Prosecution Insights
Last updated: July 17, 2026
Application No. 18/109,595

AGENT-BASED DEVICE PROTECTION USING DETECTION AND MITIGATION OF MODIFICATIONS TO A PROTECTED STORAGE REGION

Final Rejection §103
Filed
Feb 14, 2023
Examiner
SHAUGHNESSY, AIDAN EDWARD
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
Dell Products L.P.
OA Round
4 (Final)
23%
Grant Probability
At Risk
5-6
OA Rounds
0m
Est. Remaining
36%
With Interview

Examiner Intelligence

Grants only 23% of cases
23%
Career Allowance Rate
3 granted / 13 resolved
-34.9% vs TC avg
Moderate +13% lift
Without
With
+13.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
26 currently pending
Career history
58
Total Applications
across all art units

Statute-Specific Performance

§101
1.0%
-39.0% vs TC avg
§103
92.3%
+52.3% vs TC avg
§102
6.2%
-33.8% vs TC avg
§112
0.5%
-39.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 13 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendments / Arguments Regarding the rejection(s) of claims under 35 USC 103: Applicant’s arguments, filed 03/16/2026, in view of the amended claims, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Gryting et al. (US 20220058281 A1, referred to as Gryting), in view of Steigleder (US 20140053145 A1, referred to as Steigleder) DETAILED ACTION This is a reply to the arguments filed on 03/16/2026, in which, claims 1-4, 6-11, 13-18, and 20-23 are pending. Claims 1, 8, and 15 are independent. Claims 5, 12 and 19 are cancelled. When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-4, 6-11, 13-18 and 20-23 are rejected under 35 U.S.C. 103 as being unpatentable over Gryting et al. (US 20220058281 A1, referred to as Gryting), in view of Steigleder (US 20140053145 A1, referred to as Steigleder). In reference to claim 1, A method, comprising: obtaining, by a software entity of an operating system of a processing device, an indication of a protected storage region of at least one storage device of the processing device (Gryting: [0015], [0028], and [0036] Provides for a kernel driver (software entity of the OS) obtaining an indication hat designates a protected file/region of a storage device.) Wherein the method is performed by the processing device, wherein the processing device comprises a processor coupled to a memory, and wherein the software entity executes on the processor (Gryting: [0018] and [0041] Provides for a processing device with a processor coupled to memory, on which the kernel driver (software entity) executes.) wherein the indication of the protected storage region indicates that content of the protected storage region is to be copied into a backup storage region of the at least one storage device (Gryting: [0015] and [0036] Provides for the identifier/marking indicating that the protected content is to be encrypted and stored (copied) into the backup database 116.) storing, by the software entity, subsequent to the obtaining, the content of the protected storage region in the backup storage region of the at least one storage device of the processing device (Gryting: [0015] and [0032]-[0036] Provides for storing the protected file content as encrypted backup copies in backup database 116 after the file is marked/provisioned.) Wherein the protected storage region and the backup storage region are at least partially within the processing device (Gryting: [0022] and [0041] Provides for both protected files (DB 114) and backups (DB 116) residing on storage within the same computer/processing device. ) monitoring, by the software entity, the content stored in the protected storage region to detect one or more changes, using the content of the backup storage region, in the content stored in the protected storage region (Gryting: [0016]-[0021] and [0030] Provides for the kernel driver monitoring protected content and detecting changes by comparing against hash values corresponding to the encrypted backup copies.) initiating at least one automated action responsive to the one or more detected changes in the content stored in the protected storage region (Gryting: [0034] Provides for an automated action made available to a system administrator upon detected modifications.) Gryting doesn’t excplitity teach wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region, updating, by the software entity, the content of the backup storage region with the content of the protected storage region and wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved. However, Steigleder discloses: wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region (Steigleder: [0040] and [0061]-[0062] Provides for explicit automated notification of a system administrator and report generation in response to detected changes.) Updating, by the software entity, the content of the backup storage region with the content of the protected storage region (Steigleder: [0040] and [0060] Provides for promoted/approved changes being stored in a promotion database and becoming part of the known trusted state.) Wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved (Steigleder: [0057]-[0060] and [0075] Provides for user/administrator review and manual promotion (approval) of detected changes.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Gryting, which provides a method for monitoring protected storage regions through kernel-level software entities, detecting changes through comparison with encrypted backup copies, and initiating automated actions in response to detected modifications, with the teachings of Steigleder, which introduces user notification of detected changes, administrator approval workflows, and updating backup storage with approved content changes. One of ordinary skill in the art would recognize the ability to incorporate Steigleder's user-driven approval and backup update mechanisms into Gryting's change detection system to provide human oversight of storage modifications. One of ordinary skill in the art would be motivated to make this modification in order to prevent legitimate administrative changes from being incorrectly flagged and blocked by ensuring that authorized modifications can be reviewed. In reference to claim 2, The method of claim 1, wherein the monitoring the content