Prosecution Insights
Last updated: April 19, 2026
Application No. 18/036,197

File Integrity Assessment to Detect Malware

Final Rejection §102
Filed: May 10, 2023
Examiner: JOHNSON, AMY COHEN
Art Unit: 2400
Tech Center: 2400 — Computer Networks
Assignee: Bullwall Lab A/S
OA Round: 2 (Final)
Grant Probability: 57%
Moderate
OA Rounds: 3-4
To Grant: 2y 7m
With Interview: 80%

Examiner Intelligence

Grants 57% of resolved cases
Career Allow Rate: 57% (284 granted / 499 resolved), -1.1% vs TC avg
Strong +23% interview lift
Interview Lift: +22.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 7m (342 currently pending)
Career history
Total Applications: 841 (across all art units)

Statute-Specific Performance

§101: 3.9% (-36.1% vs TC avg)
§103: 55.7% (+15.7% vs TC avg)
§102: 21.4% (-18.6% vs TC avg)
§112: 10.9% (-29.1% vs TC avg)
Based on career data from 499 resolved cases

Office Action

§102
Detailed Action

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 9-11 are amended. Claims 1-11 are pending.

Objections

The abstract of the disclosure is objected to because [ having parenthesis with numbers ]. The abstract should be in narrative form and generally limited to a single paragraph within the range of 50 to 150 words in length. See MPEP § 608.01(b) for guidelines for the preparation of patent abstracts. A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).

Objection to claim 1: please remove the limitation “-“ from claim 1.

Response to Applicant’s arguments

Applicant’s arguments regarding the rejection of claims 9-11 under 35 U.S.C. 101 are persuasive in view of the amendments of the claims. Therefore, the rejection of claims 9-11 under 35 USC 101 is withdrawn.

Applicant’s arguments regarding rejection of independent claims under AIA 35 U.S.C. 102 is persuasive in view of claim 3 limitation based on broadest interpretation of the claim in view of page 3, lines 4-10 filed on 05/10/2025. Therefore, the rejection of claim 3 under 35 USC 102 is withdrawn (see allowable subject matter below).

Examiner refers applicant to the following MPEP citations when responding to an office action rendered:

Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.

In response to applicant's argument, the fact that the inventor has recognized another advantage which would flow naturally from following the suggestion of the prior art cannot be the basis for patentability when the differences would otherwise be obvious. See Ex parte Obiaya, 227 USPQ 58, 60 (Bd. Pat. App. & Inter. 1985).

In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Examiner suggests that applicant amend independent claim 1 to incorporate the limitations of claim 3 in order to expedite the prosecution of the application.

Claim Rejection – 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2 and 4-11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by “Zaitsev et al.” (US 7530106).

Regarding claim 1: A method of assessing the integrity of files comprising the steps:

continually monitoring files of a file system for file corruptions indicative of the presence of malware (Col. 2, lines 49-52 and 56-57, “system, method, and computer program product for security rating of processes for malware presence, including (a) detecting an attempt to execute a file on a computer… continuing to monitor the process for any suspicious activities”),

detecting an updated file such as a modified file or a created file (Col. 4, lines 54-59, “possible factor in the risk analysis is how the file was created, e.g., which process created this file, whether another file had been downloaded prior to the file being created on the disk--thus, knowing the URL of the downloaded file, the risk of the file that was just created can be assessed”),

the updated file emerging from an update event (Col. 4, lines 59-62, “Also, which directory/folder the file was created in (e.g., Temporary Internet Files is a higher risk than My Documents, root directory is higher risk than a lower-level directory) can be another factor”),

screening file parameters of the updated file (Col. 3 and 4, lines 65-67 and 1-3, “The security rating R is the number that could be divided in two parts: part one is static rating and part two is dynamic rating. Before the file execution invoked, the certain criteria of the file are analyzed, such name of the file, file size, file's location, compression, whether the file is packed, and whether the file was received from a CD-ROM, etc.”),

where if file parameters are within predetermined bounds, the file is marked as integrous (Col. 3, lines 57-60, “The security rating R varies from `safe` to `dangerous` (high) and calculated from 0 to 100 percent. 0 is the safest level and 100% is the most dangerous level. As an example, process is rated as `safe` with a rating of 0-25%”)

and wherein alternatively in response to a file parameter having an anomaly transgressing a predefined anomaly threshold (Col. 3, lines 61-63, “…or `suspicious` with a rating of 25-75% and in excess of 75% the process is rated as `dangerous` (high)”),

deep inspecting the updated file (Col. 8, lines 6-9, “In step 118, if the security rating D is greater than 50%, the process is considered `suspicious` or `moderately dangerous`. The system will notify the user (step 120) and continue to execute the process (step 114)” i.e., examiner noted the deep inspection is described in spec as “the threat area shows each alert signal and/or updated file under deep inspection with relevant file parameter anomaly…”),

the deep inspection comprising: retrieving, from a database (Col. 8, lines 48-52, “If D is greater than 75%, the process is considered dangerous by the antivirus program 204, which indicates that there is a strong probability of malware, from the malware database 206 and that the process is corrupted”),

a sequence of tests specific to the file parameter anomaly of the updated file (Col. 8, lines 43-46, “If monitor 212 detects the process performing any suspicious activities, then the system updates the security rating of the process to D again by comparing the process's attributes and characteristics to the list of factors 202a and list of weights 202b stored on the disk storage unit 202”),

testing the updated file using the sequence of tests where the sequence of tests ascertains file integrity related to the updated file and the update event (Col. 8, lines 52-58, “The system will therefore block the action and terminate the process and/or block the process' access to computer resources, such as memory, disk, network card, etc. The system, using the antivirus program 204 will try, if possible, to cure the process by downloading clean code via Internet 208 or restoring the file from a trusted backup, and relaunching the process”),

where: if the updated file and update event passes all tests of the sequence of tests, marking the file as being integrous, and alternatively, transmitting an alert signal indicating a malware risk related to the updated file or update event (Col. 8, lines 41-43, “If D is greater than, e.g., 50%, the system will notify the user 212 and continue to execute the process on the CPU 21…”).

