Prosecution Insights
Last updated: April 19, 2026
Application No. 18/361,138

METHOD FOR DETECTING A SUSPECTED INFECTION EVENT

Final Rejection §102 §103 §DP
Filed: Jul 28, 2023
Examiner: XIE, EDGAR WANGSHU
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: Predatar Ltd.
OA Round: 2 (Final)
Grant Probability: 82% (Favorable)
OA Rounds: 3-4
To Grant: 2y 6m
With Interview: 99%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (14 granted / 17 resolved; +24.4% vs TC avg)
Strong +38% interview lift
Interview Lift: +37.5% (resolved cases with interview)
Typical timeline: 2y 6m Avg Prosecution, 15 currently pending
Career history: 32 Total Applications across all art units

Statute-Specific Performance

§101: 15.3% (-24.7% vs TC avg)
§103: 58.0% (+18.0% vs TC avg)
§102: 8.5% (-31.5% vs TC avg)
§112: 11.9% (-28.1% vs TC avg)
Based on career data from 17 resolved cases

Office Action

§102 §103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action

Claims and request for reconsideration filed on 12/01/2025 have been acknowledged. Claims 1-12, 16, and 18-23 are currently pending and have been considered below. Claims 1, 16, and 18-19 have been amended. Claim 17 has been canceled. Claims 1 and 16 are independent claims. In view of the arguments presented on pages 9-10 of the remarks, filed on 12/01/2025, with respect to claims 1-12, the 35 U.S.C. 101 rejection of claims 1-12 has been withdrawn.

Priority

Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). However, the certified copy has not been filed; the Priority Document Exchange (PDX) failure status report was filed on 12/29/2023. The application claims the foreign priority of United Kingdom GB2211125.6 filed on 7/29/2022. Acknowledgement is made of applicant’s priority claim on page 8 of the remarks, filed on 12/01/2025: “It is noted that DAS code F47F was provided at filing. Hence, Applicant respectfully requests that the priority claim be granted.” Applicant is reminded that the PDX system generated a failure status report and that applicant may submit the certified copy of the foreign priority documents directly to the USPTO.

Response to Arguments

Applicant’s amendments with respect to the double patenting rejection of claim 16 have been considered. Claim 16 has been amended to include the limitations of claim 17. The double patenting rejection of claim 16, with the incorporated limitations of claim 17, is maintained and updated below.

Applicant's arguments with respect to claims 1-12, filed on 12/01/2025 have been fully considered but they are not persuasive. The reasons are set forth below.

On page 11 of the remarks, filed on 12/01/2025, applicant argues: “Brenner does not disclose that the determination to classify data as anomalous is based on a pattern identified in data associated with back-up copies. Brenner discloses calculating a "change rate" which is compared to a threshold in order to detect ransomware.”

Examiner respectfully disagrees. The broadest reasonable interpretation of "a pattern identified in data associated with back-up copies" can be any “pattern identified in data associated with back-up copies,” and is taught by Brenner for two reasons:

Firstly, Brenner teaches, as presented on page 9 of the non-final rejection, filed on 05/30/2025, in ¶[0039], “The backup and data analysis system may have access to profiles for particular user and system types that are comprised of data from multiple machines and users that are of the same type as the user of the backup data, and/or of the machine type of the computer system.” Examiner, as a person of ordinary skill in the art, interprets “profiles” identified in data associated with back-up copies of other machines as a pattern, therefore, a “pattern identified in data associated with back-up copies…” is taught by Brenner.

Secondly, examiner would like to clarify that the entire disclosure of Brenner is not relied upon, and the comparison of “a change rate” was not relied upon in the non-final rejection, filed on 05/30/2025. Nevertheless, the identification and comparison of a “change rate” by Brenner, in ¶[0039] “The backup and data analysis system can compare expected file data against prior values received from similar machine and/or user types. This comparison can produce one or more change rates for the backup data against prior backup data. There can be change rates calculated for various characteristics of each file or piece of data in the backup data, for the backup as a whole, and for various other combinations of characteristics of the backup data.” does not teach away from, and in fact teaches, the claimed limitation of a “pattern identified in data associated with back-up copies…” because, examiner, as a person of ordinary skill, interprets a “change rate” associated with back-up copies as a “pattern identified in data associated with back-up copies…”

On pages 12-13 of the remarks, filed on 12/01/2025, applicant argues: “Brenner also does not disclose the subject matter of claim 2, which further defines that the pattern in data associated with back-up copies of the first machine comprises a "behaviour shape between the earliest back-up copy that comprises the signature of the infection event and the most recent back-up in which the infection event was detected" (Figs. 14, 15a, 15b).”