of the protected storage region comprises comparing one or more of: (i) the content of the protected storage region to the content of the backup storage region and (ii) a first hash value of the content of the protected storage region to a second hash value of the content of the backup storage region (Gryting: [0030], [0015]-[0016], [0023] and [0038] Provides for comparing a hash value of the protected content against stored hash values corresponding to the encrypted backup copies.) In reference to claim 3, The method of claim 1, wherein the monitoring the content of the protected storage region is performed one or more of: (i) for each write operation to the protected storage region, (ii) periodically and (iii) responsive to a reboot of the processing device (Gryting: [0016], [0021], [0028]–[0030] and [0038] Provides for monitoring triggered on intercepted file-access system calls (an access/operation-driven trigger) and, for memory units, continuous recalculation of hashes (periodic monitoring).) In reference to claim 4, The method of claim 1, wherein the at least one automated action further comprises restoring the content of the backup storage region to the protected storage region responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were not approved (Gryting: [0004], [0023], [0027] and [0032]–[0033] Provides for restoring the protected content from the backup region whenever a modification is detected.) In reference to claim 6, The method of claim 1, wherein the protected storage region stores one or more of: boot metadata, filesystem metadata, operating system metadata, basic input/output system metadata and designated protected information (Gryting: [0014]-[0015], [0019] and [0023]-[0028] Provides for protecting operating-system/kernel components (the kernel text segment and read-only data, including kernel configuration parameters) and user-designated protected files.) In reference to claim 7, The method of claim 1, wherein the software entity of the operating system of the processing device comprises an agent executed by the operating system (Gryting: [0018]-[0021], [0029]–[0030] and [0041] Provides for a kernel-space device driver that runs within/under the operating system and autonomously performs the monitoring, interception, and restoration functions.) In reference to claim 8, An apparatus comprising: at least one processing given device comprising a processor coupled to a memory; the at least one processing given device being configured to implement the following steps: obtaining, by a software entity associated with an operating system of the at least one processing device comprising a processor coupled to a memory, an indication of a protected storage region of at least one storage device associated with the at least one processing device (Gryting: [0015], [0028], and [0036] Provides for a kernel driver (software entity of the OS) obtaining an indication hat designates a protected file/region of a storage device.) Wherein the method is performed by the processing device, wherein the processing device comprises a processor coupled to a memory, and wherein the software entity executes on the processor (Gryting: [0018] and [0041] Provides for a processing device with a processor coupled to memory, on which the kernel driver (software entity) executes.) wherein the indication of the protected storage region indicates that content of the protected storage region is to be copied into a backup storage region of the at least one storage device (Gryting: [0015] and [0036] Provides for the identifier/marking indicating that the protected content is to be encrypted and stored (copied) into the backup database 116.) storing, by the software entity, subsequent to the obtaining, the content of the protected storage region in the backup storage region of the at least one storage device of the processing device (Gryting: [0015] and [0032]-[0036] Provides for storing the protected file content as encrypted backup copies in backup database 116 after the file is marked/provisioned.) Wherein the protected storage region and the backup storage region are at least partially within the processing device (Gryting: [0022] and [0041] Provides for both protected files (DB 114) and backups (DB 116) residing on storage within the same computer/processing device. ) monitoring, by the software entity, the content stored in the protected storage region to detect one or more changes, using the content of the backup storage region, in the content stored in the protected storage region (Gryting: [0016]-[0021] and [0030] Provides for the kernel driver monitoring protected content and detecting changes by comparing against hash values corresponding to the encrypted backup copies.) initiating at least one automated action responsive to the one or more detected changes in the content stored in the protected storage region (Gryting: [0034] Provides for an automated action made available to a system administrator upon detected modifications.) Gryting doesn’t excplitity teach wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region, updating, by the software entity, the content of the backup storage region with the content of the protected storage region and wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved. However, Steigleder discloses: wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region (Steigleder: [0040] and [0061]-[0062] Provides for explicit automated notification of a system administrator and report generation in response to detected changes.) Updating, by the software entity, the content of the backup storage region with the content of the protected storage region (Steigleder: [0040] and [0060] Provides for promoted/approved changes being stored in a promotion database and becoming part of the known trusted state.) Wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved (Steigleder: [0057]-[0060] and [0075] Provides for user/administrator review and manual promotion (approval) of detected changes.