Prosecution Insights
Last updated: July 17, 2026
Application No. 18/182,449

METHODS AND SYSTEMS FOR PROTECTING SHADOW COPIES

Final Rejection §103
Filed
Mar 13, 2023
Priority
Sep 16, 2021 — IN 202141041976 +2 more
Examiner
KIM, TAE K
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Zoho Corporation Private Limited
OA Round
4 (Final)
74%
Grant Probability
Favorable
5-6
OA Rounds
2m
Est. Remaining
80%
With Interview

Examiner Intelligence

Grants 74% — above average
74%
Career Allowance Rate
491 granted / 661 resolved
+16.3% vs TC avg
Moderate +5% lift
Without
With
+5.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 6m
Avg Prosecution
17 currently pending
Career history
690
Total Applications
across all art units

Statute-Specific Performance

§101
1.2%
-38.8% vs TC avg
§103
72.7%
+32.7% vs TC avg
§102
19.1%
-20.9% vs TC avg
§112
4.1%
-35.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 661 resolved cases

Office Action

§103
DETAILED ACTION This Action is in consideration of the Applicant’s response on March 25, 2026. Claims 1, 7, 9, 11, and 13 – 16 are amended by the Applicant. Claims 1 – 17, where Claims 1 and 9 are in independent form, are presented for examination. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments filed March 25, 2026 have been fully considered but they are not persuasive. Applicant argued: a) Regarding Claims 1 and 9, the combination of Rellinger and Hunter do not disclose of a deletion request received by the VSS. b) Regarding Claims 1 and 9, the combination of Rellinger and Hunter do not disclose of the VSS including a COM API hook to intercept the request. c) Regarding Claims 1 and 9, the combination of Rellinger and Hunter do not disclose of an OS kernel receiving a second deletion request and includes an IRP filter to disallow it. The Office respectfully disagrees with Applicant’s assertions. 1. With regards to a), both Rellinger [Col. 6, lines 34-37] and Hunter [Pg. 5] both disclose of receiving deletion requests. 2. With regards to b), Hunter further discloses that VSS is implemented in COM technology and one of the methods to prevent shadow copy deletion includes COM object filters [Pgs. 2 and 13]. 3. With regards to c), both Rellinger [Fig. 5; Col. 6, lines 22-34] and Hunter [Pg. 13] further disclose of using an IRP filter in the kernel to block any potentially malicious request. Claim Rejections - 35 USC § 103 The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action. Claim(s) 1 – 17 are rejected under 35 U.S.C. 103 as being rejected by U.S. Patent 10,606,766 (hereinafter “Rellinger”), in view of “Stomping Shadow Copies – A Second Look Into Deletion Methods” (hereinafter “Hunter”). 4. Regarding Claim 1, Rellinger discloses of a computer-implemented method for protecting a computer system from ransomware [Figs. 1 and 5], the computer system including a processor and memory to execute a shadow-copy process that invokes system calls to an operating-system kernel [Figs. 5 and 7; Col. 13, lines 50-62], the system calls to write shadow copies of files in the memory to secondary storage [Fig. 5], the method comprising: receiving, at the shadow-copy process, a first request to delete at least one of the shadow copies in the secondary storage [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy]; wherein the shadow-copy process includes [Fig. 5; Col. 12, lines 9-55]; receiving, at the operating-system kernel, a second request to delete at least one of the shadow copies in the secondary storage [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; request to delete a previously created shadow copy], wherein the operating-system kernel includes an Input/Output Request Packet (IRP) filter to disallow the second request directed from a user layer to the operating-system kernel [Fig. 5; Col. 6, lines 22-34]; and blocking the first request and the second request [Fig. 5; Col. 12, lines 9-55; both requests can be blocked based on shadow copy access policy]. Rellinger discloses of VSS filters. However, Rellinger does not specifically disclose that the shadow copy process is a Component Object Model (COM) interface. Hunter discloses of methods for detecting unauthorized manipulations of shadow copies through various deletion methods used by ransomware [Pg. 7]. Hunter further discloses that deletion requests to VSS services can be from COM objects and that malware detection can be based on COM monitoring [Pg. 2, 8, 12-13]. Additionally, Hunter discloses that the kernel level filter can be an IRP filter [Pg. 13]. It would have been obvious to one skilled in the art before the effective date of the current invention to incorporate the teachings of Hunter with Rellinger since both systems detect modifications to shadow copies. The combination with Hunter would enable the Rellinger system to also monitor COM objects to determine if certain requests are authorized. The motivation to do so is to perform the detection process at different layers to improve detection of malware [Hunter; Pgs. 13-14]. 5. Regarding Claim 2, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Rellinger further discloses that the shadow-copy process blocks the first request [Col. 8, lines 39-55]. 6. Regarding Claim 3, Rellinger, in view of Hunter, discloses the limitations of Claim 2. Rellinger further discloses that the kernel blocks the second request [Fig. 5]. 7. Regarding Claim 4, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Hunter further discloses that the at least one of the first request and the second request comprises at least one of a Volume Snapshot Service (VSS) shadow-copy delete request and an overwrite request [Pg. 8, 12-13]. 8. Regarding Claim 5, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Rellinger further discloses that the shadow-copy process maintains a record of the shadow copies in secondary storage [Col. 3, lines 31-45]. 9. Regarding Claim 6, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Rellinger further discloses that the shadow-copy process comprises a hook to intercept the first request [Col. 8, lines 39-55]. 