Examiner respectfully disagrees. Examiner appreciates the discussion relating to the specification and the accompanying discussion relating to potential improvements over Brenner. However, the broadest reasonable interpretation of "behavior shape" is any behavior-related data associated with the backup, and behavior-related data is taught by Brenner. A specific "behavior shape," relating to traffic data and the comparison of traffic data “irrespective of (or in relationship to) timeframes of hours, days, weeks or months,” as presented by applicant in the remarks is only present in the specification, and not claimed in the claims. While examiner will read the specification as one embodiment of the claims, only the claim is examined, and examiner cannot examine what is not written into the claims. Applicant is encouraged to incorporate such clarifying limitations into the claim.

Applicant's arguments with respect to claims 16 and 18-23, filed on 12/01/2025 have been fully considered but they are not persuasive. The reasons are set forth below.

On pages 14-15 of the remarks, filed on 12/01/2025, applicant argues: “As an initial matter, Applicant notes that the analysis in the report is based on a misconstruction of Munshani. Paragraphs [0077], [0091]-[0093] (cited against former claim 16 and 17) of Munshani relates to snapshots rather than backup copies. The inventors in the present matter point out snapshots and backup copies are different things so the skilled person would not construe the disclosure of Munshani as relevant to the claimed subject matter in view of their common general knowledge of these terms.”

Examiner respectfully disagrees. Examiner thanks and appreciates the discussion of snapshots vs backup copies by the inventors. However, the method claimed by the applicant of selecting a back-up (vs. a snapshot), moving a back-up (vs a snapshot) for the purpose of data and system recovery is taught by Munshani for the same implicit purpose of data and system recovery. Therefore, a person of ordinary skill in the art, being exposed to Munshani before the claimed priority date of the invention, would construe the disclosure of Munshani as relevant to the claimed subject matter because both snapshots and backup copies are implemented for the purpose of data and system recovery.

On page 15 of the remarks, filed on 12/01/2025, applicant argues: “there is no disclosure that the backup copies are cleaned, only that they are scanned.”

Examiner respectfully disagrees. Claudatos explicitly teaches, in ¶[0025], “the backup copies may be scanned” and, in ¶[0006], as background information, “after a virus has been detected …, responses typically involve cleaning …” A person of ordinary skill in the art understands that the overall system, as taught by Claudatos, comprises both scanning a backup object and cleaning a backup object.

On page 15 of the remarks, filed on 12/01/2025, applicant argues: “Further, there is no disclosure that the antivirus is operated in a quarantine environment. In contrast, paragraph [0006] of Claudatos acknowledges, as background information to the teachings of Claudatos, that cleaning or repairing an infected object is an alternative response to quarantining the infected object to block further access”

Examiner respectfully disagrees. Claudatos explicitly teaches, as background information, in ¶[0006], “After a virus has been detected in an object, responses typically involve cleaning or repairing the infected object (the object containing the virus), deleting the infected object, or quarantining the infected object to block further access.” Claudatos follows with a discussion of pros and cons of cleaning vs deleting vs quarantining. A person of ordinary skill in the art understands the methods of cleaning, deleting, and quarantine as background information. A person of ordinary skill in the art also understands the logical implications involved in combinations/permutations of these methods. For example, a person of ordinary skill in the art understands that the following non-exhaustive list of permutations are possible: 1) quarantine -> delete, 2) quarantine -> clean, while the following are impossible: 1) delete -> clean, 2) delete -> quarantine. In conclusion, the concept of combining the method of quarantining and then cleaning is implicitly well-known in the arts and implicitly taught by Claudatos.