Regarding claim 2: A method according to claim 1, wherein the alert signal is accompanied by an inspection conclusion describing which specific file parameters and tests that prompted transmission of the alert signal (Col. 2, lines 50-55, “…security rating of processes for malware presence, including (a) detecting an attempt to execute a file on a computer; (b) performing initial risk assessment of the file and assigning initial (static) security rating S; (c) analyzing the initial risk pertaining to the file and if it exceeds predetermined threshold, notifying user”), thereby providing a system supervisor with an informed dataset (Col. 2, lines 61-64, “if the security rating D is greater than, for example, 50% then the user gets notified and the process most likely will continued to be executed, unless the user instructs otherwise…”).

Regarding claim 4: A method according to claim 1, wherein the sequence of tests comprises a name test evaluating the name of the updated file to determine whether through simple name manipulations the file can be opened as expected (Col. 7, lines 18-19 and 34-38, “risk analysis is performed, using various techniques to determine risks… if the process tries to access password-protected files, or tries to start a service with a name identical to a system process name, or tries to start service with a name identical to an antivirus process, this can also be grounds for increasing the rating”).

Regarding claim 5: A method according to claim 1, wherein the sequence of tests comprises a parsing test involving evaluating the file type and determining whether the file can be understood as the type of file it seems to be at least in part and preferably in its whole (Col. 4 and 5, lines 66-67 and 1-3, “File attributes, such as Archived and Read Only are used often, but attributes such as `Hidden` or `System` are used rarely and an indication for the executed file, that the file is suspicious. These attributes add, e.g., 5% to the process security rating”).

Regarding claim 6: A method according to claim 1, wherein the sequence of tests comprises a file entropy test, where the file entropy is determined to identify whether the file is compressed (Col. 4, lines 44-49, “Typical malware files sent out in this manner are on the order of 50-100 kilobytes (which, if packed, reduces to something on the order of 20-50 kilobytes). A file with the size less than 50 kilobytes could be considered as a candidate for being `suspicious` file”).

Regarding claim 7: A method according to claim 1, wherein the sequence of tests comprises a compound test evaluating whether the updated file is part of a pattern over time of file content similarity or update event similarity (Col. 5, lines 13-16, “Creation of the certain files such as autorun.inf and runtime.sys causes a `dangerous` rating to be assigned the process. Deletion and modification of system's files causes a `dangerous` rating to be assigned to the process”).

Regarding claim 8: A method according to claim 1, wherein the sequence of tests comprises a heuristics test, testing the updated file using a simulated environment or a decompiler (Col. 5, lines 55-60, “Host-based Intrusion Prevention Systems (HIPS) could be used with virtualization, for example, if the process tries to create a file in a system folder, the system would not allow the process to do it, and at the same time gives the process a higher rating and informs the process that the file has been created (even though in reality, the file was not created)”).

Regarding claim 9: A computing device having a processor adapted to perform the steps of claim 1 (Col. 8, line 66, “…including a processing unit 21”).

Regarding claim 10: A compute program comprising instructions which cause the computer to carry out the method of claim 1, when the program is executed by a computer (Col. 9, lines 20-23, “The drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules/subroutines”).

Regarding claim 11: A computer-readable medium claim 11 corresponds to method claim 1 and contains no further limitations. Therefore, claim 11 is rejected for the same reason set forth in the rejection of claim 1.

Allowable Subject Matter

Claim 3 is objected to as being dependent upon a rejected base claim 1, but would be allowable if rewritten in independent form including all of the limitations of the base claim (1) and any intervening claims. Reason for allowance will be furnished upon allowance of the application is met.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see US 10333961, Chen et al.) and (see US 20180048657 Hittel et al.).

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAMBIZ ZAND whose telephone number is (571)272-3811. The examiner can normally be reached 8-5:30 M-F.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Prosecution Timeline

May 10, 2023: Application Filed
Dec 13, 2024: Non-Final Rejection — §102
Mar 17, 2025: Response Filed
Jan 16, 2026: Final Rejection — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12381794
METHOD AND SYSTEM FOR PERFORMING AD HOC DIAGNOSTICS, MAINTENANCE, PROGRAMMING, AND TESTS OF INTERNET OF THINGS DEVICES
2y 5m to grant Granted Aug 05, 2025
Patent 12381816
POLICY PLANE INTEGRATION ACROSS MULTIPLE DOMAINS
2y 5m to grant Granted Aug 05, 2025
Patent 12363582
METHOD FOR MANAGING QOS, RELAY TERMINAL, PCF NETWORK ELEMENT, SMF NETWORK ELEMENT, AND REMOTE TERMINAL
2y 5m to grant Granted Jul 15, 2025
Patent 12363588
DATA TRANSMISSION METHOD AND APPARATUS, COMPUTER READABLE MEDIUM, AND ELECTRONIC DEVICE
2y 5m to grant Granted Jul 15, 2025
Patent 12363337
CODING AND DECODING OF VIDEO CODING MODES
2y 5m to grant Granted Jul 15, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 57%
With Interview: 80% (+22.9%)
Median Time to Grant: 2y 7m
PTA Risk: Moderate
Based on 499 resolved cases by this examiner. Grant probability derived from career allow rate.
