Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the claims filed 4/02/2020.  Claims 1-20 are pending.  Claims 1 (a method), 10 (a machine), and 19 (a non-transitory CRM) are independent.   Claims 1, 10, and 19 are amended.

Response to Arguments
Applicant’s arguments, see page 7, filed 10/10/2022, with respect to the rejection(s) of claim(s) 1, 10, and 19 under Brewer (US 2019/0235973) have been fully considered and are persuasive. Brewer does not disclose binary searches for a backup point. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Brewer in view of Bish (US 2015/0178171).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3, 9, 10, 12, 18, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12).

As to claims 1, 10, and 19, Brewer discloses a method/machine/CRM comprising:
forming a list of files that are of a plurality of designated file types that can be infected by malicious software, the files stored on a computing device; (“the backups may be incremental backups that only record new or modified data (e.g., new software, modified data files, etc.). Some implementations use a combination of multiple backup techniques, e.g., using an initial (or benchmark) bare-metal backup combined with a time series of incremental backups.” Brewer ¶ 16. See also Brewer ¶¶ 72 and 80.  “virtualization software 300 is responsible for capturing snapshots 305 of software and applications executed on the application server 105.” Brewer ¶ 44)
performing one or more snapshots of the files according to a predetermined schedule over a predetermined period of time; (see Brewer Figures 4 and 5A-B, Snapshots.)
performing one or more backups according to a predetermined schedule of the computing device; (The backed up data, see e.g. Brewer Fig. 5A, “location” of a backup.  “the disaster recovery system 100 polls the client system for changed blocks of data at frequent intervals, e.g., every week, every day, every hour, every few minutes (e.g., 10 minutes, 12 minutes, 15, minutes, etc.), every minute, or even every fraction of a minute (e.g., every 10, 12, or 15 seconds). A block may be detected as having changed if there is a timestamp recorded in the block that is newer than a previous polling time.” Brewer ¶ 67. “A full snapshot of the application server 105 may suitably include a copy of an operating system 310, applications 315, and data stored on the disk storage 260.” Brewer ¶ 45)
storing the one or more snapshots simultaneously with the one or more backups, (“FIG. 4 is an illustration of six example snapshots 410, 420, 430, 440, 450, and 460 in accordance with an illustrative implementation. The snapshots 410, 420, 430, 440, 450, and 460 are taken from the source server 105 (or whichever computer is being backed up).” Brewer ¶ 50) wherein the one or more snapshots correlate to one or more of the backups; (“It should be noted that block “BOB” and block “ALICE” are common to both snapshot 1 (410) and snapshot 2 (420). The hash code and location information for “BOB” and “ALICE” are the same in the journal files 510 and 520 for the respective snapshots 410 and 420.” Brewer ¶ 56)
determining that a malware attack is being carried out on the computing device and generating a list of dangerous objects that spread the malware attack; (“At stage 620, the disaster recovery system 100 analyzes the recorded back-up data. …. one or more characteristics sufficient to detect activity indicating malware or ransomware activity.” Brewer ¶ 69. “If they file is non-conforming, this may indicate a corrupt file or a mislabeled file, where the later may be unintentional or intentional. An intentionally mislabeled file may indicate malware or ransomware activity.” Brewer ¶ 70)
comparing the list of dangerous objects (“The disaster recovery system 100 then iteratively restores each incremental back-up and scans each increment for malware. Eventually the disaster recovery system 100 will recover an infected back-up.” Brewer ¶¶ 79-87, detections) with the one or more snapshots to determine when the malware attack occurred; (“At stage 640, the disaster recovery system 100 identifies, from the recorded back-up data, an infection point. In some implementations, the infection point is a point in time (or span of time) after which the client system is infected with malware (e.g., the detected ransomware) and before which the client system is not infected with the malware.” Brewer ¶ 86)
identifying a clean backup that was created most recently before the malware attack as compared to other backups …; and (“the disaster recovery system 100 may identify a hybrid set of data for use in recovery. The hybrid includes all data prior to the infection point plus some data backed-up after the infection, filtered such that only non-infected blocks are recovered.” Brewer ¶ 88)
recovering data for the computing device from the clean backup. (“At stage 650, the disaster recovery system 100 restores the client system to a state prior to the infection point.” Brewer ¶ 89. “the disaster recovery system 100 restores the client system to a state prior to the infection point. For example, in some implementations, the disaster recovery system 100 restores the client system in the manner described above in reference to stage 650 of the method 600 illustrated in FIG. 6).” Brewer ¶ 97).