Thus, the 35 USC 102 and 35 USC 103 rejections of claims 1-12, 16, and 18-23 are maintained. The rejections have been updated below to reflect amendments by the applicant and responses to arguments by the examiner.
Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claim 16 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. US 11,971,989 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because application claim 16 is anticipated by patent claim 1. Claims 17-23 are rejected because of their dependency on claim 16.

US Patent No. 11,971,989 B2 discloses the following limitations of Claim 16 as shown in the table below:

Current Application No. 18/361,138

Claim 16 (Currently amended): A non-transitory computer-readable medium including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform a method for restoring a computer system following an infection event, the computer system having a plurality of machines, in which a plurality of back-up copies are associated with each of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up, the method comprising restoring one or more of the plurality of machines using a respective clean-back-up copy; and further comprising: selecting a back-up copy for a particular machine; moving the selected back-up copy to a cleaning environment; cleaning the selected back-up copy in the cleaning environment; and applying the cleaned, selected back-up copy to a respective machine in a live environment.

US Patent No. US 11,971,989 B2

Claim 1: A computer-implemented method for restoring a computer system following an infection event, the computer system having a plurality of machines, in which a plurality of back-up copies are associated with each of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up, the method comprising: (restoring one or more of the plurality of machines to a live environment using the clean-back-up copy.) searching the plurality of back-up copies to identify one or more back-up copies that comprise a signature of the infection event; selecting, subsequent to the searching the plurality of back-up copies, a back-up copy for a particular machine from the one or more back-up copies that comprise a signature of the infection event; moving the selected back-up copy to a quarantine environment; automatically cleaning the selected back-up copy in the quarantine environment to provide a clean-back-up copy; and restoring one or more of the plurality of machines to a live environment using the clean-back-up copy.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 10, 11, and 12 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Brenner (US Patent Application Publication No. US 2019/0236274 A1).
Regarding Claim 1, Brenner discloses: An non-transitory computer-readable medium including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform a method for detecting a suspected infection event (Brenner, Abstract, “Ransomware may be then detected”), the method comprising: receiving data associated with back-up copies (Brenner, ¶[0033], “Method 200 may be implemented by elements of computer system 102 using backup application 104, in communication with backup and analysis system 110, and may use data analysis process 112 and may retrieve and store data in backup data storage 114.”) of a plurality of machines including at least a first machine and a second machine (Brenner, ¶[0032], “Backup data storage 114 may be queried for such versions, which can comprise earlier backup data from computer system 102 stored at backup data storage 114 and/or data and files from similar machines.”), in which the data is indicative of a size of the associated back-up copy (Brenner, ¶[0036], “At block 204, metadata is extracted from the backup data. This metadata can contain information about the files to be backed up. It can contain information, for example the size of the backup as a whole”); and determining whether to classify data associated with back-up copies of at least the second machine as anomalous based on a pattern identified in data associated with back-up copies of the first machine (Brenner, ¶[0039], “The backup and data analysis system may have access to profiles for particular user and system types that are comprised of data from multiple machines and users that are of the same type as the user of the backup data, and/or of the machine type of the computer system. 
The backup and data analysis system can compare expected file data against prior values received from similar machine and/or user types.” ¶[0043], "Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from."). Regarding Claim 2, Brenner discloses: The non-transitory computer-readable medium of claim 1, wherein the method further comprises: receiving data associated with each of a plurality of back-up copies associated with the first machine (Brenner, ¶[0029], “Backup application 104 may collect files and data to back up at set times or on demand. These files and data, backup data 106 can then be sent to a system for analyzing backup data to determine whether there is potentially any ransomware contained in the backup data, such as backup and analysis system 110.”) in which the data is indicative of a size of the associated back-up copy (Brenner, ¶[0036], “At block 204, metadata is extracted from the backup data. This metadata can contain information about the files to be backed up. 
It can contain information, for example the size of the backup as a whole”); searching the plurality of back-up copies associated with the first machine (Brenner, ¶[0041], “Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from.”) to identify the earliest back-up copy that comprises a signature of the infection event (Brenner, ¶[0041], “The backup system may find the last known good state of data for the potentially infected computer system by finding a valid backup for the potentially infected computer system.”); and wherein the pattern in data associated with back-up copies of the first machine comprises a behaviour shape between the earliest back-up copy that comprises the signature of the infection event and the most recent back-up in which the infection event was detected (Brenner, ¶[0043], “Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from. Results of the comparison can be saved within backup server catalog 314. Backup server catalog 314 may also be queried for known profiles for similar machines or users, and/or prior data for the computer system from which backup data 302 came from.”). Regarding Claim 10, Brenner discloses: The non-transitory computer-readable medium of claim 1, wherein the method further comprises scanning a back-up copy that is classified as anomalous using antivirus software (Brenner, ¶[0043], “Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from. Results of the comparison can be saved within backup server catalog 314. 