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Gryting, which provides a method for monitoring protected storage regions through kernel-level software entities, detecting changes through comparison with encrypted backup copies, and initiating automated actions in response to detected modifications, with the teachings of Steigleder, which introduces user notification of detected changes, administrator approval workflows, and updating backup storage with approved content changes. One of ordinary skill in the art would recognize the ability to incorporate Steigleder's user-driven approval and backup update mechanisms into Gryting's change detection system to provide human oversight of storage modifications. One of ordinary skill in the art would be motivated to make this modification in order to prevent legitimate administrative changes from being incorrectly flagged and blocked by ensuring that authorized modifications can be reviewed. In reference to claim 9, The apparatus of claim 8, wherein the monitoring the content of the protected storage region comprises comparing one or more of: (i) the content of the protected storage region to the content of the backup storage region and (ii) a first hash value of the content of the protected storage region to a second hash value of the content of the backup storage region (Gryting: [0030], [0015]-[0016], [0023] and [0038] Provides for comparing a hash value of the protected content against stored hash values corresponding to the encrypted backup copies.) In reference to claim 10, The apparatus of claim 8, wherein the monitoring the content of the protected storage region is performed one or more of: (i) for each write operation to the protected storage region, (ii) periodically and (iii) responsive to a reboot of the processing device (Gryting: [0016], [0021], [0028]–[0030] and [0038] Provides for monitoring triggered on intercepted file-access system calls (an access/operation-driven trigger) and, for memory units, continuous recalculation of hashes (periodic monitoring).) In reference to claim 11, The apparatus of claim 8, wherein the at least one automated action further comprises restoring the content of the backup storage region to the protected storage region responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were not approved (Gryting: [0004], [0023], [0027] and [0032]–[0033] Provides for restoring the protected content from the backup region whenever a modification is detected.) In reference to claim 13, The apparatus of claim 8, wherein the protected storage region stores one or more of: boot metadata, filesystem metadata, operating system metadata, basic input/output system metadata and designated protected information (Gryting: [0014]-[0015], [0019] and [0023]-[0028] Provides for protecting operating-system/kernel components (the kernel text segment and read-only data, including kernel configuration parameters) and user-designated protected files.) In reference to claim 14, The apparatus of claim 8, wherein the software entity of the operating system of the processing device comprises an agent executed by the operating system (Gryting: [0018]-[0021], [0029]–[0030] and [0041] Provides for a kernel-space device driver that runs within/under the operating system and autonomously performs the monitoring, interception, and restoration functions.) In reference to claim 15, A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing given device causes the at least one processing given device to perform the following steps: obtaining, by a software entity associated with an operating system of the at least one processing device comprising a processor coupled to a memory, an indication of a protected storage region of at least one storage device associated with the at least one processing device (Gryting: [0015], [0028], and [0036] Provides for a kernel driver (software entity of the OS) obtaining an indication hat designates a protected file/region of a storage device.) Wherein the method is performed by the processing device, wherein the processing device comprises a processor coupled to a memory, and wherein the software entity executes on the processor (Gryting: [0018] and [0041] Provides for a processing device with a processor coupled to memory, on which the kernel driver (software entity) executes.) wherein the indication of the protected storage region indicates that content of the protected storage region is to be copied into a backup storage region of the at least one storage device (Gryting: [0015] and [0036] Provides for the identifier/marking indicating that the protected content is to be encrypted and stored (copied) into the backup database 116.) storing, by the software entity, subsequent to the obtaining, the content of the protected storage region in the backup storage region of the at least one storage device of the processing device (Gryting: [0015] and [0032]-[0036] Provides for storing the protected file content as encrypted backup copies in backup database 116 after the file is marked/provisioned.) Wherein the protected storage region and the backup storage region are at least partially within the processing device (Gryting: [0022] and [0041] Provides for both protected files (DB 114) and backups (DB 116) residing on storage within the same computer/processing device. ) monitoring, by the software entity, the content stored in the protected storage region to detect one or more changes, using the content of the backup storage region, in the content stored in the protected storage region (Gryting: [0016]-[0021] and [0030] Provides for the kernel driver monitoring protected content and detecting changes by comparing against hash values corresponding to the encrypted backup copies.) initiating at least one automated action responsive to the one or more detected changes in the content stored in the protected storage region (Gryting: [0034] Provides for an automated action made available to a system administrator upon detected modifications.) Gryting doesn’t excplitity teach wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region, updating, by the software entity, the content of the backup storage region with the content of the protected storage region and wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved. However, Steigleder discloses: wherein the at least one automated action comprises notifying at least one user of the one or more detected changes in the content stored in the protected storage region (Steigleder: [0040] and [0061]-[0062] Provides for explicit automated notification of a system administrator and report generation in response to detected changes.) Updating, by the software entity, the content of the backup storage region with the content of the protected storage region (Steigleder: [0040] and [0060] Provides for promoted/approved changes being stored in a promotion database and becoming part of the known trusted state.) Wherein the updating is responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were approved (Steigleder: [0057]-[0060] and [0075] Provides for user/administrator review and manual promotion (approval) of detected changes.