Brewer does not disclose:
By incrementally scanning a subset of the one or more backups representing half-way points in a binary search until the clean backup is detected

Bish discloses:
By incrementally scanning a subset of the one or more backups representing half-way points in a binary search until the clean backup is detected (“a binary search to determine where the point of corruption is. That is, the first recovery file to be tested will include half of the updates, so that it is known whether the corruption occurred in the first half of the updates, or the last half of the updates. If it is determined that the corruption did not occur until somewhere in the last half of updates, then a new recovery file with 75% of the updates will be generated and tested. Assume that this second recovery file is corrupt—this means that a third recover file with 62.5% of the updates will be made and tested—and so on until the most recent uncorrupted update is found to be used for data restoration purposes.” Bish ¶ 54)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer with Bish by utilizing a binary search to find the most recent uncompromised backup of the data.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer with Bish in order to quickly and efficiently determine the best data backup from among a large number of data backups (“there will be cases where there are numerous updates to a file, meaning that many possible recovery files could be made and tested for corruption. For instance, if the file that is corrupted is a DB file, and has thousands of transactions against the file, some embodiments of the present invention will use a binary search” Bish ¶ 54)


As to claims 3, and 12 Brewer in view of Bish discloses the method/machine/CRM of claims 1, 10, and 19 and further discloses:
further comprising: detecting addition of a new file that is of the plurality of designated file types; and adding the new file to the list of files.
(“the backups may be incremental backups that only record new or modified data (e.g., new software, modified data files, etc.). Some implementations use a combination of multiple backup techniques, e.g., using an initial (or benchmark) bare-metal backup combined with a time series of incremental backups.” Brewer ¶ 16. See also Brewer ¶¶ 72 and 80)

As to claims 9 and 18, Brewer in view of Bish discloses the method/machine of claims 1 and 10 and further discloses:
further comprising: tracking modifications to files in the list of files by comparing hash sums in the one or more snapshots. (“Blocks with the same name have identical data and the same hash value. In actual use, the hash value is used to determine if two blocks have identical data.” Brewer ¶ 51)


Claims 2, 4, 11, 13, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12), and Gartside et al., US 2003/0120951 (filed 2001-12).
As to claims 2, 11, and 20 Brewer in view of Bish discloses the method/machine/CRM of claims 1, 10, and 19 and further discloses:
wherein the plurality of designated file types includes at least executable files (“virtualization software 300 is responsible for capturing snapshots 305 of software and applications executed on the application server 105.” Brewer ¶ 44).

Brewer in view of Bish does not disclose:
and files containing macros.

Gartside discloses:
and files containing macros.
(“The invention recognises that items of malware included within malware definition data relate to relatively distinct malware classes. As examples, some malware classes are scripts, macros, EXE files, boot viruses etc.” Gartside ¶ 14)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish with Gartside by capturing snapshots of files that include executables and macros (Gartside).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer with Gartside in order to allow analysis to identify malicious software and recover the users data (Brewer ¶ 4) using known malicious file types (Gartside).

As to claims 4 and 13 Brewer in view of Bish discloses the method/machine of claims 1 and 10 and further discloses:
wherein the dangerous objects comprise files, (“The data in the back-up may be, for example, of specific file types such as document files, image files, multi-media files, etc.” Brewewr ¶ 70) processes (“virtualization software 300 is responsible for capturing snapshots 305 of software and applications executed on the application server 105.” Brewer ¶ 44). 

Brewer in view of Bish does not disclose:
and macros.

Gartside discloses:
and macros.
 (“The invention recognises that items of malware included within malware definition data relate to relatively distinct malware classes. As examples, some malware classes are scripts, macros, EXE files, boot viruses etc.” Gartside ¶ 14)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish with Gartside detecting malicious activity in files containing macros (Gartside).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer with Gartside in order detect malicious software using known malicious file types (Gartside).

Claims 5 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12), and Thomas et al., US 2006/0218637 (filed 2006-09).
As to claims 5 and 14, Brewer in view of Bish discloses the method of claim 1 but does not disclose:
wherein the list is formed using one or more filter drivers.

Thomas discloses:
wherein the list is formed using one or more filter drivers.
(“a filter driver that “hooks” into the I/O system of the computing device may be used to determine if a file was modified since the file's last integrity check. Those skilled in the art and others will recognize that a filter driver may be configured to monitor the communication between an operating system and an I/O device. In this embodiment, the filter driver records each modification made to a file that is stored on a volume.” Thomas ¶ 37)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish with Thomas by utilizing a filter driver to record the changes made to filesystem of Brewer.  It would have been obvious to a person of ordinary skill in the art to combine Brewer with Thomas in order to provide a mechanism to discover modifications made to the file system of Brewer, thereby efficiently monitoring changes made to the system by receiving notifications of those changes via filter driver, Thomas ¶ 37. 

Claims 6, 15, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12), and Kurtin et al., US 2016/0019002 (filed 2016-01).
As to claims 6 and 15, Brewer in view of Bish discloses the method of claim 1 but does not disclose:
wherein the list is formed using features of an operating system of the computing device, wherein the features include at least Update Sequence Number (USN) Journal.