Backup server catalog 314 may also be queried for known profiles for similar machines or users, and/or prior data for the computer system from which backup data 302 came from.”). Regarding Claim 11, Brenner discloses: The non-transitory computer-readable medium of claim 1, wherein the method further comprises scanning metadata of a back-up copy that is classified as anomalous using antivirus software (Brenner, ¶[0043], “FIG. 3 is a block diagram of components for detecting ransomware in backup data in accordance with some embodiments of the present disclosure. Backup server 310 can provide the functionality of backup and analysis server 110. Backup server 310 for example, can comprise a Dell EMC Avamar or Networker server, and can use existing backup metadata from Avamar or Networker to detect potential ransomware. Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from. Results of the comparison can be saved within backup server catalog 314. Backup server catalog 314 may also be queried for known profiles for similar machines or users, and/or prior data for the computer system from which backup data 302 came from.”). Regarding Claim 12, Brenner discloses: The non-transitory computer-readable medium of claim 1, wherein determining whether to classify data associated with back-up copies of the second machine as anomalous is based one or more patterns identified in data associated with back-up copies associated with a first plurality of machines (Brenner, ¶[0043], “Data analysis process 312 can process backup data 302, comparing it to known profiles for similar machines or users, or comparing it to prior data for the computer system from which backup data 302 came from. Results of the comparison can be saved within backup server catalog 314. 
Backup server catalog 314 may also be queried for known profiles for similar machines or users, and/or prior data for the computer system from which backup data 302 came from.”). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Brenner (US Patent Application Publication No. US 2019/0236274 A1) in view of Nachenberg (US Patent No. US 8,413,244 B1). Regarding Claim 3, Brenner discloses: The non-transitory computer-readable medium of claim 2, wherein the behaviour shape (Brenner, ¶[0043], “Data analysis process 312 can process backup data 302, comparing it to known profiles”) Brenner does not explicitly teach the following limitation that Nachenberg teaches: wherein the behaviour shape is a back-up data transfer profile as a function of time (Nachenberg, col 4, line 13-24, “The security system 120 classifies a file by feeding into a classifier values of a set of various features (also called a "feature vector") determined based on information about the file received from one or more client systems 110 hosting (or that hosted) the file. 
One example feature measures time proximity (also called temporal proximity) between the creation of the target file and the creation of known malware in common client systems 110 (i.e., client systems 110 that host both the target file and the known malware). Another example feature measures time proximity between the creation of the target file and the creation of known legitimate files in common client systems 110.”). Brenner in view of Nachenberg are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “security and storage systems.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Brenner with Nachenberg “wherein the behaviour shape is a back-up data transfer profile as a function of time” because there is a need for new techniques that can reliably detect malware (Nachenberg, Abstract). Claims 4, 5, 8, and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Brenner (US Patent Application Publication No. US 2019/0236274 A1) in view of O’Mahony et al. (US Patent Application Publication No. US 2019/0286534 A1, hereinafter, O’Mahony). Regarding Claim 4, Brenner discloses: The non-transitory computer-readable medium of claim 2, wherein the method further comprises: in response to classifying a back-up copy of the second machine as anomalous (Brenner, ¶[0029], “Backup application 104 may collect files and data to back up at set times or on demand. 
These files and data, backup data 106 can then be sent to a system for analyzing backup data to determine whether there is potentially any ransomware contained in the backup data, such as backup and analysis system 110.”), Brenner does not explicitly teach the following limitation that Nachenberg teaches: determining a score indicative of a likelihood of infection (O’Mahony, [0047], “Using the analysis of the extracted features or characteristics 230 and the data augmentation 240, each of the candidate backups may scored or automatically classified. By analyzing the extracted features or characteristics 250, the candidate backups 250 can be ranked according to their likelihood of being the most recent healthy backup or according to their likelihood of being infected.”) based on when the most recent antivirus scan was performed on the second machine (O’Mahony, ¶[0048], “In one embodiment, machine learning classification is implemented to automatically analyze the extracted features and assign a score to each candidate backup. The score or ranking can also be performed based on deviations from the norm. For example, if the historical data indicates a certain change rate, a backup with a change rate that is higher than the change rates of other backups is given a poorer score or is more likely to be infected.”). Brenner in view of O’Mahony are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “security and storage systems.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Brenner with O’Mahony to determine “a score indicative of a likelihood of infection based on when the most recent antivirus scan was performed on the second machine” because a solution can be considered to be the minimization of the cost and time taken to recover data (O’Mahony, Abstract). 
