motivation/suggestion would have been obvious to try to modify the threat system of Berger by adding the software module to monitor and manage file changes as taught by Bedhapudi with the function of the threat definitions facility 114 updates files with a directory as result of detected threats of Teal [Teal, ¶0017 and 0096].
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/           Primary Examiner, Art Unit 2497