DETAILED ACTION
This office action is in response to the communication filed on 07/08/2020.
Claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-7, and 9 are rejected under U.S.C. 103 as being anticipated by MacLeod et al. (US 2018/0351969 A1, hereinafter Mac) in view of BEDHAPUDI(US 20190108341 A1), hereinafter Bed. 

	Regarding claim 1, Mac teaches a computing system comprising: 
	   a memory device; a persistent storage device having a filesystem defined therein, (“computer program products (e.g., a computer readable storage media that stores instructions executable by one or more processing units”(24)
     the persistent storage device comprising 
(“Disclosed further by way of example embodiments are systems, methods and/or computer program products (e.g., a computer readable storage media that stores instructions executable by one or more processing units) for real-time detection of and protection from steganography in a kernel mode.”(28))
      a plurality of filesystem objects (“In one embodiment, the size of the PE file is determined and compared to the filesize of the file as stored.”) (115) The file sizes of a file is a filesystem object that is stored in the system. 
     and a protection system stored in the filesystem, (“systems, methods and/or computer program products (e.g., a computer readable storage media that stores instructions executable by one or more processing units) for real-time detection of and protection from malware in a kernel mode.”(24)
     the protection system comprising a filesystem minifilter driver (“It is activated only when a minifilter driver is loaded. A minifilter driver refers to a driver that filters file system operations. Minifilter driver may be located between the I/O manager 120 and the base filesystem.” (38))
     and a protection service; (“The system and method create an end-to-end solution to detect, isolate, analyze and remove malware faster, more accurately, with less computational overhead, and storage utilization compared to existing techniques.” (29))
     and a processor communicatively coupled to the memory device and the persistent storage device, the processor programmed to: 
intercept, via the filesystem minifilter driver, an input/output (I/O) event directed to a target filesystem object of the plurality of filesystem objects; (“to intercept a file operation request, the filter manager 125 determines whether a minifilter driver is registered to intercept file operation requests. Responsive to determining that the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120”(39)) The filesystem objects as defined by the specifications, are files/folders, and it is obvious that the file operation requests are directed to files/folders.
extract, via the filesystem minifilter driver, system event metadata from the I/O event, the system event metadata including an identifier of the target filesystem object; (“The minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., fopen, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320.)(0085) It can be seen that the minifilter driver will extract the metadata from the request. The minifilter driver is also a part of the protection system. 
transmit the system event metadata to the protection service; 
(“the managed node 100 executes 825 a steganography remediation action and transmits information describing the steganography to a client device.”)(132)
Mac does not appear to teach the following. However, in an analogous art, Bed teaches about an application for ransomware detection and data pruning management and further teaches:
record, via the protection service, the system event metadata in a record file; create, via the protection service, a backup copy of the target filesystem object; (“system 100 may create and manage multiple secondary copies 116 of a particular data object or metadata, each copy representing the state of the data object in primary data 112 at a particular point in time”)(88) By creating the secondary copies, the system is both recording the metadata and objects of the file, and backing up the metadata and objects. 
release, via the filesystem minifilter driver, the I/O event, thereby enabling the I/O event to be performed on the target filesystem object; (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location”)
and during a system restore operation, replace, via the protection service, the target filesystem object with the backup copy. (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location” (329)

Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

     Regarding claim 2, the combination of Mac and Bed, hereinafter after MB, teaches all of the features with respect to claim 1 as outlined above. Mac further teaches: 
    The computing system in accordance with Claim 1, said processor further programmed to monitor, via the filesystem minifilter driver, I/O events directed to one or more of the plurality of filesystem objects. (“Minifilter driver may be located between the I/O manager 120 and the base filesystem. The filter manager 125 may attach to the file system stack for a target volume. A minifilter driver may attach to the file system stack indirectly, by registering with the filter manager 125 for the I/O operations that the minifilter driver chooses to filter.”(38) 
	
     Regarding claim 3, MB teaches all of the features with respect to claim 1 as outlined above. Mac further teaches: 
The computing system in accordance with Claim 1, said processor further programmed to load, into the memory device, the filesystem minifilter driver during a booting sequence of the computing system, the filesystem minifilter driver configured to operate in a kernel mode of the processor. (“This includes but is not limited to detecting encryption, identifying steganography, protecting against computer “lockouts,” and monitoring the state of the Master File Table (NTFS MFT) and the Master Boot Record (MBR) for evidence of tampering.”)(43) If the system is protecting the MFT and the MBR then it must be loaded up during the booting sequence.  