Regarding Claim 5, Brenner in view of O’Mahony teaches: The non-transitory computer-readable medium of claim 4, wherein the method further comprises generating a graphical user interface providing: an indication whether back-up copies of one or more of the plurality of machines have been classified as anomalous (O’Mahony, [0032], “The candidate backups 250 may be mined or examined to identify how files have been modified or to identify a change in the rate at which files have been modified, and/or a time at which the changes were made. A change in any of these rates or a rate that is higher (or lower) than a threshold value may indicate an infection”); and the score indicative of a likelihood of infection associated with one or more of the one or more of the plurality of machines have been classified as anomalous (O’Mahony, ¶[0048], “In one embodiment, machine learning classification is implemented to automatically analyze the extracted features and assign a score to each candidate backup. The score or ranking can also be performed based on deviations from the norm. For example, if the historical data indicates a certain change rate, a backup with a change rate that is higher than the change rates of other backups is given a poorer score or is more likely to be infected.”). Regarding Claim 8, Brenner in view of O’Mahony teaches: The non-transitory computer-readable medium of claim 1, where the method further comprises: receiving data associated with each of a plurality of back-up copies associated with the first machine, in which the data is indicative of a size of the associated back-up copy (Brenner, ¶[0029], “Backup application 104 may collect files and data to back up at set times or on demand. 
These files and data, backup data 106 can then be sent to a system for analyzing backup data to determine whether there is potentially any ransomware contained in the backup data, such as backup and analysis system 110.” ¶[0036], “At block 204, metadata is extracted from the backup data. This metadata can contain information about the files to be backed up. It can contain information, for example the size of the backup as a whole”); and training a pattern matching algorithm to determine whether to classify data associated with back-up copies as an anomalous pattern using the data associated with each of a plurality of back-up copies of the first machine (O’Mahony, ¶[0048], “In one embodiment, machine learning classification is implemented to automatically analyze the extracted features and assign a score to each candidate backup. The score or ranking can also be performed based on deviations from the norm. For example, if the historical data indicates a certain change rate, a backup with a change rate that is higher than the change rates of other backups is given a poorer score or is more likely to be infected.”). Regarding Claim 9, Brenner in view of O’Mahony teaches: The non-transitory computer-readable medium of claim 8, wherein the method further comprises using the trained pattern matching algorithm to determine whether to classify the data associated with back-up copies (O’Mahony, ¶[0048], “In one embodiment, machine learning classification is implemented to automatically analyze the extracted features and assign a score to each candidate backup. The score or ranking can also be performed based on deviations from the norm. 
For example, if the historical data indicates a certain change rate, a backup with a change rate that is higher than the change rates of other backups is given a poorer score or is more likely to be infected.”) of the second machine as anomalous (Brenner, ¶[0039], “The backup and data analysis system may have access to profiles for particular user and system types that are comprised of data from multiple machines and users that are of the same type as the user of the backup data, and/or of the machine type of the computer system. The backup and data analysis system can compare expected file data against prior values received from similar machine and/or user types.”). Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Brenner (US Patent Application Publication No. US 2019/0236274 A1) in view of O’Mahony et al. (US Patent Application Publication No. US 2019/0286534 A1, hereinafter, O’Mahony) and further in view of Challita et al (US Patent Application Publication No. US 2018/0248896, hereinafter, Challita). Regarding Claim 6, Brenner in view of O’Mahony teaches: The non-transitory computer-readable medium of claim 4, Brenner in view of O’Mahony does not explicitly teach the following limitation that Challita teaches: wherein the method further comprises prioritizing the recovery of machines associated with a score indicative that infection is more likely over the recovery of machines with a score indicative that infection is less likely (Challita, ¶[0058], “With reference to FIG. 6, the response component, in an embodiment, is shown in flowchart form. In step 150, ransomware behavior is suspected, and, in an embodiment, three processes commence. Firstly, ongoing analysis commences at step 152. Secondly, the back-up of the system's files begins in step 154, wherein the backup is an on-demand backup that, in an embodiment, prioritizes the backing up of files to those that appear to be the next targets for the encryption.”). 
Brenner in view of O’Mahony and further in view of Challita are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “security and storage systems.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Brenner in view of O’Mahony with Challita “wherein the method further comprises prioritizing the recovery of machines associated with a score indicative that infection is more likely over the recovery of machines with a score indicative that infection is less likely” because a modern behavioral-based solution may provide advantages that prior art solutions do not (Challita, ¶[0010]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Brenner (US Patent Application Publication No. US 2019/0236274 A1) in view of O’Mahony et al. (US Patent Application Publication No. US 2019/0286534 A1, hereinafter, O’Mahony) and further in view of Nachenberg (US Patent No. US 8,413,244 B1).