Kurtin discloses:
wherein the list is formed using features of an operating system (“Assume that a Windows folder on a host file system 130 is to be accessible on virtual machine 108. A main NTFS structure 200” Kurtin ¶ 70, see also ¶ 71.  Features of the Windows OS.) of the computing device, wherein the features include at least Update Sequence Number (USN) Journal. (“At block 306, a virtual disk is created and file system structures are initialized on the virtual disk. In NTFS embodiments, MFT tables, USN (Update Sequence Number) journals, reparse points, object identifiers, unicode tables etc. are created and initialized for the virtual disk.” Kurtin ¶ 47).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish with Kurtin by utilizing the known windows features of a USN journal to detect changes to files in the system.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer with Kurtin in order to monitor changes in the ubiquitously used Windows Operating System.

As to claim 17, Brewer in view of Bish and Kurtin discloses the method of claim 15 and further discloses:
searching for infected (“The disaster recovery system 100 then iteratively restores each incremental back-up and scans each increment for malware. Eventually the disaster recovery system 100 will recover an infected back-up.” Brewer ¶¶ 79-87, detections) or safe versions of data of the computing device on the virtual volume. (“At stage 640, the disaster recovery system 100 identifies, from the recorded back-up data, an infection point. In some implementations, the infection point is a point in time (or span of time) after which the client system is infected with malware (e.g., the detected ransomware) and before which the client system is not infected with the malware.” Brewer ¶ 86, searching for a non=infected backup.)


Claims 7 and 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12), and Graun et al., US 2020/0089881 (filed 2018-09).
As to claim 7, Brewer in view of Bish discloses the method of claim 1 and further discloses:
… a backup as a virtual volume on the computing device; performing anti-virus scanning on the virtual volume to determine whether the backup is safe. (“the disaster recovery system 100 uses the back-up data to create a virtualized instance of the protected system (e.g., in a sandbox environment) and then initiates a malware scan on the virtualized instance.” Brewer ¶ 77. The virtualized instance using a virtual volume.)

Brewer in view of Bish does not explicitly state the term: mounting.

Graun discloses: mounting.
(“preventing users of an enterprise network from accessing malware infected files that are stored within public cloud file stores by continuously scanning and/or sandboxing files by natively mounting a public cloud file store as a file system, for example, within a network security device.” Graun ¶ 24).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish with Graun by “mounting” the backup in a sandbox to perform malware scanning, as discussed in Graun.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer with Graun in order to allow the files to be accessed in a cloud malware scanning system, e.g. Groun ¶ 24.

As to claim 8, Brewer in view of Bish and Graun discloses the method of claim 7 and further discloses:
searching for infected (“The disaster recovery system 100 then iteratively restores each incremental back-up and scans each increment for malware. Eventually the disaster recovery system 100 will recover an infected back-up.” Brewer ¶¶ 79-87, detections) or safe versions of data of the computing device on the virtual volume. (“At stage 640, the disaster recovery system 100 identifies, from the recorded back-up data, an infection point. In some implementations, the infection point is a point in time (or span of time) after which the client system is infected with malware (e.g., the detected ransomware) and before which the client system is not infected with the malware.” Brewer ¶ 86, searching for a non=infected backup.)

Claims 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brewer et al., US 2019/0235973 (filed 2019-01), in view of Bish et al., US 2015/0178171 (filed 2013-12), Kurtin et al., US 2016/0019002 (filed 2016-01) and Graun et al., US 2020/0089881 (filed 2018-09).
As to claim 16, Brewer in view of Bish and Kurtin discloses the machine of claim 15 and further discloses:
… a backup as a virtual volume on the computing device; performing anti-virus scanning on the virtual volume to determine whether the backup is safe. (“the disaster recovery system 100 uses the back-up data to create a virtualized instance of the protected system (e.g., in a sandbox environment) and then initiates a malware scan on the virtualized instance.” Brewer ¶ 77. The virtualized instance using a virtual volume.)

Brewer in view of Bish and Kurtin does not explicitly state the term: mounting.

Graun discloses: mounting.
(“preventing users of an enterprise network from accessing malware infected files that are stored within public cloud file stores by continuously scanning and/or sandboxing files by natively mounting a public cloud file store as a file system, for example, within a network security device.” Graun ¶ 24).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Brewer in view of Bish and Kurtin with Graun by “mounting” the backup in a sandbox to perform malware scanning, as discussed in Graun.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Brewer in view of Kurtin with Graun in order to allow the files to be accessed in a cloud malware scanning system, e.g. Groun ¶ 24.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Terry et al., US 10,261,867, discloses performing a binary search to locate a point-in-time backup.
Varadharajan et al., US 2014/0201154, discloses using a binary search to restore backed up data to an application. 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492