     Regarding claim 4, MB teaches all of the features with respect to claims 1 and 3 as outlined above. Mac further teaches: 
The computing system in accordance with Claim 3, said processor further programmed to: load, into the memory device, at least a portion of an operating system kernel; and set, via the operating system kernel, a minimum access level to access the filesystem minifilter driver. (“The kernel driver 130 may be dynamically installed in the filter manager 125 inside the I/O manager 120. This embodiment provides a high-performance mechanism to intercept file system events on the Windows platform”)(36) (“In one embodiment, the I/O manager 120 detects file operation requests (e.g., read, write, file open, etc.) that are received by the managed node 100.”(37)
(“The managed node 100 is the computer system that is to be protected from malware and steganography in a kernel mode.”(34)

     Regarding claim 5, MB teaches all of the features with respect to claims 1, 3, and 4 as outlined above. Mac further teaches: 
The computing system in accordance with Claim 4, said processor further programmed to register the filesystem minifilter driver with the operating system kernel. (“[0095] Because the minifilter driver A 320 and minifilter driver B 330 execute in kernel mode 240, they can determine which process is changing the state of the file.”)

     Regarding claim 6, MB teaches all of the features with respect to claim 1 as outlined above. Mac further teaches: 
The computing system in accordance with Claim 1, said processor further programmed to start the protection service, the protection service configured to operate in a user mode of the processor. (“The processor may switch between the two modes depending on the type of code running on the processor. For example, applications 225 may run in user mode while core operating system components may run in kernel mode 240. Drivers may run in kernel mode 240 or user mode 235.”(75)

     Regarding claim 7 MB teaches all of the features with respect to claim 1 as outlined above. Mac further teaches: 
The computing system in accordance with Claim 1, said processor further programmed to compare the backup copy to the target filesystem object to determine whether the backup copy and the target filesystem object are substantially identical. (“The malware analytics module 140 may compare the determined size of the file to the stored filesize of the file. Responsive to the determined size of the file being larger than the stored filesize of the file, the malware analytics module 140 may execute steganography detection analytics on the file”(60)) This can easily be done by the processor to compare the target filesystem and the backup copy. 

Regarding claim 9, MB teaches all of the following with respect to claim 1. Bed further teaches:
The computing system in accordance with Claim 1, said processor further programmed to: determine whether the system restore operation has been requested; and if the system restore operation has been requested, start, via the protection service, the system restore operation. (“Data agent 142 also may receive instructions from storage manager 140 to restore (or assist in restoring) a secondary copy 116 from secondary storage device 108 to primary storage 104, such that the restored data may be properly accessed by application 110 in a suitable format as though it were primary data 112.”(133)) The data agents are a part of the protection service. 
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

Regarding claim 10, Mac teaches a method comprising:
starting a filesystem minifilter driver during a booting sequence of a computing system, the filesystem minifilter driver configured to operate in an operating system kernel of the computing system; (“This includes but is not limited to detecting encryption, identifying steganography, protecting against computer “lockouts,” and monitoring the state of the Master File Table (NTFS MFT) and the Master Boot Record (MBR) for evidence of tampering.”)(43) If the system is protecting the MFT and the MBR then it must be loaded up during the booting sequence. 
(“A minifilter kernel driver (illustrated and described below with respect to FIG. 3) supports routines for file operations.”(40)) The minifilter driver as described earlier, can be a part of the kernel and therefore will then start up with the kernel. 
monitoring, via the filesystem minifilter driver, an input/output (110) event directed to a target filesystem object (“In one embodiment, the process 225 in user mode 235 makes a call to create a file in the Windows API. This call triggers the user request 300 for file I/O (e.g., a Windows NT API call). The request 300 goes through NTDLL.DLL 215. The I/O manager 120 detects the file operation request 300 initiated by the process 225 running in user mode 235.”)(79)
	stored in a filesystem of a persistent storage device of the computing system, (“Disclosed further by way of example embodiments are systems, methods and/or computer program products (e.g., a computer readable storage media that stores instructions executable by one or more processing units) for real-time detection of and protection from steganography in a kernel mode.”(28))
wherein the target filesystem object is one of a plurality of filesystem objects stored in the filesystem; (“the malware analytics module 140 may determine the size of the file by obtaining a pointer to a section header of the file. The section header is associated with a plurality of sections of the file.”)(55)
intercepting, via the filesystem minifilter driver, the I/O event; (“to intercept a file operation request, the filter manager 125 determines whether a minifilter driver is registered to intercept file operation requests. Responsive to determining that the minifilter driver is registered to intercept file operation requests, the filter manager 125 transmits the file operation request to the minifilter driver. Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120”(39)) The filesystem objects as defined by the specifications, are files/folders, and it is obvious that the file operation requests are directed to files/folders.
extracting, via the filesystem minifilter driver, system event metadata from the I/O event, the system event metadata including an identifier of the target filesystem object; (“The minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., fopen, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320.”)(0085) It can be seen that the minifilter driver will extract the metadata from the request. The minifilter driver is also a part of the protection system.
transmitting the system event metadata to a protection service operating on the computing system; (“the managed node 100 executes 825 a steganography remediation action and transmits information describing the steganography to a client device.”)(132)
Mac does not appear to teach the following. However, in an analogous art, Bed teaches about an application for ransomware detection and data pruning management and further teaches:
releasing, via the filesystem minifilter driver, the I/O event to enable the I/O event to be performed on the target filesystem object; (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location”)(329)
and replacing, during a system restore operation and via the protection service, the target filesystem object with the backup copy. (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location” (329)
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