Regarding Claim 7, Brenner in view of O’Mahony teaches: The non-transitory computer-readable medium of claim 4, Brenner in view of O’Mahony does not explicitly teach the following limitation that Nachenberg teaches: in which the score is scaled based on the time the most recent antivirus scan was performed on the second machine between (Nachenberg, col 4, line 13-24, “The security system 120 classifies a file by feeding into a classifier values of a set of various features (also called a "feature vector") determined based on information about the file received from one or more client systems 110 hosting (or that hosted) the file. One example feature measures time proximity (also called temporal proximity) between the creation of the target file and the creation of known malware in common client systems 110 (i.e., client systems 110 that host both the target file and the known malware).
Another example feature measures time proximity between the creation of the target file and the creation of known legitimate files in common client systems 110.”): a time associated with the earliest back-up copy of the first machine that comprises the signature of the infection event (Nachenberg, col 4, line 13-24, “the creation of known malware in common client systems 110”); and a time associated with the most recent back-up of the first machine (Nachenberg, col 4, line 13-24, “the creation of the target file”).

Brenner in view of O’Mahony and further in view of Nachenberg are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “security and storage systems.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Brenner in view of O’Mahony with Nachenberg “in which the score is scaled based on the time the most recent antivirus scan was performed on the second machine between: a time associated with the earliest back-up copy of the first machine that comprises the signature of the infection event; and a time associated with the most recent back-up of the first machine” because there is a need for new techniques that can reliably detect malware (Nachenberg, Abstract).