10. Regarding Claim 7, Rellinger, in view of Hunter, discloses the limitations of Claim 6. Hunter further discloses that the shadow-copy process passes the first request to a shadow-copy delete routine, the shadow-copy delete routine includes the hook to intercept the first request, and the hook maintains a record of the shadow copies of the files written to secondary storage [Pgs. 8, 12-13]. 11. Regarding Claim 8, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Rellinger further discloses that the shadow-copy process comprises a snapshot service [Col. 3, lines 14-24]. 12. Regarding Claim 9, Rellinger discloses of a computer system for preventing ransomware from deleting shadow copies [Figs. 1 and 7], the system comprising: a user layer executing user-level processes, the user-level processes including a snapshot service to save the shadow copies and ignore first shadow-copy-deletion requests to delete the shadow copies [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy], wherein the snapshot service includes [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55]; and a kernel layer executing operating-system-level processes, the kernel layer including a filter to ignore second shadow-copy-deletion requests to delete the shadow copies [Fig. 5; Col. 12, lines 9-55; request for a previously created shadow copy blocked by kernel level filter], wherein the filter comprises an Input/Output Request Packet (IRP) filter to disallow the second shadow-copy-deletion requests directed from a user layer to the operating-system kernel [Fig. 5; Col. 6, lines 22-34]. Rellinger discloses of VSS filters. However, Rellinger does not specifically disclose that the shadow copy process is a Component Object Model (COM) interface. Hunter discloses of methods for detecting unauthorized manipulations of shadow copies through various deletion methods used by ransomware [Pg. 7]. Hunter further discloses that deletion requests to VSS services can be from COM objects and that malware detection can be based on COM monitoring [Pg. 2, 8, 12-13]. Additionally, Hunter discloses that the kernel level filter can be an IRP filter [Pg. 13]. It would have been obvious to one skilled in the art before the effective date of the current invention to incorporate the teachings of Hunter with Rellinger since both systems detect modifications to shadow copies. The combination with Hunter would enable the Rellinger system to also monitor COM objects to determine if certain requests are authorized. The motivation to do so is to perform the detection process at different layers to improve detection of malware [Hunter; Pgs. 13-14]. 13. Regarding Claim 10, Rellinger, in view of Hunter, discloses the limitations of Claim 9. Rellinger further discloses that the snapshot service including a hook to intercept the first shadow-copy-deletion requests [Rellinger; Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy]. 14. Regarding Claim 11, Rellinger, in view of Hunter, discloses the limitations of Claim 9. Rellinger further discloses that the hook is to ignore the intercepted first shadow-copy deletion requests [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy]. 15. Regarding Claim 12, Rellinger, in view of Hunter, discloses the limitations of Claim 11. The combination of Rellinger and Hunter further discloses that the hook is to maintain a record of the shadow copies saved in the kernel layer [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy]. 16. Regarding Claim 13, Rellinger, in view of Hunter, discloses the limitations of Claim 9. Rellinger further discloses that the second shadow-copy-deletion requests bypass the snapshot service [Fig. 5; Col. 6, lines 34-37, Col. 12, lines 9-55; VSS request received to delete a previously created shadow copy]. 17. Regarding Claim 14, Rellinger, in view of Hunter, discloses the limitations of Claim 13. Hunter further discloses that the second shadow-copy-deletion requests comprise a direct-drive-access command [Pg. 10]. 18. Regarding Claim 15, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Rellinger further discloses that the operating-system kernel includes a filter to ignore the second requests [Fig. 5; Col. 12, lines 9-55; request for a previously created shadow copy blocked by kernel level filter]. 19. Regarding Claim 16, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Hunter further discloses that the first request is issued using at least one command-line instruction via an administrative process vssadmin exe, a code or script via a utility process wmic.exe, or a COM API [Pgs. 8, 12-13]. 20. Regarding Claim 17, Rellinger, in view of Hunter, discloses the limitations of Claim 1. Hunter further discloses that the second request comprises a direct-device-access command [Pg. 10]. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contacts Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAE K KIM whose telephone number is (571)270-1979. The examiner can normally be reached M-F 9:30-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached at 5712727642. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TAE K KIM/Primary Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Show 2 earlier events
Mar 10, 2025
Response Filed
May 22, 2025
Final Rejection mailed — §103
Sep 30, 2025
Request for Continued Examination
Oct 09, 2025
Response after Non-Final Action
Jan 14, 2026
Non-Final Rejection mailed — §103
Mar 25, 2026
Response Filed
Jun 17, 2026
Final Rejection mailed — §103
Jul 15, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671720
Cyber-Security in Heterogeneous Networks
2y 11m to grant Granted Jun 30, 2026
Patent 12671721
Cyber-Security in Heterogeneous Networks
2y 11m to grant Granted Jun 30, 2026
Patent 12664272
SECURITY IN INTEGRATED CIRCUITS
2y 7m to grant Granted Jun 23, 2026
Patent 12650816
SYSTEMS AND METHODS FOR PROVIDING TOOLS FOR THE SECURE CREATION, TRANSMITTAL, REVIEW OF, AND RELATED OPERATIONS ON, HIGH VALUE ELECTRONIC FILES
3y 4m to grant Granted Jun 09, 2026
Patent 12641108
SYSTEMS AND METHODS FOR MITIGATING RISKS OF THIRD-PARTY COMPUTING SYSTEM FUNCTIONALITY INTEGRATION INTO A FIRST-PARTY COMPUTING SYSTEM
2y 9m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
74%
Grant Probability
80%
With Interview (+5.3%)
3y 6m (~2m remaining)
Median Time to Grant
High
PTA Risk
Based on 661 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month