Regarding claim 11, the combination of MB, teach all of the following with respect to claim 10. Mac further teaches: 
The method in accordance with Claim 10, said method further comprising: setting, via the operating system kernel, a minimum access level for accessing the filesystem minifilter driver; and registering the filesystem minifilter driver with the operating system kernel. (“The kernel driver 130 may be dynamically installed in the filter manager 125 inside the I/O manager 120. This embodiment provides a high-performance mechanism to intercept file system events on the Windows platform”)(36) (“In one embodiment, the I/O manager 120 detects file operation requests (e.g., read, write, file open, etc.) that are received by the managed node 100.”(37)
(“The managed node 100 is the computer system that is to be protected from malware and steganography in a kernel mode.”(34))

Regarding claim 12, the combination of MB, teach all of the following with respect to claim 10. Mac further teaches:
The method in accordance with Claim 10, wherein said setting a minimum access level operation comprises: setting a parameter of the operating system kernel to prevent access to the filesystem minifilter driver by one or more predetermined user accounts; and requiring user authentication for one or more authorized user accounts. (“Once a user process that is responsible for producing the file operation request has been identified by the I/O manager 120, the filter manager 125 may perform a search for the identified process on one or more of a blacklist of programs and a whitelist of programs to determine whether the identified process is a trusted process.”(39))

Regarding claim 13, the combination of MB, teach all of the following with respect to claim 10. Mac further teaches:
The method in accordance with Claim 10, said method further comprising starting the protection service, wherein the protection service is configured to operate in a user mode of the computing system. (“The processor may switch between the two modes depending on the type of code running on the processor. For example, applications 225 may run in user mode while core operating system components may run in kernel mode 240. Drivers may run in kernel mode 240 or user mode 235.”(75)

Regarding claim 17, the combination of MB, teach all of the following with respect to claim 10. Bed teaches the method further: 
The method in accordance with Claim 10, said method further comprising: determining whether the system restore operation has been requested; and if the system restore operation has been requested, starting, via the protection service, the system restore operation. (“Data agent 142 also may receive instructions from storage manager 140 to restore (or assist in restoring) a secondary copy 116 from secondary storage device 108 to primary storage 104, such that the restored data may be properly accessed by application 110 in a suitable format as though it were primary data 112.”(133)) The data agents are a part of the protection service. 
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

Regarding claim 18 the combination of MC, teach all of the following with respect to claims 10 and 17. Mac further teaches:
determining, using the restore module, from the identifier that the I/O event was directed to the target filesystem object; (“To keep track of which files in the file system are being created, modified, deleted, renamed, overwritten, etc., a software module running on a client machine may monitor the I/O activity in a file system.”)(288)
determining, using the restore module, that the I/O event was unauthorized; (“the anomaly detection engine 320 may determine that a given I/O activity is an anomaly.”(300))
Mac fails to teach The method in accordance with Claim 17, wherein starting the system restore operation comprises starting a restore module of the protection service, and wherein the replacing operation comprises: starting a restore module of the protection service; parsing the record file, using the restore module, to read the system event metadata recorded in the record file, including the identifier; and replacing, using the restore module, the target filesystem object with the backup copy. However, Bed further teaches:
The method in accordance with Claim 17, wherein starting the system restore operation comprises starting a restore module of the protection service, and wherein the replacing operation comprises: starting a restore module of the protection service; (“This feature allows the system to directly access, copy, restore, back up, or otherwise manipulate the replication copies as if they were the “live” primary data 112”)(173)
parsing the record file, using the restore module, to read the system event metadata recorded in the record file, including the identifier; (“For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block”)(“By electing to restore primary data 112 from a snapshot taken at a given point in time, users may also return the current file system to the state of the file system that existed when the snapshot was taken.”)(170)
and replacing, using the restore module, the target filesystem object with the backup copy. (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location” (329)

Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

Regarding claim 19 the combination of MC, teach all of the following with respect to claim 10. Mac further teaches:
determining, using the restore module, from the system event metadata that the I/O event was performed on the target filesystem object; (“the I/O manager 120 detects file operation requests (e.g., read, write, file open, etc.) that are received by the managed node 100. The filter manager 125 may determine, from a file handle corresponding to the file operation request, whether the file operation request corresponds to an operation of interest. A file handle is a number or identifier that the operating system assigns temporarily to a file when it is opened.”)(37)
determining, using the restore module, that the I/O event was unauthorized; (“If behavior is found that indicates the presence of the malware, the I/O manager 120 may identify the user mode process responsible for initiating the detected file operation request.”(37))
Mac fails to teach The method in accordance with Claim 10, wherein the replacing operation comprises: starting a restore module of the protection service; parsing the record file, using the restore module, to read the system event metadata recorded in the record file; and replacing, using the restore module, the target filesystem object with the backup copy. However, Bed further teaches:
The method in accordance with Claim 10, wherein the replacing operation comprises: starting a restore module of the protection service; (“This feature allows the system to directly access, copy, restore, back up, or otherwise manipulate the replication copies as if they were the “live” primary data 112”)(173)
parsing the record file, using the restore module, to read the system event metadata recorded in the record file; (“For example for “copy-on-write” snapshots, when a block changes in primary storage, the block is copied to secondary storage or cached in primary storage before the block is overwritten in primary storage, and the pointer to that block is changed to reflect the new location of that block”)(“By electing to restore primary data 112 from a snapshot taken at a given point in time, users may also return the current file system to the state of the file system that existed when the snapshot was taken.”)(170)

and replacing, using the restore module, the target filesystem object with the backup copy. (“The filter driver 314 and/or the anomaly detection engine 320 may cause any modified files to be copied and stored in a safe location prior to the modification, and upon detecting a ransomware attack or after the ransomware has encrypted or locked certain files in the file system 316, the filter driver 314 and/or the anomaly detection engine 320 may restore the copies of the files from the safe location” (329)

Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac with the application for ransomware detection and data pruning management of Bed. One would be motivated to do so as it allows for (“advantages over previous systems, including reduced mental workloads, improved decision-making, and the like.”(124))

Regarding claim 20 the combination of MC, teach all of the following with respect to claim 10. Mac further teaches:
The method in accordance with Claim 10, wherein the monitoring operation comprises receiving one or more PreOperation callbacks associated with the I/O event directed to the target filesystem object. (“The minifilter driver A 320 may have previously registered with the filter manager 125 for events of interest (e.g., fopen, read, write, close, rename). Responsive to determining that the minifilter driver A 320 is registered to intercept file operation requests, the filter manager 125 transmits the file operation request 300 to the minifilter driver A 320.”)(0085)

     Claim 8, is rejected under 35 U.S.C. 103 as being unpatentable over MB in view of Narashima(US-20160371292-A1), hereinafter Nara. 	

Regarding claim 8,  MB teaches all of the features with respect to claims 1 and 7 as outlined above. MB does not appear to teach The computing system in accordance with Claim 7, wherein the compare operation comprises one or more of the following: said processor programmed to carry out a byte-for-byte comparison of the backup copy to the target filesystem object; and said processor programmed to generate a first hash value for the backup copy and a second hash value for the target filesystem object and compare the first and second hash values. However, in an analogous art, Nara teaches about a method for inline compression and deduplication and further teaches:
The computing system in accordance with Claim 7, wherein the compare operation comprises one or more of the following: said processor programmed to carry out a byte-for-byte comparison of the backup copy to the target filesystem object; and said processor programmed to generate a first hash value for the backup copy and a second hash value for the target filesystem object and compare the first and second hash values. (“the scan and match engine determined that a match was detected and therefore, the scan and match engine compares the subset of data associated with the hash value against the reference block stored in the reference block buffer associated with the matched entry on a per-byte basis and correspondingly sends signals to the decompression module to decompress the subset of data within the reference block buffer using a modified compression header format for reference copies, such as “11”. The decompressed output is stored within the data output buffer.” (82)) 
	Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac and the application for ransomware detection and data pruning management of Bed with the method for inline compression and deduplication of Nara. One would be motivated to do so as to (“system 100 can be configured in a manner that allows it to automatically interpret compressibility characteristics using pre-determined threshold values and/or computed compressibility counts”(see at least Nara 57). 