Claims 16 and 18-23 are rejected under 35 U.S.C. 103 as being unpatentable over Munshani et al. (US Patent Application Publication No. US 2023/0147026 A1, hereinafter, Munshani) in view of Claudatos et al. (US Patent Application Publication No. US 2008/0016564 A1, hereinafter, Claudatos).
Regarding Claim 16, Munshani discloses: A non-transitory computer-readable medium including one or more sequences of one or more instructions which, when executed by one or more processors, cause an apparatus to at least perform a method for restoring a computer system following an infection event, the computer system having a plurality of machines (Munshani, ¶[0077], “As will be discussed in more detail below, the malware engine 502 detects indicators of compromise that is present on a snapshot of an object (e.g., virtual machine, database, file system, etc.) that shows the snapshot may have been compromised by malware, such as ransomware. … Embodiments enable an enterprise to quickly recover all protected objects to a safe copy, bringing the business back online as soon as possible.”), in which a plurality of back-up copies are associated with each of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up (Munshani, ¶[0093], “The example interface 700 illustrates, for each object, a snapshot chain (e.g., in chronological order) and the status of each snapshot in each chain (or for the specified snapshots or range scanned). Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection. For example, snapshots 702 and 708 are below the cut point and therefore not infected and can be restored and not quarantined. On the other hand, snapshot 704 is infected with malware while snapshot 706 is infected with malware and partially encrypted by that malware. 
On the other hand, snapshot 710 is fully encrypted by malware (which can be determined via entropy measurement).”), the method comprising restoring one or more of the plurality of machines using a respective clean-back-up copy (Munshani, ¶[0091], “A user then, using an interface such as the example interface 700, enters a command to recover a snapshot, which is received at operation 614. If the selected snapshot is determined to be quarantined at operation 616, then the method 600 ends. Else, the snapshot can be recovered by the recoverer 516 at operation 618, which can include mounting and/or restoring, etc. to a specified destination.”); and further comprising selecting a back-up copy for a particular machine (Munshani, ¶[0092], “For example, the method 600 enables users to restore an object to a point prior to a malware infection by quickly identifying healthy snapshots that can be used to perform a full system restore.” ¶[0093], “The example interface 700 illustrates, for each object, a snapshot chain (e.g., in chronological order) and the status of each snapshot in each chain (or for the specified snapshots or range scanned). 
Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection.”); moving the selected back-up copy to a cleaning environment (Munshani, ¶[0092], “Further, as the method 600 quarantines infected snapshots, the method 600 prevents reinfection by malware.”);

Munshani does not explicitly teach the following limitation that Claudatos teaches: cleaning the selected back-up copy in the cleaning environment (Claudatos, ¶[0025], “The backup copies may be scanned by an antivirus engine prior to their use as replacements.”); and applying the cleaned, selected back-up copy to a respective machine in a live environment (Claudatos, ¶[0026], “Policies may, for example, specify quarantining the suspected infected object, notifying an administrator, replacing the infected object with a clean backup copy, denying the attempted access, etc.”).

Munshani in view of Claudatos are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area.” Namely, they pertain to the field of “security and storage systems.” It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Munshani with Claudatos to clean “the selected back-up copy in the cleaning environment” and apply “the cleaned, selected back-up copy to a respective machine in a live environment” because an object is analyzed to determine whether it is infected by malware, and if it is determined to be infected, a backup copy of the object is located in a backup of the objects (Claudatos, Abstract).
Regarding Claim 18, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 17, wherein selecting the back-up copy comprises receiving an indication of a back-up copy from a user (Munshani, ¶[0092], “For example, the method 600 enables users to restore an object to a point prior to a malware infection by quickly identifying healthy snapshots that can be used to perform a full system restore.”). (back-up copy) to be cleaned (Claudatos, ¶[0025], “The backup copies may be scanned by an antivirus engine prior to their use as replacements.”)

Regarding Claim 19, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 17, wherein cleaning the selected back-up copy in the cleaning environment is achieved using antivirus software (Claudatos, ¶[0025], “The backup copies may be scanned by an antivirus engine prior to their use as replacements.”).

Regarding Claim 20, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 16, wherein the method further comprises: identifying the most recent back-up copy for a particular machine (Munshani, ¶[0092], “For example, the method 600 enables users to restore an object to a point prior to a malware infection by quickly identifying healthy snapshots that can be used to perform a full system restore.” ¶[0093], “The example interface 700 illustrates, for each object, a snapshot chain (e.g., in chronological order) and the status of each snapshot in each chain (or for the specified snapshots or range scanned).
Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection.”); moving the most recent back-up copy to a cleaning environment (Munshani, ¶[0092], “Further, as the method 600 quarantines infected snapshots, the method 600 prevents reinfection by malware.”); cleaning the most recent back-up copy in the cleaning environment (Claudatos, ¶[0025], “The backup copies may be scanned by an antivirus engine prior to their use as replacements.”); and applying the cleaned most recent back-up copy to a respective machine in a live environment (Claudatos, ¶[0026], “Policies may, for example, specify quarantining the suspected infected object, notifying an administrator, replacing the infected object with a clean backup copy, denying the attempted access, etc.”).

