DETAILED ACTION
Claims 1-22 are pending in this office action. Claims 9-10 and 19 have been cancelled. Claims 21-22 have been newly added.
Applicant’s arguments, filed 01/14/2026, have been fully considered but they are not persuasive.
Response to Arguments
Applicant presents arguments regarding the presence or absence of claimed limitations in the prior art. However, applicant has amended certain claims and added new claims. The responses as well as any applicable new grounds of rejection are outlined below.
Applicant argues:
The Office Action alleges that the pre-amended limitations are taught by Martin at, for example, paragraphs 28-35 (see Office Action, page 3). Applicant respectfully disagrees. Paragraphs 33-35 of Martin describe a framework for virus detection. In Martin, a central repository 205 is configured to "maintain a list of current virus definitions." The "virus detection software 134" of Martin can "be configured to represent at least one virus definition as one or more virus deduplication fingerprints in a searchable virus fingerprint data structure (e.g., an index)" (Martin, paragraph 33). Martin uses a "central repository of virus definitions," to generate fingerprints therefrom, and uses these virus fingerprints to check against data within "data storage system 12." However, Martin completely lacks "obtaining a deduplication signature of a file stored in a first location and identified as being suspicious." Martin does not contemplate generating a deduplication signature of "a file stored in a first location and identified as being suspicious." Rather, Martin generates fingerprints for known viruses. See Martin, paragraphs 33-35 and FIG. 2. Because Martin never performs "obtaining a deduplication signature of a file stored in a first location and identified as being suspicious, wherein the deduplication signature includes a plurality of suspect signature blocks,"
Examiner Response:
Regarding argument (a), examiner respectfully disagrees with applicant. The amended and added limitations have led to a changed scope. Even if only clarification of the claim limitations via rephrasing was intended, the scope of these claims has been altered, and therefore new grounds of rejection, if and as applicable, necessitated by applicant's amendments/additions, are outlined below.
Martin discloses - “deduplication processor 22b may be used to monitor I/O operations to eliminate redundant copies of data and reduce storage overhead of the storage system 12.”; “The deduplication processor 22b can be configured to perform one or more deduplication techniques to ensure that only a predetermined number of instances of data is retained on storage devices 16a-n”; “block-level deduplication which looks within a file and saves unique iterations of each data block of a file. All the blocks are broken into chunks with the same fixed length. Each chunk of data is processed using a hash algorithm, such as MD5 or SHA-1. This process generates a unique number (i.e., a deduplication fingerprint) for each piece, which is then stored in an index within memory” - para 0028, wherein the deduplication technique optimizes storage by storing fewer copies of deduplication fingerprints associated with one or more files stored in a storage location, thereby eliminating redundant copies of data and thus reducing storage overheads. Furthermore, storing the plurality of suspect signature blocks in a searchable format store is disclosed in para 0028, 0033, 0035, wherein deduplication fingerprint blocks associated with potential suspect files are stored in a searchable format such as indexes at another memory location such that further referencing to those can be made for virus detection. Martin discloses the system’s need to scan data blocks corresponding to files being accessed, e.g. using on-access scanners, indicating the system’s need to inherently treat all files that are being accessed as suspect files or files determined to be candidates for scanning in order to safeguard the system. The process creates and utilizes deduplication signatures in a way that makes the scanning process more storage-efficient in situations where a large number of files are checked for malicious blocks (para 0015-0016, 0028-0033).
Furthermore, absent any specificity around the mechanism or steps involving factors to determine files that are classified as suspect files, the aspect of scanning a plurality of files that are being viewed as suspect files (or files that are considered worth scanning) is a matter of subjective system design need, wherein a subset of the files or the entire set of files being accessed is scanned, considering the possibility, in view of the pertinent claim limitation, that a very large number of files (some or all files) end up as suspect files that would require scanning at a larger scale.
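The block-level fingerprinting quoted from Martin para 0028 and the three claimed steps (obtain the suspect file's signature blocks, store them, look them up at a second location) can be illustrated as follows. This is an added example, not code from the office action, the application, or Martin; the 64-byte block size, SHA-256 (used in place of the MD5/SHA-1 named in the quote), the filter for single-byte padding blocks, and all names and paths are assumptions.

```python
import hashlib
from collections import defaultdict

BLOCK_SIZE = 64  # assumed chunk length for the demo; the page states no value


def fingerprint(block: bytes) -> str:
    # SHA-256 is swapped in here for the MD5/SHA-1 named in the quoted text.
    return hashlib.sha256(block).hexdigest()


def chunks(data: bytes, size: int = BLOCK_SIZE):
    """Yield (offset, block) for fixed-length chunks; the last may be short."""
    for off in range(0, len(data), size):
        yield off, data[off:off + size]


def is_trivial(block: bytes) -> bool:
    """Single-byte fill (e.g. zero padding) also occurs in many benign files."""
    return len(set(block)) <= 1


class SuspectBlockStore:
    """Hypothetical searchable store: fingerprint -> where it was first seen."""

    def __init__(self, size: int = BLOCK_SIZE):
        self.size = size
        self.index = defaultdict(set)

    def add_suspect_file(self, location: str, path: str, data: bytes) -> int:
        """Index the signature blocks of a file already flagged as suspicious."""
        stored = 0
        for off, block in chunks(data, self.size):
            if is_trivial(block):
                continue  # assumption: padding blocks would only cause false hits
            self.index[fingerprint(block)].add((location, path, off))
            stored += 1
        return stored

    def scan(self, location: str, files: dict) -> list:
        """Return (location, path, offset, origins) for every matching block."""
        hits = []
        for path, data in sorted(files.items()):
            for off, block in chunks(data, self.size):
                origins = self.index.get(fingerprint(block))
                if origins:
                    hits.append((location, path, off, sorted(origins)))
        return hits


def sample_bytes(seed: str, n: int) -> bytes:
    """Deterministic constructed content, so the demo runs offline."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def demo():
    # Constructed suspect file on the first client: two content blocks,
    # one zero-padding block, and a short 10-byte tail block.
    payload = sample_bytes("constructed-suspect", 2 * BLOCK_SIZE)
    suspect = payload + bytes(BLOCK_SIZE) + sample_bytes("tail", 10)
    store = SuspectBlockStore()
    stored = store.add_suspect_file("client-1", "/tmp/suspect.bin", suspect)

    # Constructed second client: one file reuses the suspect's second block,
    # the other consists only of zero padding.
    client2 = {
        "/home/a/report.doc": sample_bytes("benign", BLOCK_SIZE) + payload[BLOCK_SIZE:],
        "/home/a/blank.img": bytes(4 * BLOCK_SIZE),
    }
    return store, stored, store.scan("client-2", client2)


if __name__ == "__main__":
    _, stored, hits = demo()
    print(stored, hits)
```

Each hit carries the first-client origin of the matching block, so a match on the second client can be traced back to the file that was originally flagged.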
Claim Objections
Claim 11 is objected to because of the following informalities:
For claim 11, “the deduplication signatures” has insufficient antecedent basis in the phrase “wherein the deduplication signatures include”, where “signatures” is not defined. For the purpose of examination, the term will be interpreted as “the deduplication signature” and the phrase will be interpreted as “wherein the deduplication signature includes”.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-3, 11-13, 20-21 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Martin et al. (US 2021/0026960 A1, hereinafter Martin).
For claim 1, Martin teaches a computer-implemented method for detection of malware, said method comprising: obtaining a deduplication signature of a file stored in a first location and identified as being suspicious, wherein the deduplication signature includes a plurality of suspect signature blocks (para 0015-0016, 0028-0033 - deduplication signature or fingerprints associated with file blocks and virus definitions, storing the plurality of potential suspect signature blocks in a searchable format by deduplication process and used by virus detection process);
storing the plurality of suspect signature blocks in a suspect signature block store (para 0028-0033, 0035 - deduplication fingerprint blocks associated with suspect files are stored in searchable format such as indexes at another memory location such that further referencing to those can be made for virus detection); and
identifying a suspect signature block in a second location using the suspect signature block store (Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure).
For claim 2, Martin teaches the claimed subject matter as discussed above. Martin further teaches wherein the suspect signature block in the second location is identified using a deduplication pointer (para 0028, 0033-0035 - deduplication fingerprint blocks pointers or indexes associated with malicious or potential suspect files for referencing and search).
For claim 3, Martin teaches the claimed subject matter as discussed above in claim 2. Martin further teaches wherein the second location is a second client and wherein the first location is a first client (para 0001, 0015, 0034-0035 - fingerprint referencing or identification of suspicious files in real-time or as it is being opened; Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure, wherein the data storages pertaining to indexes or I/O data blocks with incoming virus signature data for comparison are on different hosts or clients).
For claim 11, Martin teaches a system comprising a processor set; one or more computer-readable storage media; and program instructions stored on the one or more computer-readable media to cause the processor set to perform operations (Fig. 1-3; para 0016, 0018, 0023) comprising: obtaining a deduplication signature of a file stored in a first location and identified as being suspicious, wherein the deduplication signature includes a plurality of suspect signature blocks (para 0015-0016, 0028-0033 - deduplication signature or fingerprints associated with file blocks and virus definitions, storing the plurality of potential suspect signature blocks in a searchable format by deduplication process and used by virus detection process); storing the plurality of suspect signature blocks in a suspect signature block store (para 0028-0033, 0035 - deduplication fingerprint blocks associated with suspect files are stored in searchable format such as indexes at another memory location such that further referencing to those can be made for virus detection); and identifying a suspect signature block in a second location using the suspect signature block store (Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure).
For claim 12, Martin teaches the claimed subject matter as discussed above. Martin further teaches wherein the suspect signature block in the second location is identified using a deduplication pointer (para 0028, 0033-0035 - deduplication fingerprint blocks pointers or indexes associated with malicious or potential suspect files for referencing and search).
For claim 13, Martin teaches the claimed subject matter as discussed above. Martin further teaches wherein the second location is a second client and wherein the first location is a first client (para 0001, 0015, 0034-0035 - fingerprint referencing or identification of suspicious files in real-time or as it is being opened; Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure, wherein the data storages pertaining to indexes or I/O data blocks with incoming virus signature data for comparison are on different hosts or clients).
For claim 20, Martin teaches a computer program product comprising: one or more computer-readable storage media; and program instructions stored on the one or more computer-readable media to perform operations (Fig. 1-3; para 0016, 0018, 0023), comprising: obtaining a deduplication signature of a file stored in a first location and identified as being suspicious, wherein the deduplication signature includes a plurality of suspect signature blocks (para 0015-0016, 0028-0033 - deduplication signature or fingerprints associated with file blocks and virus definitions, storing the plurality of potential suspect signature blocks in a searchable format by deduplication process and used by virus detection process);
storing the plurality of suspect signature blocks in a suspect signature block store (para 0028-0033, 0035 - deduplication fingerprint blocks associated with suspect files are stored in searchable format such as indexes at another memory location such that further referencing to those can be made for virus detection); and
identifying a suspect signature block in a second location using the suspect signature block store (Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure).
For claim 21, Martin teaches the claimed subject matter as discussed above. Martin further teaches wherein the first location is a first client, wherein the file is identified as suspicious by a malware scan, wherein the second location is a second client (para 0001, 0015, 0034-0035 - fingerprint referencing or identification of suspicious files in real-time or as it is being opened; Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, wherein the data is received by a storage device (e.g., device 12 of FIG. 1) from a host (e.g. hosts 14a-n); i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure, wherein the data storages pertaining to indexes or I/O data blocks with incoming virus signature data for comparison are on different hosts or clients), and wherein the suspect signature block is identified in the second client using a deduplication pointer (para 0028, 0033-0035 - deduplication fingerprint blocks pointers or indexes associated with malicious or potential suspect files for referencing and search).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4-5, 14-15, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (US 2021/0026960 A1, hereinafter Martin), in view of Jindal et al. (US 2024/0143759 A1, hereinafter Jindal).
For claim 4, Martin teaches the claimed subject matter as discussed above. Martin further teaches backup versions and index updates (para 0032-0034). Martin does not appear to explicitly disclose, however Jindal teaches querying a dereference resource pointing to previous versions of suspect signature blocks of data of the plurality of suspect signature blocks to determine when code has changed indicating suspicious code (para 0011, 0154-0155, 0215, 0237 - signature blocks associated with data files including suspect files that existed previously in resources and needed to be updated resulting in index updates). Therefore, based on Martin in view of Jindal, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize teachings of Jindal in the system of Martin, in order to incorporate comparison of old malware files with regard to code changes, followed by system updates to maintain updated file signatures, thereby also maintaining the malware detection system’s efficacy.
For claim 5, Martin in view of Jindal teaches the claimed subject matter as discussed above in the method of claim 4. Martin does not appear to explicitly disclose, however Jindal teaches obtaining signatures that represent signature blocks of previously backed up versions of the file from a backup server’s database; and comparing the signatures that represent signature blocks of previously backed up versions of the file to the stored plurality of suspect signature blocks and allowing dereferenced signatures to be stored in a dereferenced table to be compared to still-referenced signatures (para 0011, 0154-0155, 0214-0215, 0237 - signature blocks associated with data files including suspect files that existed previously in resources and needed to be updated resulting in index updates which are all stored in record management database).
For claim 14, Martin teaches the claimed subject matter as discussed above. Martin further teaches backup versions and index updates (para 0032-0034). Martin does not appear to explicitly disclose, however Jindal teaches a dereference component for querying a dereference resource pointing to previous versions of suspect signature blocks of data of the plurality of suspect signature blocks to determine when code has changed indicating suspicious code (para 0011, 0154-0155, 0215, 0237 - signature blocks associated with data files including suspect files that existed previously in resources and needed to be updated resulting in index updates). Therefore, based on Martin in view of Jindal, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to utilize teachings of Jindal in the system of Martin, in order to incorporate comparison of old malware files with regard to code changes, followed by system updates to maintain updated file signatures, thereby also maintaining the malware detection system’s efficacy.
For claim 15, Martin in view of Jindal teaches the claimed subject matter as discussed above in the method of claim 14. Martin does not appear to explicitly disclose, however Jindal teaches wherein the dereference component includes: obtaining signatures that represent signature blocks of previously backed up versions of the file from a backup server’s database; and comparing these to the stored plurality of suspect signature blocks and allowing dereferenced signatures to be stored in a dereferenced table to be compared to still referenced signatures (para 0011, 0154-0155, 0214-0215, 0237 - signature blocks associated with data files including suspect files that existed previously in resources and needed to be updated resulting in index updates which are all stored in record management database).
For claim 22, Martin in view of Jindal teaches the claimed subject matter as discussed above. Martin teaches signature comparison for virus detection and identifying a suspect signature block by signature comparison (Fig. 1; para 0015-0016, 0028-0029, 0033-0035, 0038-0041 - making available deduplication fingerprint blocks associated with malicious or suspect files for search by virus detection process, for comparison of deduplication fingerprint with the deduplication index stored in one memory, i.e. comparing by a virus detection process the deduplication fingerprints for the I/O data blocks with virus deduplication fingerprints contained in the virus fingerprint data structure). Martin does not appear to explicitly disclose, however Jindal teaches wherein the operations further comprise: comparing a number of dereferenced signatures of the file to a number of still-referenced signatures of the file; and determining that a client storing the file is infected in response to the number of dereferenced signatures of the file and the number of still-referenced signatures of the file not matching (para 0154-0155, 0214-0215, 0237 - signature blocks associated with data files including suspect files that are stored in resources and needed to be updated resulting in index updates which are all stored in record management database, i.e., new incoming data is compared with corresponding portions that are already in secondary storage, and only new/changed portions are stored, wherein a deduplicated secondary copy may comprise actual data portions copied from primary data and may further comprise pointers to already-stored data, which is generally more storage-efficient than a full copy. In order to streamline the comparison process, the system may calculate and/or store signatures (e.g., hashes or cryptographically unique IDs) corresponding to the individual source data portions and compare the signatures to already-stored data signatures where all signatures need to match for determination of file integrity).
Allowable Subject Matter
Claims 6-8 and 16-18 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims in addition to overcoming the above-mentioned rejections associated with their parent claims.
Conclusion
Applicant's amendment and added claims necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH M JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFREY PWU can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433