Claims 14-15  are rejected under 35 U.S.C. as being unpatentable over MB in view of Narashima(US-20160371292-A1), hereinafter Nara.

Regarding claim 14, the combination of MB, teach all of the following with respect to claim 10. MB does not appear to teach The method in accordance with Claim 10, said method further comprising comparing the backup copy to the target filesystem object to determine whether the backup copy and the target filesystem object are substantially identical. However, in an analogous art, Nara teaches about a method for inline compression and deduplication and further teaches:
The method in accordance with Claim 10, said method further comprising comparing the backup copy to the target filesystem object to determine whether the backup copy and the target filesystem object are substantially identical. (“the scan and match engine determined that a match was detected and therefore, the scan and match engine compares the subset of data associated with the hash value against the reference block stored in the reference block buffer associated with the matched entry on a per-byte basis and correspondingly sends signals to the decompression module to decompress the subset of data within the reference block buffer using a modified compression header format for reference copies, such as “11”. The decompressed output is stored within the data output buffer.” (82)) 
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac and Systems and the application for ransomware detection and data pruning management of Bed with the method for inline compression and deduplication of Nara. One would be motivated to do so as the (“system 100 can be configured in a manner that allows it to automatically interpret compressibility characteristics using pre-determined threshold values and/or computed compressibility counts”(see at least Nara 57).
Regarding claim 15,  the combination MB and Nara teach all of the following with respect to claims 10 and 14. MB does not appear to teach The method in accordance with Claim 14, wherein the comparing operation comprises one or more of the following: carrying out a byte-for-byte comparison of the backup copy to the target filesystem object; and generating a first hash value for the backup copy and a second hash value for the target filesystem object and comparing the first and second hash values. However, in an analogous art, Nara teaches about a method for inline compression and deduplication and further teaches:
	The method in accordance with Claim 14, wherein the comparing operation comprises one or more of the following: carrying out a byte-for-byte comparison of the backup copy to the target filesystem object; and generating a first hash value for the backup copy and a second hash value for the target filesystem object and comparing the first and second hash values. (“the scan and match engine determined that a match was detected and therefore, the scan and match engine compares the subset of data associated with the hash value against the reference block stored in the reference block buffer associated with the matched entry on a per-byte basis and correspondingly sends signals to the decompression module to decompress the subset of data within the reference block buffer using a modified compression header format for reference copies, such as “11”. The decompressed output is stored within the data output buffer.” (82)) 
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac and Systems and the application for ransomware detection and data pruning management of Bed with the method for inline compression and deduplication of Nara. One would be motivated to do so as the (“system 100 can be configured in a manner that allows it to automatically interpret compressibility characteristics using pre-determined threshold values and/or computed compressibility counts”(see at least Nara 57).

Claim 16  are rejected under 35 U.S.C. as being unpatentable over MB in view of Nara, in further view of Osada(US-20140149701-A1), hereinafter Osa. 

Regarding claim 16, the combination of MB and Nara, hereinafter MBN,  teach all of the following with respect to claim 10. MB does not appear to teach The method in accordance with Claim 15, said method further comprising: based upon the comparison, deleting the backup copy if the backup copy and the target filesystem object are not substantially identical; and creating, via the protection service, a second backup copy of the target filesystem object. However, in an analogous art, Osa teaches a backup method and further teaches:
The method in accordance with Claim 15, said method further comprising: based upon the comparison, deleting the backup copy if the backup copy and the target filesystem object are not substantially identical; and creating, via the protection service, a second backup copy of the target filesystem object (“After writing the configuration file 112, if the configuration file 112 is not present (step S1303: NO) or the hash values are not identical (step S1305: NO), the backup tool 121 deletes the configuration file storage folder 123 (step S1308). After deleting the configuration file storage folder 123, the backup tool 121 writes the guest OS to the backup image file 305 (step S1309). After writing the guest OS, the backup tool 121 ends the image backup process.”) 
Furthermore, it would have been obvious to one skilled in the art, before the effective date of the claimed invention, to modify the method for real-time detection and protection of Mac and Systems and methods for restoring files and the application for ransomware detection and data pruning management of Bed and the method for inline compression and deduplication of Nara with backup method of Osa. One would be motivated to do so as the (“the administrator can restore the system that includes configuration information more quickly and accurately than by performing restoration by manual input of the configuration information.”(see at least Osa 112).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN W COLLIER whose telephone number is (571)272-0066. The examiner can normally be reached Mon-Fri.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUSTIN W COLLIER/         Examiner, Art Unit 2499                                                                                                                                                                                               /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499