Regarding Claim 21, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 16, wherein the method further comprises searching the plurality of back-up copies to identify one or more clean-back-up copies that do not comprise a signature of the infection event (Munshani, ¶[0093], “The example interface 700 illustrates, for each object, a snapshot chain (e.g., in chronological order) and the status of each snapshot in each chain (or for the specified snapshots or range scanned). Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection. For example, snapshots 702 and 708 are below the cut point and therefore not infected and can be restored and not quarantined.”).
Regarding Claim 22, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 21, wherein the method further comprises determining an infection-datum-time for the computer system by identifying a creation time of a clean-back-up copy created before an earliest back-up copy that comprises a signature of the infection event (Munshani, ¶[0093], “Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection. For example, snapshots 702 and 708 are below the cut point and therefore not infected and can be restored and not quarantined. On the other hand, snapshot 704 is infected with malware while snapshot 706 is infected with malware and partially encrypted by that malware. On the other hand, snapshot 710 is fully encrypted by malware (which can be determined via entropy measurement).”).

Regarding Claim 23, Munshani in view of Claudatos teaches: The non-transitory computer-readable medium of claim 22, wherein the method further comprises: identifying a back-up copy created after the infection-datum-time (Munshani, ¶[0093], “The example interface 700 illustrates, for each object, a snapshot chain (e.g., in chronological order) and the status of each snapshot in each chain (or for the specified snapshots or range scanned). Further, the example interface 700 may illustrate a cut point indicating a quarantining of snapshots due to infection. … On the other hand, snapshot 704 is infected with malware while snapshot 706 is infected with malware and partially encrypted by that malware.
On the other hand, snapshot 710 is fully encrypted by malware (which can be determined via entropy measurement).”); moving the back-up copy to a cleaning environment (Munshani, ¶[0092], “Further, as the method 600 quarantines infected snapshots, the method 600 prevents reinfection by malware.”); cleaning the back-up copy in the cleaning environment (Claudatos, ¶[0025], “The backup copies may be scanned by an antivirus engine prior to their use as replacements.”); and applying the back-up copy to a respective machine in a live environment (Claudatos, ¶[0026], “Policies may, for example, specify quarantining the suspected infected object, notifying an administrator, replacing the infected object with a clean backup copy, denying the attempted access, etc.”).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDGAR W XIE whose telephone number is (703)756-4777. The examiner can normally be reached Monday - Friday, 8:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFREY PWU can be reached at (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EDGAR W XIE/ Examiner, Art Unit 2433

/WASIKA NIPA/ Primary Examiner, Art Unit 2433

Prosecution Timeline

Jul 28, 2023
Application Filed
May 23, 2025
Non-Final Rejection — §102, §103, §DP
Dec 01, 2025
Response Filed
Mar 07, 2026
Final Rejection — §102, §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602475
AGGREGATING INPUT/OUTPUT OPERATION FEATURES EXTRACTED FROM STORAGE DEVICES TO FORM A MACHINE LEARNING VECTOR TO CHECK FOR MALWARE
2y 5m to grant Granted Apr 14, 2026
Patent 12579267
Methods and Systems for Analyzing Environment-Sensitive Malware with Coverage-Guided Fuzzing
2y 5m to grant Granted Mar 17, 2026
Patent 12579281
Dynamic Prioritization of Vulnerability Risk Assessment Findings
2y 5m to grant Granted Mar 17, 2026
Patent 12566844
SYSTEM AND METHOD FOR COLLABORATIVE SMART EVIDENCE GATHERING AND INVESTIGATION FOR INCIDENT RESPONSE, ATTACK SURFACE MANAGEMENT, AND FORENSICS IN A COMPUTING ENVIRONMENT
2y 5m to grant Granted Mar 03, 2026
Patent 12513001
BLOCKCHAIN VERIFICATION OF DIGITAL CONTENT ATTRIBUTIONS
2y 5m to grant Granted Dec 30, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
82%
Grant Probability
99%
With Interview (+37.5%)
2y 6m
Median Time to Grant
Moderate
PTA Risk
Based on 17 resolved cases by this examiner. Grant probability derived from career allow rate.