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Gryting, which provides a method for monitoring protected storage regions through kernel-level software entities, detecting changes through comparison with encrypted backup copies, and initiating automated actions in response to detected modifications, with the teachings of Steigleder, which introduces user notification of detected changes, administrator approval workflows, and updating backup storage with approved content changes. One of ordinary skill in the art would recognize the ability to incorporate Steigleder's user-driven approval and backup update mechanisms into Gryting's change detection system to provide human oversight of storage modifications. One of ordinary skill in the art would be motivated to make this modification in order to prevent legitimate administrative changes from being incorrectly flagged and blocked by ensuring that authorized modifications can be reviewed. In reference to claim 16, The non-transitory processor-readable storage medium of claim 15, wherein the monitoring the content of the protected storage region comprises comparing one or more of: (i) the content of the protected storage region to the content of the backup storage region and (ii) a first hash value of the content of the protected storage region to a second hash value of the content of the backup storage (Gryting: [0030], [0015]-[0016], [0023] and [0038] Provides for comparing a hash value of the protected content against stored hash values corresponding to the encrypted backup copies.) In reference to claim 17, The non-transitory processor-readable storage medium of claim 15, wherein the monitoring the content of the protected storage region is performed one or more of: (i) for each write operation to the protected storage region, (ii) periodically and (iii) responsive to a reboot of the processing device (Gryting: [0016], [0021], [0028]–[0030] and [0038] Provides for monitoring triggered on intercepted file-access system calls (an access/operation-driven trigger) and, for memory units, continuous recalculation of hashes (periodic monitoring).) In reference to claim 18, The non-transitory processor-readable storage medium of claim 15, wherein the at least one automated action further comprises restoring the content of the backup storage region to the protected storage region responsive to the at least one user indicating that the one or more detected changes in the content stored in the protected storage region were not approved (Gryting: [0004], [0023], [0027] and [0032]–[0033] Provides for restoring the protected content from the backup region whenever a modification is detected.) In reference to claim 20, The non-transitory processor-readable storage medium of claim 15, wherein the protected storage region stores one or more of: boot metadata, filesystem metadata, operating system metadata, basic input/output system metadata and designated protected information (Gryting: [0014]-[0015], [0019] and [0023]-[0028] Provides for protecting operating-system/kernel components (the kernel text segment and read-only data, including kernel configuration parameters) and user-designated protected files.) In reference to claim 21, The method of claim 1, wherein the indication of the protected storage region of the at least one storage device comprises a user designation of at least a portion of a storage device as the protected storage region (Gryting: [0015], [0028] and [0036]-[0035] Provides for a user designating selected files as protected.) In reference to claim 22, The apparatus of claim 8, wherein the indication of the protected storage region of the at least one storage device comprises a user designation of at least a portion of a storage device as the protected storage region (Gryting: [0015], [0028] and [0036]-[0035] Provides for a user designating selected files as protected.) In reference to claim 23, The non-transitory processor-readable storage medium of claim 15, wherein the indication of the protected storage region of the at least one storage device comprises a user designation of at least a portion of a storage device as the protected storage region (Gryting: [0015], [0028] and [0036]-[0035] Provides for a user designating selected files as protected.) Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892. Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form. /A.E.S./Examiner, Art Unit 2432 /Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Show 8 earlier events
Aug 11, 2025
Response after Non-Final Action
Sep 02, 2025
Request for Continued Examination
Sep 11, 2025
Response after Non-Final Action
Dec 16, 2025
Non-Final Rejection mailed — §103
Mar 13, 2026
Examiner Interview Summary
Mar 13, 2026
Applicant Interview (Telephonic)
Mar 16, 2026
Response Filed
Jun 12, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574412
METHOD AND SYSTEM FOR PROCESSING AUTHENTICATION REQUESTS
4y 7m to grant Granted Mar 10, 2026
Patent 12339956
ENDPOINT ISOLATION AND INCIDENT RESPONSE FROM A SECURE ENCLAVE
3y 4m to grant Granted Jun 24, 2025
Patent 12225029
AUTOMATIC IDENTIFICATION OF ALGORITHMICALLY GENERATED DOMAIN FAMILIES
2y 9m to grant Granted Feb 11, 2025
Study what changed to get past this examiner. Based on 3 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
23%
Grant Probability
36%
With Interview (+13.3%)
3y 5m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 13 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month